Organisational risk: Predicting the unpredictable.

We can now add 'cost of living' to a growing list of modern day challenges which include: global pandemics, deteriorating geopolitical landscapes, climate crisis, etc. So, whilst the world continues to accelerate away from any previous 'norm', how do we manage the increase of known unknowns and unknown unknowns within our existing risk frameworks?

In short, every organization must be underpinned by a risk register. This document contains: risk description, type (business, operational, etc.), likelihood, severity, measures to prevent/ mitigate/ transfer risk, owner and status. This is derived using generic hazard identification methodology(s) which measure against potential impact/ interface with interested parties.

I tend to begin with a PESTLE (political, economic, social, technological, environmental, and legal) which I combine with a SWOT (strength, weaknesses, opportunities, and threats). If we look at ISO to help us define 'interested party' then they talk of 'those who affect or can be affected'. Examples would include employees, suppliers, regulators, pressure groups, etc.

By using both methodologies in unison, an organisation can populate their risk register and create their own unique risk profile (appetite v capacity v requirement). By doing so, they add meaningful perspective to their strategy and objectives, which in turn informs vision and mission. In times of change, such as now, an organisation can live and die by a risk register.

The secret to having an accurate risk register is matching the management of the document (frequency and competency of review) with the threat landscape/ hazard burden. This is where a risk management professional pays for themselves many times over by ensuring that the register is current, and matching the contents with usable quantitative risk probability.

There are several proven methods that can help you to accurately quantify risk, these range from sensitivity examinations (often seen as a tornado diagram) to expected monetary value (EMV) analysis (commonly used in decision trees). However, what all quantitative methods deliver are verifiable data sets that leaders can employ to make objective decisions.  

It is by following this journey map (or something relatively close) that resilience can be built through solid business continuity management (BCM) practices. This is because, without the hazards from a PESTLE being fed into a SWOT and captured in a register with assigned probabilities, your business impact assessments (BIA) can only be subjective guess work.

In summary, an effective risk professional is an evidence-based influencer who coordinates a quorum of discipline experts with external sources to derive an accurate risk-related picture which helps inform your decision making. If you don't have one, you could be living in a...