7 insights from “Planning and managing risk scenarios” with White Label Consulting
Whether you work for a global enterprise that operates in a highly regulated industry or you’ve just launched your own start-up in the retail sector, risk management is a topic that will apply to you and is an area you simply cannot afford to ignore.
As it holds such universal importance and relevance, we decided to make risk management the next focus of our webinar series Compliance Best Practices and invited Magdalena Goralczyk to discuss the most effective ways to work with the process.
Magdalena is a partner at White Label Consultancy, a boutique consulting firm operating within privacy, data protection and, starting in January, security. Coming from a corporate and privacy background, Magdalena has a wealth of experience managing risk scenarios for large, highly regulated organisations. She has also gained deep insight into the risk landscape of smaller businesses since starting her own company, which has taught her about the more holistic approaches some teams require.
Having worked with companies of all sizes and sectors at various stages of what she playfully calls their “risk adventure”, Magdalena has a broad overview of different types of risk management and processes. Kindly, she agreed to share her advice in our latest webinar, focusing in particular on reporting risk in a more valuable way and ensuring your risk results make a difference.
First up, what is risk management?
One of the first questions we posed to Magdalena was a common query among clients – how do you define risk management?
While Magdalena was quick to point out that the answer will always vary slightly depending on your company size and what you do, she says risk management is about:
“Going back to the basics and actively approaching what can endanger your company and what can truly bring it to its knees.”
Although a quick Google search will probably tell you that risk management is about providing controls and mitigations to counteract potential threats, Magdalena suggests it’s more about asking yourself: “What’s the worst thing that can happen to us? Can we do something about these risks? How do we prepare our company for these scenarios?”
For large enterprises that face major risk scenarios, identifying these areas can be a lengthy and extensive undertaking, whereas for some scale-ups, which have less to lose in financial terms and brand value, it may be a lighter exercise.
However, no matter your company size, it’s an essential process for any organisation that wants to protect itself from internal or external threats and unlock the many benefits and business opportunities that risk management can bring.
INSIGHT #1: WHEN IDENTIFYING RISK, START AT YOUR CORE
Whether you’re at the very beginning of your risk management journey or you’re revisiting existing measures to increase efficacy, you’ll know that the number of potential threats can seem overwhelming.
Magdalena advises always starting with the question: “What does my company do at its core?”. For example, do you mainly work with IT solutions? Do you depend on a third-party service? Is data processing integral to the delivery of your product?
By establishing your core purpose and functions, you can then start identifying your core risks and move on to figure out what steps you need to take to counteract them.
For instance, if you work at a large insurance company, your core risk is going to be losing your licence. If you lose that, you can no longer operate as a business. So, you’d need to work out which situations could lead to this, what could prevent them from happening, and what mitigations need to be in place to counteract these risks.
INSIGHT #2: RISK MANAGEMENT SHOULD PREPARE YOU FOR THE UNEXPECTED
It’s highly unlikely that any business will be able to pinpoint the exact nature of every risk that comes its way.
COVID is a prime example. It’s unlikely that most companies had a global pandemic listed as one of their number one risk scenarios for 2020. The likelihood of the events that unfolded over the past year and a half would have been hard to imagine, let alone predict.
However, Magdalena suggests that by starting at your core business purpose and risk, you can always use your risk management efforts to prepare for major disruption. “In principle, the whole risk management process should prepare you for the unexpected,” says Magdalena.
For example, if you know your company is dependent on IT, then you’d put in place mitigations for what could happen if any software in your tech stack were disrupted. If you rely on a delivery chain, what can you do at each stage if there’s an issue in the flow? Or, if data protection is central to your operations, what would you do in the case of a data breach?
“Sit down with a piece of paper,” suggests Magdalena, “and start looking into what could happen to your company that would look really, really, really bad.”
INSIGHT #3: GO FOR BROADER DEFINITIONS OF RISK
On the subject of defining risks, Magdalena advises that if this task becomes tricky, you should always spend more time discovering mitigations and less time defining risk.
For instance, if we revisit the insurance company example, the most extreme risk they’d face is the loss of their licence. This is a generic, broad definition of their core risk, since it does not say which specific actions caused the loss, but it still lets the company start working out how to mitigate the scenario. Could there be illicit activity within the company? Would a change in the regulatory environment cause a problem?
Through discovering mitigations, you’re able to deepen your understanding of the risk in question. It’s also a more productive exercise, as mitigations should naturally improve your company, helping bring greater value to the business.
Imagine your core risk is a ransomware attack. Even with that broad definition, you can walk through your systems and locate the vulnerable or exposed parts of your infrastructure. The same exercise doubles as a review of how secure, and how relevant, each component of your tech stack still is, which provides immediate value to the company.
INSIGHT #4: CONSIDER ROLES, RESOURCES AND RISK PROFILES
Once you’ve identified your core risks, the next three areas to look at are employees in your company, available resources for the project and your business’ unique risk profile.
When it comes to employees, you need to figure out who is responsible for your business as usual activities and who delivers your main services to clients. You then have to work out what could happen to them.
HR will be particularly useful at this stage, providing insight into who carries out which tasks and what risks could interfere with their roles and responsibilities. In some companies these risks are physical. In others, an event such as COVID can create unsatisfactory remote-working conditions that lead to high employee turnover.
Magdalena raised the point that available resources, as always, will depend on your company. Not all companies will need a full-time risk manager or a dedicated team. Some businesses may have someone who spends 20% of their time driving and maintaining risk-based projects, with check-ins scheduled for bi-annual board meetings. Others, who are perhaps working with a more established risk management culture and history, along with sufficient budgets, will be able to put together an entire risk team who are in regular communication with stakeholders.
When it comes to risk profiles, again, every company will be unique. However, some of the key questions Magdalena mentions that help her clients get a sense of where they are in the market include: “Are you a start-up and therefore potentially have less to lose financially and through your brand value?”, “Are you a regulated industry?”, and “What industry are you working in?”
She also suggests you should revisit the question: “What’s core to your business?”. This question, in particular, will ensure you don’t ignore major areas of business exposure. For example, if you rely on an external company to deliver your goods, you need to assess what might happen if they could no longer distribute your products.
Rather than being overwhelmed by the number of potential risks, Magdalena advises starting small, stating: “I’d rather have a well-working process that is very minimal than a massive one with bells and whistles. Start with a simple scenario and just try to stack things up.”
INSIGHT #5: WEIGH UP THE LIKELIHOOD AND CONSEQUENCES
When identifying your risks, you will often end up with a long list of possibilities. At some point you need to evaluate which risks are most likely to happen and what consequences they would have. That is where the likelihood and consequences step comes in.
Analysing your risks in this way allows you to prioritise your strategies and ensures you’ll tackle any threats in the right order.
On this topic, Magdalena offers up a top tip of focusing inwards, rather than spending too much time investigating your industry:
“You can, of course, look on the internet and find different scales. Instead, look into your company. Really examine the likelihoods and consequences for your company that fit with the systems, processes and financials you have in place. The consequences will be very different for a company that has a bigger or smaller budget than yours.”
INSIGHT #6: LOOK BEYOND PURELY ECONOMIC RISKS
Although you could argue that everything eventually translates into economic impact, it’s best practice to look at different types of risk, not just obvious financial issues. Some of your risks may be regulatory; others could be related to your brand; some are dependent on compliance.
Make sure you look into all the varied sources of business disturbance. Then, revisit your likelihood and consequence process, working out which risks are more relevant to you.
Don’t get too hung up on assigning the precise financial implications to each risk, as this can be time-consuming and problematic, but use this exercise as a guide to measuring risks against each other so you can get prioritising.
INSIGHT #7: RISK MAPS ARE ESSENTIAL TOOLS
When balancing up whether to tackle the most likely but low impact risks or the less likely but high impact risks, Magdalena recommends creating a trusty risk map.
For anyone new to risk maps, you start by rating each risk on two axes: the likelihood that it occurs and the impact it would have if it did. We always recommend a four-tier labelling system for both axes: very low, low, high and very high. A four-tier scale has no middle value, so no risk can be parked as “medium”. With these two ratings, you then plot each risk onto a square heat map, which helps you visualise where to direct your attention.
As a general rule, you should always try to mitigate the highest and most impactful risks. However, there could be some “low hanging fruit” in terms of easy solutions for highly likely, but low impact risks that you may want to take immediately.
Magdalena gives some handy questions to help you decide where your priorities are going to go. If you’re choosing between risks, ask yourself questions such as: “What would be the mitigations with this risk? Are they doable? Are we willing to invest time, innovation and money into handling this risk? Can we afford to ignore it?”
At this stage of decision-making, Magdalena raises the importance of having C-suite buy-in. Time spent on mitigations is time taken away from other business areas, so you need senior management involvement to secure it. If the appropriate resources are not granted, the decision to accept the risk lies with those making top company decisions, and it should be recorded as an explicit acceptance rather than left implicit.
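To make the likelihood and consequences step (Insight #5) and the heat map (Insight #7) concrete, here is a small worked example of a risk register scored on the four-tier scale above. It is added here as an illustration and is not code from the webinar, White Label Consultancy or Complyon. The numeric weights (very low = 1 up to very high = 4, score = likelihood × impact), the extra “mitigation effort” field used to spot low-hanging fruit, and the sample risks themselves are all assumptions made for this example.

```python
"""Score a risk register on a four-tier likelihood/impact scale and plot a 4x4 heat map.

Added illustration only; the weights, the mitigation_effort field and the sample
register below are assumptions of this example, not material from the webinar.
"""
from dataclasses import dataclass

# Four-tier scale from the webinar; the 1..4 weights are this example's assumption.
TIERS = {"very low": 1, "low": 2, "high": 3, "very high": 4}
TIER_NAMES = ["very low", "low", "high", "very high"]


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str          # one of TIERS
    impact: str              # one of TIERS
    mitigation_effort: str   # "low" or "high"; assumed field used to flag quick wins


def score(risk: Risk) -> int:
    """Likelihood x impact on the 1-4 scale: 1 (negligible) up to 16 (critical)."""
    return TIERS[risk.likelihood] * TIERS[risk.impact]


def classify(risk: Risk) -> str:
    """Bucket a risk the way the heat-map discussion suggests prioritising it."""
    likely = TIERS[risk.likelihood] >= 3
    severe = TIERS[risk.impact] >= 3
    if severe and likely:
        return "mitigate now"
    if severe:
        return "plan mitigation"        # unlikely, but would hurt badly if it happened
    if likely and risk.mitigation_effort == "low":
        return "quick win"              # the "low hanging fruit" case
    return "accept or monitor"          # acceptance is a senior-management decision


def prioritise(risks):
    """Highest score first; ties broken by impact so severe risks outrank frequent ones."""
    return sorted(risks, key=lambda r: (score(r), TIERS[r.impact]), reverse=True)


def heat_map_grid(risks):
    """4x4 grid of counts: row 0 = very high impact, column 0 = very low likelihood."""
    grid = [[0] * 4 for _ in range(4)]
    for r in risks:
        row = 4 - TIERS[r.impact]
        col = TIERS[r.likelihood] - 1
        grid[row][col] += 1
    return grid


def render_heat_map(risks) -> str:
    """Text rendering of the grid, impact on the vertical axis, likelihood horizontal."""
    grid = heat_map_grid(risks)
    lines = ["impact \\ likelihood | " + " | ".join(f"{n:>9}" for n in TIER_NAMES)]
    for row, impact in zip(grid, reversed(TIER_NAMES)):
        lines.append(f"{impact:>19} | " + " | ".join(f"{c:>9}" for c in row))
    return "\n".join(lines)


# Constructed sample register for the example (not from the webinar).
SAMPLE_REGISTER = [
    Risk("Loss of regulatory licence", "low", "very high", "high"),
    Risk("Ransomware on core systems", "high", "very high", "high"),
    Risk("Key delivery partner fails", "low", "high", "high"),
    Risk("Phishing of staff credentials", "very high", "low", "low"),
    Risk("Remote-working attrition", "high", "low", "high"),
    Risk("Office printer outage", "very high", "very low", "low"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{score(r):>2}  {classify(r):<18} {r.name}")
    print()
    print(render_heat_map(SAMPLE_REGISTER))
```

Running it lists the register from “Ransomware on core systems” (score 12, mitigate now) down to “Office printer outage” (score 4, a quick win because it is frequent, cheap to fix and barely matters), then prints the grid. The tie-break on impact is deliberate: “Loss of regulatory licence” and “Phishing of staff credentials” both score 8, but the licence risk is the one that can stop the business, so it sorts first.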
We ended our webinar with a short demo on how risk management can be done easily in a compliance system. You can watch Alexandra’s demo here, and if you have any questions or would like to discuss how the Complyon team can help with your risk management process, get in touch.