ERM Course for Startups in India

Alexander Larsen partners with Invest India and IRM India to bring risk management training to startups in India

Effective risk management is vital to every business start up, to ensure there is a structured approach to managing and mitigating potential risks from an early stage. As a result of the Covid-19 pandemic, effective risk and resilience management has never been more important to every organisation around the world.

Invest India and the India Affiliate of the Institute of Risk Management (IRM) have joined forces to offer a free course “Enterprise Risk Management for Startups” to ensure startups in India have the best possible risk based approach at this difficult time for any business.

Alexander has developed half of the educational material for this joint initiative course and delivered it via virtual training. The IRM is the world’s leading professional body for Enterprise Risk Management education and research. Invest India is part of the Government of India’s Department for Promotion of Industry and Internal Trade of the Ministry of Commerce and Industry.

Alexander, President of Baldwin Global Risk Services, is a Certified Fellow and Certified Trainer of the Institute of Risk Management with 18 years of experience within risk management across a wide range of sectors. Alexander has previously worked with major organisations in India and collaborated with IRM India to deliver risk management training. Delivering the other half of this course is Mr. Uday Gharpure, an IRM India Coach for Enterprise Risk Management with 38 years of experience as a transformational CXO level leader building and growing IT services organisations.

This course is a great opportunity for Startups in India to get a full understanding of how to manage risks from an early stage in their business. This forward looking and progressive step from the government in India will be a huge boost to the survival of a startup business. As the pandemic has emphasised the importance of resilience in response to disruptions and making risk based decisions, this course will focus on how to embed this approach into a new business.

It is essential that entrepreneurs learn how to manage uncertainties to protect the objectives and enhance the growth of their business. With increasing business failures and external complexities, it is imperative that startups implement robust processes and systems to identify and respond to vulnerabilities and threats across the value chain. Regulators in India have mandated only specific companies to set up a formal risk management function but in the wake of the pandemic, even private equity funds and other startup investors have started evaluating startups on their ability to manage risks and crises.

These startup businesses will be developing the CEOs of the future and having exposure to risk management at an early stage will result in robust and sustainable businesses. It is important that risk management is maintained through start up, growth and maturity of an organisation. Many larger companies ensure they have risk experts sitting on their board in Non-Executive Director roles to provide risk advisory and oversight of all activities.

The Enterprise Risk Management for Startups course is split into 6 modules:

  • Introduction to Enterprise Risk Management
  • Startups & Risk Management
  • What is Risk?
  • Covid-19 Case Study
  • Risk Management Process
  • How can startups implement Risk Management?

For more information or to register on this course, please use the following link: https://www.theirmindia.org/startup-risk-management

How to build an effective risk champion network

By Alexander Larsen, as published in the Risk Leadership Network’s Intelligence platform

Developing an effective risk championship network starts with endorsement from senior management. Once you have that, you need to think carefully about what the role will include and who the best people for the job are. Training is critical for giving your champions the tools they need, and rewards will help keep them engaged and interested. Starting the risk champions from a strong baseline can’t be under-estimated; with strong commitment, the right training and encouragement and support from the organisation’s leadership, the benefits risk champions can bring will reap dividends on an ongoing basis.

Executive summary

  • Building a successful network starts with C-suite support
  • Communication of the role, expectations and value of risk champions needs to be clearly articulated by the organisation’s leaders
  • Spell out the rewards for committing to and succeeding with the risk champion role
  • Champions can be chosen in a few ways: by managers or the risk team, or by asking for volunteers
  • Training means that champions understand risk and the role of risk management
  • Using workshops gets champions familiar with identifying risk and working with experts in their departments to better understand and analyse risk
  • Eventually an almost autonomous network is formed, with departments having ownership of their risks and champions promoting risk culture

Context

International firms with a network of offices, usually spread across countries and continents, often struggle to build a consistent risk program and a positive risk culture. This is partly because risk management teams have limited reach, but also because different geographies and management teams – and the prevailing country or regional culture – will have different attitudes to risk.

Equally, smaller firms, where the risk management team is extremely small, often struggle to identify the risks throughout the organisation. Risk managers (especially those operating alone) have limited time and it can be difficult to prioritise and align expectations and competing agendas, let alone connect with everyone across the business to understand risks and promote consistent risk culture. Additionally, risk managers can’t be experts in every technical area of a business.

In both scenarios, building a network of risk champions can help. Having a group of well-trained individuals who understand risk and are responsible for information gathering, sharing experiences and updating risks exponentially increases the reach and effectiveness of the risk management team.

As everyone will have had the same training – regardless of geography – you can start to build a consistent and positive risk management approach and culture across the organisation internationally. Meanwhile risk champions become an extension of the core risk management function – the eyes and ears of the risk team, meaning a better-informed decision-making process. They can report back to you about some of the challenges and what frustrates staff and managers about your risk process. It allows continuous improvement to the risk management approach as a result of this feedback loop that you otherwise wouldn’t have had as a risk manager. And having a network of risk champions basically selling risk management throughout the organisation builds understanding and culture.

Finally, a risk champion network allows departments to take ownership of risk, something which is otherwise difficult to achieve because people just look at the risk management department or the risk manager and assume the responsibility for it sits with them rather than at the front line. The champion framework puts the responsibility for assessment and mitigation back on departments and risk owners. Having a risk champion within each department or area enhances and strengthens ownership of the risk process.

Key Steps

Getting senior management approval

The first stage in building a successful risk champion network is to engage senior management. You would usually need to get approval from the top – whether that’s the board, a risk audit committee or the C-suite – to go out there and put this sort of network in place.

If you don’t have this approval, you may find that when you ask managers to choose a risk champion, there is reluctance to get involved and commit to the risk management initiative. This is particularly true when senior staff don’t prioritise risk management or are very busy. However, if it’s in a policy and it’s been signed off at the top of the organisation, then people see the commitment from top management and are more inclined to positively respond to what you need.

A simple way to get the leadership team familiar with the term is to mention risk champions in your risk procedure or risk policy document. This should explain at a high level how risk management will be undertaken, including the roles, responsibilities and value of risk champions. It’s important to note that there can be other names assigned to the role such as Risk Co-Ordinator, Risk Analyst or Risk Focal Point, whatever suits the Organisation’s current terminology.

Another approach is to try to drive it through the risk committee. Suggest a risk champion network, outlining the reasons and benefits of taking this approach, and they may give you a mandate to get it done.

You may be able to proceed with a risk champion network without sign-off, but only if you’ve got extremely good relationships across the middle management team. In most organisations it helps for the process to have senior management endorsement. A Risk Manager should always be looking to develop these strong relationships within an organisation, so it is often up to them to prove the Risk Champion network’s worth before taking it up to the Risk Committee or C-Suite.

If you can’t get senior management approval, you may be able to work with HR to embed risk management in senior managers’ job descriptions. If they know they have to do risk management as part of their responsibilities and KPIs, and as part of their annual appraisal, they will be much more willing to assign a risk champion to take on that work.

Deciding what the risk champion role will be

Next you need to come up with a job description for your risk champion network. This will vary depending on the risk maturity of your organisation and how engaged and knowledgeable people are with risk management.

It could be as simple as updating departmental risks at defined intervals, or it could be going further and include making sure that risks are analysed. You might want to say that the risk champions should talk to all people in a department individually or you might ask them to run workshops. It could be that you want the risk champions to drive risk management within their own departments, but instead of the risk champion being responsible for the risk register, they support their manager in maintaining it. With the right risk champion and training, they could even drive training throughout the organisation.

You also need to think about how much time they have and what percentage will need to be dedicated to risk management. That will dictate how much of the risk management responsibilities they can take on alongside the other roles that they play.

If you know that you’re really chancing your arm even getting them in the first place, then you just want to keep it simple. But if you know that you’re going to get support building risk culture, then you may want to go into a bit more depth. Generally speaking, I would get the basics done first and then think about building in extra responsibilities.

Whichever approach you take, it needs to support your ultimate aim, which is to drive risk culture with the managers owning risk for the departments. Managers are responsible for departmental objectives and it is therefore natural that they should also be responsible for the risks impacting their critical objectives.

Working out how many risk champions you need

When building a risk champion network, I start by looking at the organisational structure of the company. For example, many businesses have divisions sitting below senior management and then departments within those divisions.

In an ideal scenario, each department would have a risk champion, so that is a good place to start. But in some companies, this will not be achievable as it would involve too many people and too much training.

In that case you may want to start by having a risk champion for every higher level division, but you can also identify the most critical divisions and implement one champion per department there, or two or three champions for the division to support the departments.

It also depends how many people are in each department. If they are large departments, they should have a risk champion, but where there are smaller departments all sitting within a bigger division, you can probably get away with one risk champion for the group.

For an international company, I may look at a different organisational structure with risk champions representing the different offices. If one office only has 50 people, you can get away with one champion, but if it has 400 people you may want one champion per division for that location.

It may also depend on the authority you have for a foreign country. You might just have one focal point who could be an informal risk champion, but with a clear line of access and communication with the central risk management team.

Choosing your risk champions

There are at least three different approaches to selecting risk champions. They include:

1) Managers assign risk champions for their departments, divisions, or geographies

In some cases, a manager assigns the risk champion themselves, which can happen in companies with good risk maturity and culture. Often the manager will choose someone who works for them.

The upside of this approach is that the assigning manager knows what the role entails, and that the person is going to be doing this on an ongoing basis.

The negative is managers often choose someone they think isn’t too important (in their eyes). That’s because they don’t want their key team members to be dealing with what they may perceive or value as the simple tasks of risk management, which they don’t see value in. Sometimes they assign anyone they can find that can take on more work, and that’s not good because the risk champions need certain skills (both hard and soft) and authorities to do the job successfully.

In a company with good risk maturity, your managers are more likely to suggest someone with the right blend of knowledge, competency, skills and commitment. Otherwise, you can try to improve the process by guiding managers on the kinds of skills you need. For instance:

  • champions need to be relatively senior
  • they may need to have the authority and ability to speak to people at higher levels
  • they need to have been in the job for a while
  • they may need to have a certain personality
  • you might want someone with certain qualifications (for example, financial or engineering background)

You don’t want to step on managers’ toes, but if you can give them a good idea of what you are looking for and how the specific characteristics and criteria will benefit them, you’re more likely to get the champions you need.

2) The risk manager assigns risk champions

The upside of this approach is that the risk manager knows what skills a successful champion needs and should be able to identify the people who can do the job.

The downside of this approach is that risk managers may not have all the information they need to select someone in every department, and could find that they’re choosing people without sufficient authority or networks.

In this situation, you can speak to your network within the organisation and ask who might be good and who other people recommend. This can help broaden your reach and make sure you’re choosing the right people throughout the company.

The ideal scenario when it comes to picking risk champions is a mixture of risk manager and manager deciding (and agreeing).

3) Risk champions volunteer themselves

The best system is where you have people in departments or regions raising their hand and volunteering to be risk champions. Then the risk manager gets to vet them and make sure they have the right skills for the job. Finally, they need to get sign off from their managers to make sure they agree and are on board with the process. Having people volunteering ensures you have a risk champion network that want to do their job, have the drive to do a good job, and will offer quality you would otherwise not have.

Reflecting risk champion roles in job descriptions

Once you’ve selected your champions, work with HR to get their new responsibilities added into their job descriptions and appraisal systems.

When I speak to risk champion networks, I often ask them who wanted to do the job – and no one puts their hands up. Often this is because the role was thrust upon them and is poorly rewarded and recognised. If someone is spending 10 per cent of their time on risk, this needs to be acknowledged through the review process, and ideally reflected in rewards, such as bonuses.

Ideally, HR will partner with the head of the risk function to gain the necessary insight, promote the importance of the risk champion’s role, and ensure adequate recognition (including reward elements) is incorporated into the annual review cycle.

Beginning with an introductory meeting

This is an opportunity to explain the champions’ new roles to them and what risk management is all about.

It’s also crucial to build a rapport within the network and to make sure that they all understand each other’s departments and what they do. Often in a business, people have no idea what other departments actually do, but risk champions need to know who is reliant on what – and how risks in the business are interlinked.

I break down and bridge the silos immediately and work on networking, getting them to know each other and building up a relationship.

Creating a community of risk champions is as important as selecting and training the risk champions.

Training risk champions

When I build risk champion networks, the next thing I do with newly selected champions is training. Ideally, this is an intensive five full days of training, but you can also scale this and start with a two-day course. This training can be spread out over a period of a few weeks, and some of it can be done online if needed.

If you have the budget, ideally you would send them on a recognised course, such as one from the Institute of Risk Management, that could provide them with a certificate and qualification.

If you’re not using an external provider, good elements to cover in training include:

  • What is risk management?
  • What does risk management look like in the world?
  • What does the organisation see as risk management (focus on opportunities too)?
  • What is risk appetite and tolerance? What is the organisation’s current risk appetite?
  • How do we go about identifying risk?
  • How do we measure those risks?
  • How do we manage those risks?
  • How do we communicate and what reporting requirements do we have?
  • How to facilitate workshops and risk conversations.

This could be covered over the five days with case studies and examples to flesh out each of the different risk tools and concepts.

Holding risk workshops

Next, I usually go out and work with each champion by holding a workshop with their department. I will run the workshop and facilitate the identification of risks against their key objectives within the department, with the risk champion present as part of the training. I try to make sure that their manager is part of this workshop. I also clarify the role of the risk champion and the importance of risk management.

They see me in action identifying the risks, and then I use this information to help them populate the risk registers, reports or other requirements set out by the organisation or risk procedure, so that the champions become familiar with the process. They sit with the managers in a meeting to get sign-off on the risks, then we go through the first process and assign tasks and actions to various people.

I tell them that from then on, they will have responsibility and ownership for the registers alongside their managers. All the risk champion needs to do is follow up and make sure the risks are updated, and every few months perhaps run a workshop themselves.

I wouldn’t necessarily expect the champions to be ready to run the workshops themselves straight away, but after two or three run-throughs, I can hand this activity over to them as well. It could take up to six months, but eventually I would expect them to be running this process autonomously.

That is my main purpose for my risk champions. I want to make sure that they feel comfortable enough to run this on their own and be able to overcome some of the barriers they may encounter in developing an accurate view of risks. And, ideally, I have the right characters to be able to do that.

If you want to go further and do quantitative risk analysis, I wouldn’t suggest the risk champions do this. What I suggest is the risk champions gather the data that you request so you can run the analysis with them. Involving them is important, as they will soon understand why you need the data and what kind of data to be looking out for. In some cases, the right risk champions may have the right skill sets to run such quantitative analysis and it is useful to ensure they receive training to do this. Quantitative risk analysis is a powerful tool and the more people capable of doing it, the better.

Once the risk managers are autonomous, you can start deepening the work that they do. For instance, you might want to make them business continuity champions or responsible for identifying new risks. You can start layering activities to get the most out of your network.

Regular networking and sharing success

You need to make sure your champions are regularly brought together for further training, to learn from each other and to keep networking. Ideally, champions should be meeting at least once a quarter, and some of the allocated time should be social.

For large, international organisations, group meetings might be difficult, so I implement monthly meetings per division, quarterly meetings per country and an international risk management conference once a year.

Different approaches will work for different business structures, but you need to be creative in making sure that people are still networking and sharing.

Looking at additional rewards

Even if you have risk built into appraisals for champions, you should also look at other ways of rewarding your champions. To get the right rewards you need to think about what drives your organisation and staff.

For instance, if it’s an organisation that doesn’t pay very well, look at trying to secure some extra money for champions to reflect the additional responsibilities and time they need to commit to their roles.

But if it’s a highly paid organisation, an extra two or three per cent isn’t going to motivate people and deeper consideration needs to be given to the specifics of compensation and remuneration.

Options to consider include:

  • Financial rewards – for example, pay or bonuses
  • Access to the C-suite – for example, having champions present risks to the board and CEO
  • Career development – for example, certification or introducing risk requirements for partnerships or management roles
  • Recognition – for example, awards

Outputs

Better quality risk management
Risk champions along with their managers are now responsible for risk to their objectives, meaning better quality data that is kept up to date by those on the frontline dealing with the risks and making decisions about them.

Ownership of risks
This means that departments and divisions now have ownership of their risks, so risk culture is consistent throughout the organisation – and the risk management team has more time to work on areas such as emerging risks and improving the decision making of the C-suite.

Risk Culture

Having champions promoting risk management, using examples from training and real life case studies and ensuring that their colleagues understand that risk management is about enabling the organisation to take risk, the right risk, and that it’s not a bad thing, can build a consistent, strong and positive understanding of risk management across the organisation, and promote the right type of risk culture for your organisation. The right risk culture trumps a good policy and procedure anyway! As Peter Drucker says, “Culture eats strategy for breakfast!”

Risk maturity increases
If you measure risk maturity throughout the organisation, you should see it steadily increase. Furthermore, the business gets better at identifying new threats and opportunities and – critically – mitigating them.

Results

There is now an autonomous network of risk champions identifying and assessing risks through workshops and updating risks on a continuous basis. The risk manager no longer needs to chase people for that “once a quarter risk register” that often adds little value. Risk culture is consistent throughout the organisation and champions are responsible for promoting risk management in their departments. This should lead to greater insight right across and up and down the organisation, with the ability to respond more effectively to events.

Lessons learned

What worked well
  • Building a risk champion network helps increase the reach of the risk management team, meaning risk is better embedded across functions and departments, and internationally. The champions can reach much further than you can as an individual or as a department.
  • Having allies in every team means that the risk manager is better informed and gets early warning about risks coming down the track.
  • Having a positive risk culture ensures that people are actually willing to report risk AND take risk, and are not scared that they will get punished.

What was difficult
  • Sometimes managers might propose champions that are ill-suited to the role. If after training a champion still isn’t succeeding, you will have to go back to the manager and ask for someone new.
  • Sometimes it can cause challenges when a champion reports a risk and their manager disagrees. To overcome this, it is first important to ensure there is a mechanism to allow these risks to be communicated to the risk manager. I would then sit down with the manager and say this risk is coming out of the business, and ask why they don’t see it from the same perspective. There might be a good reason, or it could be that the risk needs to be included.

This blog post is an adapted version of a paper from Risk Leadership Network’s Intelligence platform, contributed by advisory board member, Alexander Larsen.

Risk Leadership Network’s Intelligence platform is a searchable database of peer-contributed case studies, tools and templates. Contributed by Members, current and former senior risk managers and subject matter experts from around the world, the Intelligence platform is a melting pot of new ideas and shared learnings.

Risk Leadership Network’s Intelligence is one of four interconnected platforms that enable our Members to collaborate and share knowledge across different sectors and geographies to improve the effectiveness of risk management.

Risk Managers Getting Coffee: Episode 1

Season 1, Episode 1: Alexander Larsen meets with Gregory Irgin in the UAE to share experiences and insights

In this series of Risk Managers Getting Coffee, we’ll be meeting with seven Risk Managers to gain insight into their risk experiences, areas of expertise and to learn more about risk management in the country they work in.

In this first episode, Alexander Larsen met Gregory Irgin in the UAE. Gregory influences and drives integrated risk management – enterprise risk management, insurance, resilience (business continuity management and crisis security management) – resulting in shareholder protection and return on investment. He has worked across the Middle East and Africa and has exciting stories to share around geopolitical risks.

Introduction: Gregory is Head of Group ERM and Insurance within the aluminium and smelting sector in Dubai and Abu Dhabi, producing and selling aluminium in its 100% form. His customers are all over the world, including big companies such as BMW. A mine is coming online in Guinea, and sales offices are based in America, Europe and China.

Episodes will be released every few weeks here on the Risk Guide website and via our LinkedIn (https://www.linkedin.com/company/risk-guide) and YouTube pages (https://www.youtube.com/c/riskguide).

Episode 1 Overview:

2:36 How did you get into Risk? Gregory originally trained as a lawyer in England and worked in New York until 9/11. Following this he worked in the UK in insurance construction claims and contracts. He has always been an advocate of ethical leadership. He has worked all over the world in places such as Jordan, Iraq, Syria and Afghanistan. He discusses headlines v reality, understanding what’s really going on in the country, and how once you know there’s no going back.

3:47 Geopolitics: Africa & Latin America: Working in London, Gregory was travelling to Africa and Latin America. Previously had a trip to Guinea to meet a Government representative and while boarding the plane, received a call saying the person he was due to meet had just been shot. Looking at it now, the stability in Guinea has changed a lot over 10 years.

4:38 People Risk: Nationalisation & Recruitment: Alexander and Gregory discuss bringing on board nationals to be involved and trained early in a project. They want to feel valued, rather than just expats on site. Bringing nationals in early so they are mentored and embedded within the team before expats leave. There will be an issue with Brexit as skilled workers may be leaving.

6:28 What makes a good risk manager: soft skill set vs quantitative and technical knowledge. Gregory is pro soft skills and breadth in risk management. It is essential to step back and review the situation; communication is key. A Risk Manager can draw on technical experts in any industry and doesn’t need to be quant heavy. They need to analyse information and interpret this to the top level management. Ultimately, a balance is needed around the table to extract the right information from the right people and experts in the company.

9:03 People Bias – How do we engage people? The fundamentals of any organisation are the people. There is a duty of care to lead with ethics, manage people well and drive behaviour. However, how can we do that? Each department has its own agenda, KPIs arise as tick-boxes and everyone should be working towards the same goals. Alexander had previously worked with a national park senior management team in the UK. Some directors hadn’t ever seen company objectives and some didn’t agree with them. The CEO had just put them together and assumed they would be backed by the rest of the board. How can the whole organisation work together if the CEO and board management aren’t even aligned?

We hope you find this interview useful and informative!

Risk Managers Getting Coffee

Meeting and Sharing experiences (and coffee) with Risk Managers across the world, with Alexander Larsen.

We are proud to announce the first season of “Risk Managers Getting Coffee”. In Season 1 of Risk Managers Getting Coffee, we’ll be meeting with seven Risk Managers to gain insight into their risk experiences, areas of expertise and to learn more about risk management in the country they work in.

At a time when risk and resilience have never been more important, our guests share risk management expertise, opinions and thoughts on the future.

Trailer – Risk Managers Getting Coffee

Episodes will be released every few weeks here on the Risk Guide website and via our LinkedIn and YouTube pages.

Season 1 Participants:

Gregory Irgin – UAE – Gregory influences and drives integrated risk management – enterprise risk management, insurance, resilience (business continuity management and crisis security management) – resulting in shareholder protection and return on investment. He has worked across the Middle East and Africa and has exciting stories to share around geopolitical risks.

Episode released on 23-Mar-21, found here https://riskguide.wordpress.com/2021/03/23/risk-managers-getting-coffee-episode-1/

Dr Maria Papadaki – UAE – Years of experience in Risk Management from both Academia and Industry, with numerous years in the implementation, development, improvement and management of risk frameworks, tools and techniques. Involved in Blockchain technology and other innovative technologies.

Peter Smith – UAE – Peter has over 13 years of experience leading teams of advisory professionals and implementing innovative initiatives in Project Controls Solutions and Risk Management across sectors including Oil & Gas, Rail, Infrastructure and Construction in countries like the UK, UAE and Iraq.

Horst Simon – Namibia – A veteran in banking operations management, mergers, take-overs and implementation projects; who is now at the forefront of the Future of Risk Management with Risk Management Concepts and Risk Culture Building programs that disrupt and transform organisations to build sustainable competitive advantage.

Mykhailo Rushkovskyi – Ukraine – Has held several high-level risk positions in Energy companies across Ukraine and is a strong advocate for improving risk culture and reporting in his companies.

Aarn Wennekers – Qatar – Extensive international experience supporting Board Chairmen and Directors to promote good governance and enhance oversight of the executive management team to ensure the organization achieves its strategic, operational, reporting, and compliance objectives.

Paul Edge – Portugal – Based in Portugal, Paul is a Risk Manager with years of experience working with Quantitative Risk methods and has been involved in the blockchain space for a while. He has also established a cryptocurrency StatiCoin, a stable coin solution for traders looking for safe investment and merchants looking for a non-volatile digital currency.

We are sure you will enjoy these interviews with these excellent risk professionals!

Better Decision Making Through Risk Visualisation

Alexander Larsen & Ghislain Giroux Dufort of Baldwin Global talk through how risk managers can use risk management as an effective decision-making tool. As originally published in Strategic Risk Magazine.

Risk Management has for a long time been looked upon as a process that stops bad things from happening rather than an effective decision-making tool that helps organisations form and improve their strategy, meet objectives and provide competitive advantage.

Reporting

If risk management is a decision-making tool, and identifying risks is an exercise in preparing for the future, then why do so many reports insist on looking at last quarter instead of looking forward? Additionally, too many reports focus on the old Risk Matrix or Risk Register approach of looking at the top risks based solely on Likelihood and Impact. This often results in the same risks staying on the risk register for years, or senior management focussing too much on the top 5 risks and not getting time to discuss the rest.

It’s no wonder senior management see this as an assurance exercise rather than something that should be adding value to the business.

So how can we fix it?

There are three key areas that need to be addressed.

A) Linkage to strategy and objectives. The two inform each other. Linking these two allows more productive discussions at senior management level and provides real value to future development of strategy and a chance to consider emerging risks.

B) Risk visualisation. In order to truly engage top management, we need to look at how we can move towards a visually-inspiring presentation of risk.

C) Timely and effective information. We need to move away from looking back at the last quarter or 6 months and move towards having up-to-the-minute information as well as having leading indicators.

Know your audience

When presenting to executive committees and Boards, a dynamic and interactive approach to risk visualisation such as that which Nico Lategan at Transport for London developed, and which is shown in Figure 1, may add value by summarising the risk register. The ability to filter out specific objectives or risks, or to focus on areas of vulnerability, at the click of a button whilst in a meeting is highly effective when discussing scenarios or strategies and demonstrates the true power of risk management in decision-making. An example of linking risk to objectives can also be seen clearly in Figure 2.

Figure 1

Figure 2

Nico Lategan, in the recent Institute of Risk Management “Fuelling the debate” energy publication, suggests that Senior Management teams tend to be made up of “big picture” people who appreciate being able to visualise their organisation’s strategy along with all the risks and opportunities and all the interconnectivity involved, which often leads to stimulating discussions and prompts several key decisions.

Whilst the examples above are proving effective for boards, in some cases discussion may require more detailed information, and alternative visualisation should be considered. Bowtie diagrams, for example, where you can dig deep into root causes, look at controls and their effectiveness, and link causes to lower level risks within the organisation, have been highly effective in these circumstances. The common theme is interactivity and visualisation depending on the makeup of senior management.

Risk Prioritisation

Engaging senior management by using risk visualisation is only half the battle, however. Ensuring that risks are prioritised based on risk appetite and up-to-date information is vital to ensuring that risk management is actually adding value. One approach that has proven popular with board members has been using KRIs and Risk Appetite.

There is much debate around risk appetite statements that are often qualitative or aspirational, limited to acceptable variations around corporate targets which, whilst looking good on paper, don’t add much value. For example, let’s assume fictitious airline company AirSafeCo states that it aims for a customer satisfaction index of 80%, plus or minus 5%. This is a nice aspiration but says little of how much risk the company is really willing to take.

A better approach might be for the company to identify the major risks that drive such variation around the target, as well as leading key risk indicators (KRIs) that alert it to changes in these risks. By establishing risk appetite statements at the KRI level, AirSafeCo obtains an early warning system that allows it to be alerted to risks to customer satisfaction objectives and to take action before it is too late.

Figure 3

Figure 3, a powerful visualization tool in itself, illustrates how to use this approach. Let’s say AirSafeCo wants to be in the top quartile of the industry in terms of passenger safety (strategic objective). It identifies three associated risk components: crash, turbulence, delays on the tarmac. Risk components have different sources and manifest themselves differently. For each major risk source, leading KRIs are sought and risk appetite statements set for these KRIs. For example, the time to buckle up during turbulence announcements may be such a leading KRI.

Specific and quantified statements for leading KRIs are created that consider both the level of risk and the cost of managing the risk (due to the number and cost of treatments).

Once this system is in place, it can be used to make decisions and take action at the required frequency: in real time, daily, quarterly, etc. When a KRI drifts away from risk appetite (the green zone), different actions are taken depending on the magnitude of the variation (orange and red zones in Figure 3). It is important to remember that a sensible action may be to actually reduce spending on control and take more risk, thus freeing up more resources to manage other risks or take advantage of opportunities.

This approach to risk appetite and KRIs provides real-time snapshots of the status of risks to the business and a perspective on their trends (as demonstrated in Figure 4), as opposed to the traditional likelihood vs impact matrix which often misses the mark.

Figure 4

Figure 4 shows which risks are most pressing based on approved risk appetites for top risks. Such a visualization tool also provides a perspective on how risks have improved or worsened over time, most likely due to management action, as demonstrated with Safety over 5 quarters. With leading KRIs and an adequate monitoring frequency, this table also allows for timely decision-making before risks materialize.

All companies and organisations, including not-for-profit ones, need to take risks in order to achieve their objectives and to thrive. This approach helps to make timely decisions on risk levels and cost of risk.
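The KRI zones and trend view described above can be expressed as a small monitoring routine. This is an added example, not part of the original article: the band limits, the quarterly readings and all function names are constructed for illustration, and it assumes a higher reading means more risk.

```python
from typing import NamedTuple, Sequence

class Appetite(NamedTuple):
    """Two-sided appetite band for one leading KRI (higher reading = more risk)."""
    green_lo: float   # below this: less risk than appetite (possible over-control)
    green_hi: float   # above this: more risk than appetite
    orange_lo: float  # outer limits of the orange zone; beyond them is red
    orange_hi: float

# Constructed band for the article's example KRI: seconds for passengers to
# buckle up after a turbulence announcement. Values are not taken from Figure 3.
BUCKLE_UP = Appetite(green_lo=30, green_hi=60, orange_lo=20, orange_hi=75)

# Constructed readings for one KRI over five quarters, oldest first.
SAFETY_5Q = [95, 80, 70, 58, 50]

def zone(value: float, band: Appetite) -> str:
    """Classify a reading as green, orange or red against the band."""
    if band.green_lo <= value <= band.green_hi:
        return "green"
    if band.orange_lo <= value <= band.orange_hi:
        return "orange"
    return "red"

def drift(value: float, band: Appetite) -> float:
    """Signed distance outside the green zone: >0 too much risk, <0 too little."""
    if value > band.green_hi:
        return value - band.green_hi
    if value < band.green_lo:
        return value - band.green_lo
    return 0.0

def action(value: float, band: Appetite) -> str:
    """Pick a response by direction and magnitude of the drift."""
    z, d = zone(value, band), drift(value, band)
    if z == "green":
        return "within appetite: no action"
    if d < 0:
        # Less risk than the appetite allows: control spend may be freed up.
        return "below appetite: consider reducing control spend"
    if z == "red":
        return "above appetite: escalate"
    return "above appetite: review treatments"

def trend(readings: Sequence[float], band: Appetite) -> str:
    """Compare the first and last reading by absolute drift from green."""
    first = abs(drift(readings[0], band))
    last = abs(drift(readings[-1], band))
    if last < first:
        return "improving"
    if last > first:
        return "worsening"
    return "stable"

def report(readings: Sequence[float], band: Appetite) -> dict:
    """One row of a Figure 4 style table: zone per period, current action, trend."""
    return {"zones": [zone(v, band) for v in readings],
            "action": action(readings[-1], band),
            "trend": trend(readings, band)}

if __name__ == "__main__":
    print(report(SAFETY_5Q, BUCKLE_UP))
```
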

How Real is the Cyber Threat?

Originally published by Strategic Risk Magazine


Risks in Iraq – Road infrastructure related risks

Road related risks come in many forms, whether it’s traffic, lack of roads, lack of bridges, bridges that can’t carry heavy loads, roads that are not fit for purpose or roads that are not wide enough for delivery of critical equipment. Before embarking on any major project it is vital to fully understand the status of road infrastructure in the area of work. This is often not easy, as access to sites in Iraq during tender stages of projects can be restricted due to land ownership issues, land mines not having been cleared etc.

Road infrastructure on Large Equipment Delivery

1. Road not wide enough for trucks

One of the critical factors in delivering equipment to site is the width of roads allowing trucks to access them. Often, roads are not wide enough in places to allow access for trucks carrying large equipment. This can lead to delays or additional cost to the company in order to build sufficient roads to allow access to these trucks.

2. Road closures leading to delays to delivery

Due to the poor quality of roads in Iraq, work often needs to be undertaken in order to fix them. During this period, roads are closed, meaning that equipment ready to be transferred from port to site may not be able to leave the port, leading to delays to the project or even exposing operations to major disruption if it is replacement equipment. There are other reasons why roads may be closed, including security issues, which makes it vital that the company is aware of alternative routes (or the lack thereof).

3. Bridges unable to take weight of trucks

Basra is essentially based around marshland with rivers flowing and bridges needed to cross key access points. There is a risk that some bridges are unable to take the weight of some trucks or trucks with heavy equipment which the company may need to resolve by building alternative crossings or seeking out other routes which could come with their own issues such as security etc.

4. Trucks getting stuck on roads

Due to some roads being in severe states of disrepair or being essentially dirt roads, there is a risk that a truck can get stuck on the roads or mud (during periods of rain). The company should consider this in their delivery strategy ensuring that heavy or critical equipment is delivered outside the rainy months and ensure that all vehicles are fit for purpose, maintained and tires changed regularly in order to withstand major potholes.

In order to overcome some of the above risks, alternative strategies should be sought in order to ensure delivery, such as considering a modularised strategy in order to allow smaller pieces of equipment or piping etc. to be brought to site before being assembled.

Road infrastructure on Large Equipment damage

1. Damage to equipment due to bumpy roads

I mentioned before that the condition of the roads can be poor and lead to a very bumpy ride. Assuming the vehicle doesn’t get stuck, there is still a risk that the equipment, if not secured effectively (this can be difficult to monitor when using subcontractors in Iraq), can either be damaged during transportation or, worse, fall off the vehicle, causing more severe damage.

Road infrastructure on access to sites

1. Delay of project startup and mobilization due to limited access to site

Assuming there is no infrastructure on the site of work (green field site for example), there will obviously be a delay to the project startup with teams needing to arrive on site in order to build basic infrastructure. Something that can delay this further is the fact that the site may be on marshland, causing great difficulty in sustaining the basic infrastructure when the rainy season comes. Assuming the initial roads are washed away with rain, significant delays can be expected. Additionally, some roads may be flooded if there isn’t a full understanding and plan of where the marshlands flood.

2. Delays to work on marshland sites during rainy weather due to lack of roads

As mentioned in the previous risk, where there is marshland there may be no access to road infrastructure during the rainy season. Whilst I suggested it would be vital to consider the flood plains and build around this area, there will no doubt be areas that are unavoidable, such as pipelines running through the marshland. This means that any roads that are built will need to be built higher than the floods and be able to withstand excessive water before the rainy season.

Risks in Iraq – Holiday related risks

One of the interesting aspects of Iraq is the vast number of holidays that they have throughout the year. This often makes it very difficult to plan schedules, especially if the contractors don’t have experience of working in Iraq or indeed, the Middle East. Even if they do have experience of the region it can still be difficult. What is even more tricky is trying to adjust for productivity drops during these periods. Very few companies have accurate data or history of productivity in Iraq, and the unique nature of the country as well as holidays and the fact that it is still a war zone in many places make predicting productivity very difficult.


Ramadan holidays

Ramadan is the ninth month of the Islamic lunar calendar. Every day during this month, Muslims around the world spend the daylight hours in a complete fast. During the month of Ramadan, Muslims all over the world abstain from all food, drink, and other physical needs (such as smoking or sex) during the daylight hours. Ramadan is much more than just not eating and drinking; it is a time to purify the soul, refocus attention on God, and practice self-discipline and sacrifice.

Due to the fasting, work hours are often reduced and productivity is lower.

1. Lack of sufficient consideration of productivity in schedule for Ramadan

Often, foreign contractors can underestimate the impact on productivity that Ramadan has on a schedule. The shorter working hours, prayers during the night and fasting during daylight hours take a toll on workers (and especially during the last few years when Ramadan has been overlapping with long hot summer months). If productivity isn’t considered carefully, and either extra manpower or more time is accounted for, then a schedule can fall seriously behind during Ramadan.

2. Increase in accidents and errors

Due to the lack of concentration brought about by tiredness and fasting, there is an increased risk of accidents and errors occurring. This can be in the form of HSE related injuries to employees themselves, damage to equipment, or quality failures that may require rework later in the project or even at the time, leading to further delays.

For operations the impact can be even greater, with damage to equipment causing considerable production downtime. The damage to equipment doesn’t have to be direct either; it can be a result of mistakes during maintenance which in turn lower reliability, or even a mistake causing a power cut and power surge which can damage equipment.


Short and unplanned holidays

1. Lack of sufficient consideration for inclusion of holidays in schedule

Similar to Ramadan, there are often key holidays that are left out of schedules. This is especially true when entering new territories in which the project team or company has little experience of working. As an example, in Iraq, there are 10+ days of holidays at the end of the year that many companies were unaware of and that were unaccounted for in the schedules. There are also a number of 1 or 2 day holidays throughout the year for various prophets’ birthdays, and these can differ from region to region. It is therefore vital to understand fully the number of holidays during the year prior to starting the project.

2. Underestimating the number of days that holidays will impact schedule

Interestingly, even when a project team feels that it has accounted for all the holidays, there may be an underestimate of the number of days that the holiday will impact. If you take Eid for example, the official number of days holiday for Eid will be about 5-7 days. Often, however, there can be an additional 2 or 3 days on either side of the holiday where workers do not turn up for their work. There are a number of reasons for this, including lack of public transportation in their home towns, length of time to reach and come back from their home towns (especially in a country with red zones), extended breaks of bus drivers around the country and sometimes the worker simply feels like taking a couple of days extra off.

3. Increased incidents of protests

Something that often occurs in Iraq is that when a short holiday is announced it allows tribes to gather, unhappy workers to gather and organised events to occur. It allows these disgruntled workers or tribes to organise themselves and protest which will often have an impact on deliveries to site, safety of staff traveling around sites and security of some sites. There have been instances of offices and sites being stormed or targeted leading to asset damage, injury to staff and theft.
In some instances this has stopped operations and significantly delayed construction due to materials being missing or key equipment being damaged.