Is risk management more than just putting up warning signs?

Peter Björklund Senior Business Consultant, Solita

Published 02 Nov 2023

Reading time 4 min

Risk management could be the best continuous improvement process out there

After having spent over a decade working with business process management, I have become convinced that one of the biggest drivers for process improvement is risk resilience, ensuring business compliance and business continuity. The last couple of years, with unprecedented events and all kinds of uncertainty, most certainly proves that point. Meanwhile, many in my line of business would rather consider business transformation and innovation to be the main, if not the only, drivers for business process improvements. Hence, the risk management function is placed in a completely different silo, not even recognised as an awesome source for improvement initiatives and perhaps even more capable of saving money than any other department.

Your typical risk management process (1. Objective setting 2. Risk identification 3. Risk evaluation 4. Risk mitigation 5. Risk reporting and analysis) is one of the most battle-proven and effective methods out there to identify the obstacles that stand in our way to success. It´s not rocket science, it´s not trying to add administrative work, it is just common sense. It´s like looking left and right before crossing the street. If that work is not already integrated into your improvement processes, you should do it ASAP.

What can go wrong? vs What must go right?

However, I do believe that the risk management department also needs an adjusted approach. Unfortunately, most risk workshops start with asking the team “What can go wrong?”. We try to identify events that are bad for us, in other words, a risk is equal to a future ‘negative’ event. With this type of evaluation, the risks are only considered to be things we don’t want to happen, there is just loss and no gain. Consequently, risk management is branded as something that identifies judgement day scenarios and in addition generates administrative work. No wonder why “business innovation” sounds a bit more attractive.

Of course, identifying unwanted events is still a big part of risk management and should not be forgotten but I do suggest that we also ask ourselves “What must go right?”. For example, if our strategy states that we are expanding our business in a new market, that event could have a degree of risk but also a reward. Hence, they cannot be judged as typical downside risks that only consider the damage. So instead of shooting down the strategy by seeing all the dangers we should rather place the risk in relation to the reward. This could then facilitate a more balanced dialogue about taking risks and reaping rewards. One could also claim that this question is mainly relevant to strategic and business risks, not operational risks or compliance risks. Ultimately, by distinguishing between strategic and operational risk your risk evaluation workshops might be even more to the point. In addition, from a risk reporting perspective, we use a risk/reward diagram in parallel with the traditional heatmap.

Understanding the business landscape is a prerequisite

As risks are very much a consequence of the business model, our ways of working and everything related to that, a common view of the business landscape is crucial. At Solita we are experts in creating this common understanding. Through a set of workshops and interviews, we establish maps of the business eco-system and initially, we use these maps to identify problem- and opportunity spaces. We strongly believe that if these structures aren’t transparent, we won’t have the ability to identify where the future opportunities (read: events) are and how they impact the organisation. If you do have this transparency and can identify opportunity spaces you will be equipped with great tools for assessing flaws in business processes, negative customer experiences, outdated IT solutions, etc. In other words, these elements carry great risks but also great rewards if handled correctly. Bear in mind that this is a joint effort between business leaders, workforce representatives and other subject matter experts. The workshops are often facilitated by business designers and business architects. But this is where I also suggest inviting the risk managers and risk owners of your organisation. Risk awareness will add balance to the great plans and allow decision-makers to take calculated risks. 

Risks blog

Risk/reward + Damage/Probability

I also suggest complementing the traditional heatmap with other types of evaluations and reporting tools. When identifying events that only have a downside, obviously they are placed as risks in the traditional heatmaps. However, if you identify events that entail some risk but also an opportunity to improve, then it cannot be measured through the probability and damage dimensions. Those events should be placed in a Risk and Reward matrix. For example, entering a new market is filled with risk but if managed correctly it could mean increased revenue, which is the reward.

Risks blog

Include a space for the opportunity post-it on your whiteboard

To conclude this blog post I would like to call out to all risk management teams to have lunch or coffee with the business designer and architects in your surroundings. I’m convinced that they have the tools to provide even greater transparency and understanding of your organisational structures and dependencies. Next, you start to plan sessions where the ecosystem is mapped and assessed. Will you only find downside risk? Or will there also be opportunities with both an upside and a downside? And please, when you prepare the spaces for your risk post-its, include a space for the opportunity post-its as well. 

Read also about our Lifecycle services.

  1. Business