Anchored for the long term

Dhe consulting firm i-Risk has accompanied more than 100 companies in the introduction and continuation of risk management in recent years. With this experience, the decisive influences for the successful anchoring of risk management can be divided into three categories, which proceed chronologically in three phases:

• Risk management during implementation
• Risk management in the first year
• Risk management in subsequent years

Introduction - Creating a Risk Register

At the beginning of the risk management process, the company's management should clearly define the framework conditions. These should be adapted to the size and structure of the company in order to be able to continue risk management in the long term with the existing resources. The industry and the nature of potential threats also play a role. Three factors are closely related to each other when setting up the initial parameters:

• The scale of the extent of damage for the assessment of risks
• The flight level of the risk assessment
• The number of risks assessed

The lower limit of the scale of the extent of damage for assessing risks defines the number of risks that are recorded in the system. For example, if the threshold value is CHF 300,000, more risks are included than if the threshold value is CHF 500,000. The flight level of the risk assessment determines the granularity of the risks: For example, a failure of the entire production or, at a lower level, each production plant individually, can be listed as a risk. A uniform granularity of the entire risk list simplifies the comparison of the risks among each other. Accordingly, the number of risks in the risk register is influenced on the one hand by how the rating scale is defined and on the other hand by the chosen flight level. Both factors should be kept as constant as possible over the years so that the long-term course of the risks can be recorded.

In practice, it has been shown that it is most efficient to include only a few risks in the risk register, but to look at them in depth. For most Swiss SMEs, the number of risks is in the region of 20.

Fewer, but more in-depth

By focusing on the greatest threats, the quality of the risk assessment can be ensured in detail. If a lower altitude is deliberately chosen for risk identification, more risks are automatically considered. It is often the case that these are already recorded in other management systems and are therefore managed twice, which leads to inefficiencies.

Another key point of efficient risk management is to formulate each risk as a scenario and to appoint a responsible person from the workforce in each case. These risk owners inform the risk manager about changes and are always informed about the status of the risk-reducing measures. With a selection of approximately 20 risks, the flight level is at a level where each member of management can comment on all issues and all risks can be assessed in a single half-day workshop. This achieves an objective classification of the risks.

In the first year - ensure impact

At the end of the implementation of a risk management process, the risk policy is defined and approved, which establishes the legally prescribed system for the longer term. It is advisable to draw up a document of about ten pages in which three main points are described:

• The periodicity of risk assessment
• The periodicity of the monitoring of measures
• The risk management process including responsibilities

In most Swiss SMEs, risk analysis is carried out once a year and monitoring of measures takes place on a quarterly basis. Many companies tend to increase the frequency in order to increase the timeliness of the information contained. However, it is important to keep the frequency of the monitoring of measures higher than that of the risk assessment, because only in this way can risk management achieve its full effect. By implementing the defined measures, money can be saved and competitive advantages expanded. Companies often use a traffic light system for monitoring measures. In the quarterly meetings in which the measures are discussed, the focus is then on the yellow and red measures that are in arrears.

There should always be a direct flow of information throughout the risk management process: It must be ensured that employees communicate risks directly to the risk manager so that he can initiate necessary measures. Especially in SMEs, the introduction of numerous levels of responsibility in the process should therefore be avoided. In some companies, one encounters employees who communicate the risks to their

DirectCommunication

of the division, filter them and forward them to the risk manager. However, this makes it impossible for everyone to communicate quickly and directly with the risk manager. A pragmatic solution to ensure direct connection to the risk manager is to set up a mailbox to communicate risks and threats.

Risk management in subsequent years

People are at the heart of the risk management process. Creativity is required here, especially in risk analysis. He proposes newly identified risks and evaluates them. To avoid repetition, management should always involve other people in the process. The risk exposure of a company is thus examined from a new angle every year.

In the case of an annual risk analysis, a three-year cycle for adjusting the risks has proven effective in practice: Year 1: Risk identification based on interviews and checklists as well as assessment of risks in a joint workshop.

2nd year: Adding, deleting and adjusting risks as well as evaluating the risks in a joint workshop. In the process, the biggest shifts in the risks are analyzed in particular.

3rd year: Consideration of trends in the industry and derivation of new risks as well as analysis of shifts in risk assessment (Chart 1).

Risks change

In the first year, a "greenfield" start is made by recording the risks anew on the basis of structured interviews and then evaluating them. The risks already present in the system or the industry experience of external consultants during the initial implementation are consulted as checklists. In the assessment workshop, management evaluates the risks and defines priorities for the implementation of measures.

In the second year, the focus is on the shifts in risks compared to the previous year. The time required for risk identification is relatively low, as the situation in most industries changes little over the course of a year. Management then reassesses the risks and compares them with the previous year's assessment. The focus is on the main shifts, for each of which a justification is documented. The assessment of risks usually changes significantly when measures have been introduced or significant market or organizational changes have taken place. By examining the changes in risk, the efficiency of the measures introduced can be demonstrated and measured.

In the third year, trends are integrated into the analysis. In the first few years, it makes sense to take an internal view so as not to focus too much on external risks and to concentrate on those problems that the company can reduce itself. In subsequent years, management can look more to the future and to the outside. The influence of macro trends on the company is analyzed. In the third year, for example, trends in the industry can be analyzed and relevant risks for the company can be identified. In risk assessment, the focus is even more on changes than in the previous year.

Conclusion

In order to anchor risk management in the long term and make it as enriching as possible for the people involved, pure repetition should be avoided. As soon as repetition creeps in, there is a danger that risk management will degenerate into an alibi exercise. Only identified risks can be dealt with. Therefore, the creative thinking process should be maintained through new perspectives. It is also advantageous to involve different players in the process from time to time in order to absorb new opinions. In this context, lateral thinkers are more than welcome.