In a recent CEO Institute Syndicate meeting, a guest speaker said he was asked to review an organisation’s updated risk register. He commented that what he saw was a sound, comprehensive piece of work. He surprised the gathering by stating that the register greatly missed the point. In explaining himself, he said that it was mostly about catastrophic risks and primarily about risks to avoid. As quoted, "sure these are important and easy to visualise, like exploding drilling platforms (BP), beef patties made from horse-meat (UK supermarkets) and hacker attacks (Sony Pictures) to mention just a few."
The danger for managers is that these sorts of risk are so vivid that they distract attention from a different type of risk. Our guest then quoted Theodore Roosevelt...
“Far better is it to dare mighty things, to win glorious triumphs even though checkered by failure than to take rank with those poor spirits who neither enjoy much nor suffer much because they live in the grey twilight that knows neither victory nor defeat. Risk is like fire: If controlled it will help you; if uncontrolled it will rise up and destroy you.”
Our speaker said, the risks which will kill us are the ones we don't know we aren't taking. Specifically, it is the risks we ought to be taking in order to move the business forward, but are not. New products, new markets, new processes or changed business models. We need these to secure the business long term. These can be hard to notice when we aren't taking as many of these risks as we could, or should. We can identify risks in what we are currently doing, or in proposals put forward, but what do we know of proposals that aren't put forward?
All activities undertaken must be consistent with our organisational values, objectives and strategic plan. While we avoid activities that result in undue or unreasonable risk, achieving goals often requires innovation and new or novel practices.
He suggested that a Risk Appetite Statement is needed to set out the core principle of the enterprise, interests of stakeholders and the relationship between the organisation and its stakeholders. The company should always be averse to risks that materially affect these matters.
With the above exceptions, business should be open to accepting varying degrees of managed risk to achieve its objectives. By recognising and analysing the operating environment, business can identify and manage risk on a considered, informed basis. Often Boards have a view that risk appetite should vary across different risk types.
Our speaker suggested tying a key performance area to the business's appetite:
- Strategic: consider all strategic options and select one most likely to result in successful achievement of critical success factors.
- Financial: a stable, strong financial position allows the undertaking of business plans and protects financial assets; it provides reserves in adverse operational and financial environments.
- Reputation: integrity and competence shouldn't be compromised; no incidents involving major breaches of integrity, ethical or professional standing. Activities undertaken mustn't compromise the business’s reputation.
- Operational: efficiency is a high priority to maximise the ability to pursue objectives. Efficiency is within business’s control and should be a strong focus for all staff.
- Regulatory, compliance & legal: have low tolerance for compliance breaches.
- Workplace health & safety (WHS): no reason for health or safety risks. Policies and procedures must be kept up-to-date and periodically reviewed. Managers must ensure staff are aware of and understand business’s WHS policies and procedures.
Companies should be working to advance a culture of risk management across the organisation to a point where it's used effectively and consistently in decision making. Risk management is 'everyone’s business' - Board, managers and staff at every level.
The CEO Institute was founded in 1992. It is now Australia's leading membership organisation for CEOs and senior executives. It provides a forum for over 1,000 Chief Executive members to connect and share their learning with each other. In 2011, The CEO Institute became the world’s first global certification body for CEOs, and in 2013, partnered with UNESCO in support of the "Malala Fund for Girls' Right to Education". In 2014, they began offering their programs globally.
The CEO Syndicate is an exclusive peer support network for CEOs. The first meeting of The CEO Syndicate program was held in Melbourne in June 1992. Offices were opened in Adelaide in 1996 and Sydney and Brisbane in 1997, with Perth launching in 2007. In 2015, the New Zealand office opened.
The Future CEO program is a certification course designed by the business leaders of today for the business leaders of tomorrow. The first Future CEO meeting was held in Melbourne in May 2012. In 2014, the "Future CEO Scholarship Fund for Women" was established, and continues to be offered today.
Membership of The CEO Institute is by invitation only.