Directors' Guide to the 5 stages of the Road to Risk Intelligence
The road to risk intelligence can be divided into five stages, each reflecting the different parts of an organisation’s journey towards awareness of its particular risks, maturing in its attitudes towards risk and achieving levels of competence in managing this risk through optimising its resources and capabilities. A company’s risk maturity levels can similarly be mapped against five characteristics: Risk Naïve, Risk Aware, Risk Defined, Risk Managed and Risk Enabled. But what does all this mean?
Simply put, when a firm is Risk Naïve, it will probably have no formal training or awareness of risk management. Whatever it does by way of risk management will in all probability be ad hoc and dependent on individual, instead of team, players. Things start coming together once it manages to get past this stage, and it moves to becoming Risk Aware. Here, risk management activities become apparent although they are still unfocussed and silo-based, with different business units doing things independently of each other. Risk management at this stage is not aligned to corporate strategy; coordination, monitoring and reporting functions are largely fragmented and not cohesive.
Should the firm persist in its risk management efforts, it will be possible for it to reach the Risk Defined level, where putting structures in place usually begins. Communication here may get quite intense, as discussions gain traction about how to introduce the appropriate frameworks, operationalise systems and deliver training. This is also where and when knowledge sharing and exchange of information across the organisation starts to happen in a concerted, structured manner. Documentation becomes more orderly and streamlined, and with the flow of data and information will come increased awareness of the need, use and value of risk management.
The firm’s staff will also realise the need to cast off the silo mentality that regularly permeates large organisations because this new openness lays bare the vulnerabilities of the organisation that can affect all its sectors. As the firm progresses on its Risk Journey, it begins to realise how far it can go with the resources it has; it has begun to measure its tolerance to adversity, and can now articulate how much risk it can take. In other words, it has identified its risk appetite. Identifying your risk appetite is an organisational milestone. It says a lot about you because it takes into consideration your competitiveness and sustainability, and how well managed you are.
Besides these, it is an indication of the level of corporate governance of the firm. A well-managed firm, with strong corporate governance, knows how much risk it can tolerate. This is based on its resources and the most current information that it has in the markets where it is present. These are imperative to its decision-making but it also needs competent management and clear direction from the Board – so that means senior management steers where the Board indicates the organisation should go.
It is worth noting that where risk is concerned, the tone at the top has the greatest influence on how the rest of the organisation regards it. In determining risk appetite, the company is moving concertedly to develop a risk culture that everyone in the company can readily understand, accept and support. They will, in effect, achieve a state of being truly risk-intelligent, for both their organisation and themselves.