Organisations that have a low level of maturity when it comes to risk-based decision making have a lot of untapped potential. The explanation is in the tag line to my latest book Risky Business: How Successful Organisations Embrace Uncertainty. Developing a strong capability and culture of risk-based decision making lets organisations embrace uncertainty and achieve greater success. It just makes sense. The question is how many of the more formal risk management practices of risk registers, risk workshops, control testing, culture assessments and the like are needed to achieve it.
Consider my model of risk maturity shown in Figure 1: Risk Maturity. There are five levels of risk maturity tracking from Vulnerable to Agile. The overarching concept is that an organisation with a high level of risk maturity is more agile because staff at all levels of the organisation understand the risk associated with their environment, understand the board’s appetite for risk taking and can make decisions effectively and promptly.
Many people will say the aim of risk management is to create resilience. With my model the aim is to achieve resilience and move beyond that to become more agile. When I engage with senior executives of large organisations on enterprise risk, I ask them what makes a small business resilient. The answer they discover is agility i.e. its ability to adapt like so many have had to do these past 18 months just to survive. What I offer them is an ability to regain the agility they once had when they were a smaller, fast-growing organisation.
However, to deliver agility, the organisation’s approach to risk must be to minimise red tape to ensure it maximises insights into decision making, within a well-understood appetite for risk.
As can be seen in Figure 1. The use of an s-curve shows that to move from Exposed to Resilient can be done quite rapidly. Moving beyond Resilient to Agility has diminishing returns for the effort expended. And that is why organisations must carefully choose optimum levels of formal risk management. Too much and it becomes organisational drag. Too little and opportunities are missed while costly mistakes are being untangled.
You can check out more information on risk maturity here as well as my risk maturity model where you can take a short, 10 question self-assessment to place your organisation on my maturity curve.