What is risk governance?
Risk governance is not so much a tool as it is a way of handling risk in general. It is a systematic process to identify, rate, control and economically assess risk in an organisation. Effective risk governance starts with making a risk profile for the organisation. Risk profiling is the act of establishing what an acceptable risk is to the organisation, whether risk is evaluated in terms of money, reputation or damage, and the risk profile should be made before risk governance begins. Like all other risk tools, it serves as a cost-saving as well as a time-saving mechanism if done correctly.
It involves five phases/elements: risk identification, risk description, risk evaluation/assessment, risk strategy and risk reporting.
Risk identification – What we know from previous encounters. This is where the organisation looks at what has happened to it before, or tries to identify risks it has not encountered yet. It is usually performed either proactively or reactively.
- The proactive method is where you try to imagine the risks you are vulnerable to, by analysing risk factors and performing a likelihood evaluation.
- The reactive method is where you analyse previously encountered risk scenarios and register them according to organisation-specific variables. By looking at previous events and evaluating them, you learn over time how to manage these risks so they become less likely.
Using both methods will probably yield the best result. But it can be hard to successfully imagine risk, so we recommend at least being reactive, and then, once there are enough registered events (hopefully not), trying to imagine what else could happen. It is also a good idea to hold brainstorming sessions at regular intervals with engineers, risk managers and financial managers, to at least try to see whether there are any future risk scenarios you should be aware of. This can be done with the previously described risk tools: Brainstorming and Scenario risk analysis.
Risk description – This is the phase where you establish a “common view” of risks.
- Here you should establish what you, as an organisation, see as risks, to create common ground for how a risk is perceived and experienced.
- This is important because if the organisation doesn’t have a common risk perception, then it’s hard to learn from a previous event. There will always be someone who sees a risk that someone else doesn’t.
Risk evaluation/assessment – This is the phase where the risks are evaluated/assessed.
- Risks are evaluated and rated according to the organisation’s risk profile to determine which are acceptable and which are not.
- This is also the phase where the organisation re-evaluates its risk profile if necessary. In the risk evaluation/assessment phase you rate each risk on two dimensions: likelihood and consequence.
- This should result in a vulnerability analysis, which is a ranking of one’s vulnerabilities.
Risk strategy – How should the organisation handle risks?
- In this phase a strategy for risk management is chosen based on the previous evaluation of the organisation’s vulnerabilities. This can be done with a risk matrix, where you place each risk in its respective “field” in the matrix (green, yellow, red) according to its likelihood and consequence. Then you make a plan for handling those risks, starting with the red ones, i.e. the ones that are most likely and have the highest consequence.
- This is where each risk is either accepted or deemed unacceptable. If a risk is deemed unacceptable, then a plan should be implemented to remove that risk, or at least to lower its likelihood and/or consequence.
- Ideally every risk is removed, but that is not realistic. The goal should be to lower every risk as much as possible while still being able to run your company. That is why evaluation is important. In some areas of operation some risks are accepted even though they are rated as catastrophic, e.g. in nuclear power plants: the risk of a meltdown is accepted, but it is managed by safety procedures and other mitigative barriers.
Risk reporting – The last phase in this risk governance “tool”. This is where you report your findings to the corporation, and an evaluation is made of the whole process.
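As an added worked example (not part of the original page) of the evaluation and strategy phases: a small risk register is rated on assumed 1 to 5 scales for likelihood and consequence, placed in a green/yellow/red matrix, re-rated after mitigative barriers, and ranked red-first. The matrix thresholds, risk names, ratings and the explicit acceptance case are all constructed assumptions, not an organisation's real profile.

```python
"""Risk matrix for the evaluation and strategy phases (constructed example)."""
from dataclasses import dataclass, field

# Matrix fields indexed by consequence (row, 1-5) and likelihood (column, 1-5).
# G = green, Y = yellow, R = red. These thresholds are an assumption; an
# organisation sets its own as part of its risk profile.
MATRIX = {5: "YYRRR", 4: "GYYRR", 3: "GGYYR", 2: "GGGYY", 1: "GGGGY"}
COLOUR = {"G": "green", "Y": "yellow", "R": "red"}
RANK = {"red": 0, "yellow": 1, "green": 2}  # red fields are handled first


def band(likelihood: int, consequence: int) -> str:
    """Place a (likelihood, consequence) rating in its matrix field."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be rated 1..5")
    return COLOUR[MATRIX[consequence][likelihood - 1]]


@dataclass
class Risk:
    name: str
    likelihood: int
    consequence: int
    barriers: list = field(default_factory=list)  # (name, likelihood cut, consequence cut)
    accepted_by_decision: bool = False            # explicit acceptance despite the rating

    def residual(self):
        """Re-rate after barriers; a barrier lowers likelihood and/or consequence."""
        lk = max(1, self.likelihood - sum(b[1] for b in self.barriers))
        cq = max(1, self.consequence - sum(b[2] for b in self.barriers))
        return lk, cq, band(lk, cq)


def plan(register, accepted_bands=("green",)):
    """Rank by residual field (red first) and flag what falls outside the profile."""
    rows = []
    for r in register:
        lk, cq, b = r.residual()
        # A risk outside the accepted bands is only acceptable by explicit decision
        # and only while barriers are actually in place (the "managed" case).
        ok = b in accepted_bands or (r.accepted_by_decision and len(r.barriers) > 0)
        rows.append({"name": r.name, "inherent": band(r.likelihood, r.consequence),
                     "residual": b, "score": lk * cq, "acceptable": bool(ok)})
    return sorted(rows, key=lambda x: (RANK[x["residual"]], -x["score"]))


# Constructed register; the ratings are illustrative, not measured.
REGISTER = [
    Risk("Ransomware on file servers", 4, 4, [("Patching", 1, 0), ("Offline backups", 0, 1)]),
    Risk("Phishing leads to credential theft", 5, 3, [("MFA", 2, 1)]),
    Risk("Lost unencrypted laptop", 3, 2),
    Risk("Datacentre fire", 2, 5, [("Fire suppression", 1, 0)], accepted_by_decision=True),
]

if __name__ == "__main__":
    for row in plan(REGISTER):
        print(row)
```

The output is the handling plan in priority order: the ransomware risk stays yellow after barriers and is flagged as not acceptable, while the fire risk stays yellow but is accepted by decision because barriers are in place.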
Why is it a good idea to do risk governance?
First of all, it is good to know how likely your organisation is to be “hit” by a specific risk, because then you can manage it! Secondly, it saves the organisation a lot of money, both in terms of equipment and in terms of reputation. You gain branding opportunities by being able to say what a safe company you are. You lessen the fear of accidents among workers and therefore keep a human gain, instead of having workers who are scared of coming to work.
- IRGC is a good place to start. Their explanation can be found here.
- Another IRGC article about the framework for risk governance can be found here.
- CIO Wiki is also a good place to get an overview. See it here.
- ScienceDirect is another great place to look; this one is aimed at the IT sector: https://www.sciencedirect.com/topics/computer-science/risk-governance.