Great organizations don’t avoid risk. Risk is simply uncertainty, and anything worth pursuing involves uncertainty. Risks can be negative or positive, so the conversation always involves threats and opportunities. To thrive, you need a solid awareness of the threats and opportunities you face and what you can do about them. In the past, we have emphasized the importance of a risk cycle, and we currently advocate a four-step cycle:
- 1 – IDENTIFY threats and opportunities faced by the organization across its functions.
- 2 – PRIORITIZE risks according to likelihood, speed of onset, and magnitude of impact.
- 3 – RESPOND to these priorities by avoiding unacceptable risks, reducing the potential negative impact of unavoidable risks, piloting opportunities, and shifting some risk to others where appropriate (using insurance, contract provisions, joint ventures, etc.).
- 4 – ASSESS and IMPROVE by evaluating how your responses have played out and how each risk can be better managed in the future.
Why is each step important?
You start by identifying. You ask questions of people throughout your organization to ensure that you get as much information as possible.
Then you prioritize. If everything is important, then nothing is important. So you rank your issues.
You respond, in order to fix problems, avoid threats, and develop opportunities.
You assess and improve, to see what works and what still needs work.
And then, most importantly, you begin the process all over again. You continue to identify issues, prioritize them, respond, and assess and improve. You build into your culture the habits of learning, exploring, questioning, and improving.