By Colin Weatherby 900 words
Lancing Farrell raised several important issues in providing advice to a colleague regarding risk management. How does a council balance the pressure not to take risks and fail, with the competing pressure (often from the same sources) to take risks and meet demands to create new value?
Risk is an interesting concept and there are various definitions. I like to think of it simply as the uncertainties related to achieving your goals. It is about the hazards along the pathway as you make your way towards your destination.
Businesses that don’t take risks will fail. They become uncompetitive or customer satisfaction drops. Either way, they lose business to competitors taking risks to create value that customers want and will pay for. We can all think of the companies that have taken big risks in redefining a service or product to create a new market.
You are probably wondering what this might have to do with local government. Aren’t we just doing what we have always done?
Many councils are. Whether they should be, or whether they will be able to continue to do so, should be questioned. We now live in the ‘age of the customer’ – residents want personalisation, mobility, self-service, rapid response, and efficiency (efficiency for them, not the council). The variability introduced by customers must be quickly and effectively absorbed by the organisation. Complexity, by its very nature, creates risks.
In conjunction with mandated limits on prices (the rate cap) and growing numbers of customers (as Lancing points out, Melbourne is growing rapidly), the rising expectations of residents means that councils must do things differently. Different usually involves risk taking.
I recently attended a training session on developing an organisational risk appetite. It showed me how councils could identify hazards and manage risks differently, yet still satisfy the pressure to stop things going wrong while meeting the demand to create new value. It needs a re-think and a more sophisticated approach to risk and compliance.
Every organisation has risk exposure. In simple terms, this is the potential for loss that might occur as a result of an activity. This is about threat. As we all know, you can’t let this stop you getting out of bed.
There will be a maximum amount of risk that an organisation can take before its viability is threatened. This sometimes called the risk capacity. We all have limits on the risk that we can tolerate before it stops us sleeping and we become nervous wrecks.
The risk appetite exists somewhere in the range of risk exposure between no risk and the risk capacity. It is the amount and type of risk that an organisation is prepared to accept or pursue. Those of us who drive to work will be finding our risk appetite – do we leave early to make sure we arrive on time despite the traffic or do we rely on a few short cuts that we know when traffic is bad?
There will be an upper limit to the risk and organisation is prepared to accept. Risk tolerance is the top end of your risk appetite. This is shown in the following diagram.
This is a simple framework for thinking about taking and managing risk.
If the risk level is above the risk capacity action must be taken immediately to reduce it so that it is within the risk tolerance. The viability of the organisation is at risk.
If the risk level is below risk capacity and above risk tolerance (the upper threshold for risk), action must be taken to manage and reduce the level of risk to be within the risk appetite. This is where most risk management effort at councils is currently directed.
Finally, if the risk level is below the lower threshold of the risk appetite, the organisation should focus on activities that increase the risk exposure into the risk appetite range to achieve strategic objectives.
The benefit in identifying the risk appetite is that it encourages ‘risk-enabled’ performance to assist everyone in the organisation to achieve strategy objectives. Fewer decisions will be sent upstairs for the Executive to make. It creates the freedom for action within boundaries.
This post is not a recipe for creating risk appetite statements. Skilled assistance is required to ensure that the risk appetite is accurate for the different types of risks and for the organisation. It is worth noting that risk appetite statements can take different forms.
A risk statement can be a simple statement of principles related to behaviours. For example, ‘We have a low appetite for risks that impact on our brand or reputation. You should always minimise the likelihood of negative reputational impact’. My guess is that this is part of the current risk appetite for most councils, albeit unwritten.
Or, it could be a statement that specifies limits on the impact of risk exposure. For example, ‘An occasional negative article in the local press is acceptable but not on the front page’.
It could also simply state the organisations tolerance for actions. For example, ‘We never want to see negative articles in the local press’.
Whatever form it takes, an effective risk appetite statement addresses organisational strategy and is nuanced enough to accommodate different types and levels of risk. It sets boundaries and accountabilities that provide sufficient flexibility to pursue opportunities and achieve strategic objectives.
Most importantly, a risk appetite statement supports risk taking to create value for customers and the community.