As the weather starts to cool and we all start to remember the predictability of a British winter, checking our kids coats still fit, firing up the central heating with crossed fingers, putting the garden furniture away, it brings into sharp focus just how good we humans are at risk management. The older you get, the easier it gets, but it’s a natural instinct, something we do daily without even realising. Ironic then that so often we are met with groans and the usual 🥱 banter when it’s time to talk risk in a business setting.
But as we have closed out our quarter three risk reviews at Sigma Connected, something interesting has happened. Something new and strange. Stakeholders have thanked us for the introspective, stakeholders have enjoyed the process, stakeholders have congratulated themselves for the focus they’ve gained from the process in getting those little things done that make the big differences. We look today at a very different business from even 2 years ago and what is pleasing to see are all the little improvements that put icing on cakes and cherries on icing.
The truth is, we’ve achieved something rare. We have built a business and a culture that truly embraces risk management as more than a burden, more than just a ‘creative writing’ session about things that might not happen, but as a process that helps us go from good to great. We’ve embraced risk management as a tool to shine a spotlight on the ‘nice to haves’ we missed as we grew quickly and the ‘must haves’ we didn’t realise we needed until we took a good look inside our own departments and processes.
The real key to running a risk management programme that truly adds value in any business is about making it more than a tick box exercise. You must change mindset. If you can’t convince everyone that risk is good not bad, that ‘red’ is the best colour not ‘green’ and that understanding your weaknesses is the best way of finding strengths you didn’t even know you had, it will always be nothing more than an administrative burden.
And the best way to do this…?
Talk to the people who know.
We’ve changed the mindset not only in the boardroom, our CEO chairs the risk committee, but right through the organisation, from Executive Risk Owners, through business owners and all the way through to our front-line risk champions.
We call our risk champions the Risk Rangers, a tongue in cheek nickname that sets the tone of how we run the risk programme, we take it seriously but it must be enjoyable. All our Risk Rangers take part in a bespoke training programme and then work with the risk team on a weekly and monthly basis to ensure that mitigating actions and controls are continually developed. This makes our quarterly stakeholder reviews quicker and we’ve been able to show rapid improvement in our exposure since we re-launched our risk programme 2 years ago.
We started with an ethos to never ask stakeholders to ‘do risk’ by themselves. We ran risk identification sessions in groups, roundtable meetings where whole departments just chatted through things that worried them, had gone wrong or nearly gone wrong. We wrote those up, pulled out the risks and then re-ran the sessions to talk about “what’s the worst that could happen?” for each scenario and then a final session to say, “how can we prevent that or protect ourselves?”. Only then did we take those risks to the risk owners to sense check and approve. All our reviews are done face to face where we facilitate, but now we have stakeholders asking for logins to the risk management platform so they can update their risks more regularly.
But the best part of all is the positive change we’ve seen in our business. For a modern business, running lean, it’s really easy to de-prioritise risk because there’s always enough ‘stuff actually happening’ or that we are ‘fire-fighting’. But by embracing risk management, embedding it into our culture, the time saved by not having to fix problems and the benefits from the controls we’ve put in place will always outweigh the time committed in the first place.
We’ve still work to do here; more we can achieve. But the benefits and the progress made so far are beyond tangible. Morale, engagement, profitability and efficiency have all seen positive impacts as a result of this process and, as businesses are run on tighter and tighter margins, the role of effective risk management becomes even more critical.
About the author
Peter Hopgood-Gravett has led risk and compliance teams, in FCA regulated industry, for over 12 years and is Sigma Connected’s Director of Compliance, Risk and Audit.
You can connect with Peter on LinkedIn.