From reputation damage and cybercrime to workplace health and safety, NSW councils need to manage a diverse and expansive range of risks. And each organisation will do so differently.
So, have you considered the level of risk your council is willing to take or retain – and the specific risks you believe are worth controlling? And when it comes to day-to-day management, are you using the right tools for assessing these risks?
We sat down with Craig Hutley, Principal of Strategic Risk at Marsh Consulting Solutions – to ask him the tough questions on all things risk appetite.
Q. How do you know which risks are worth controlling?
A. Great question. Every time I present on risk appetite, I guide the executive team or board to ponder one fundamental question: what is the magnitude of the risk?
This involves considering how likely it is for any negative consequences to actually occur. By drilling down on the potential ramifications of each risk, you can identify which ones are worth controlling.
Q. How can councils assess their risk?
A. I find most organisations are not overly sophisticated in the way they manage strategic risks.
Typically, they’ll use qualitative methods. Because a lot of the time, they don’t have the resources or capacity to do more than this.
Unlike quantitative risk analysis, which uses numbers and verifiable data, qualitative analysis involves breaking the risk down and considering whether it will adversely or positively impact your objectives. From there, you can then explore the variables that create the risk. Understanding the control of the variables is the key to effective risk assessment.
Q. Is qualitative risk assessment enough?
A. Quantitative risk analysis – which often involves more ‘big picture’ thinking – should be the first step of a larger risk management process.
So ultimately, you want to reach a point where you also conduct some quantitative modelling. For example, using stochastic models like the Monte Carlo simulation. However, having a solid objective and consistent understanding of your risks and how to control them is often enough.
Q. Should teams conduct this analysis themselves – or outsource it?
A. This depends on the organisation. Some local government entities do conduct sophisticated quantitative modelling.
In other organisations, although someone might be wearing the risk manager’s hat, they’ll also be wearing five other hats. So they might not necessarily have the time and resources they need to conduct appropriate risk analysis. In cases like this, outsourcing could be the answer.
Q. How much of a risk should be controlled?
A. It really comes down to the level of risk you’re comfortable retaining.
For example, say you’re using a four-level risk grading system that’s categorised into low, medium, high and very high. If you’re okay with a risk at the medium level and that is where it is currently rated, then you don’t need to add any additional controls.
Whereas in another scenario you might rate your cybersecurity risk as very high. The solution? Investing more money into controls that decrease the risk to a level your organisation feels satisfied with.
Comfort levels around certain risks will vary from person to person and council to council. So it’s up to your organisation to come to a consensus on your risk appetite.
Q. Conversely, are there any risks that councils should be receptive to?
A. Yes, definitely. An example would be in the IT space, where you need to implement a new system. Perhaps it’s a customer relationship management system or an IT security system.
Essentially, you must accept a certain amount of risk because you don’t always know how that system will work out – or how well it will be implemented. You need to accept a grey area of uncertainty as you and your team navigate the new system.
That’s the paradox in the IT space. The risk appetite for cybersecurity needs to be at the avoid level. Yet to implement new systems, you must also be receptive to risk.
And this is often true when councils want to modernise or innovate. There will be some level of risk involved – but we could see this as necessary risk.
Q. Could you share any case studies or stories on successful council risk management?
A. Managing your risk appetite and having effective risk management actually creates an absence of stories.
I’ve got a host of examples of when enterprise risk management goes wrong. But when it goes right and actually works? No one sees it. There’s nothing to talk about.
Although, you will notice, for example, that your projects tend to come in on time and on budget.
Q. When do you know it’s time to move beyond Excel spreadsheets – to a more sophisticated quantitative system?
A. Once it becomes clunky and challenging to report on, that’s when I recommend a database system. There are lots of different options out there to explore.
However, it’s important to remember that merely inputting a qualitative system into a database doesn’t mean it’s quantified – in any way, shape or form. It still doesn’t involve a calculation of the risks that come under quantified risk modelling.
Even further, just having the ability to quantify risk doesn’t mean you’ll have a better understanding of your risk. I always focus on getting the mindset right. Understanding – to a degree of precision – the things that comprise a risk, as well as the causes, impacts and controls.
To learn more about how your council can manage risk, speak to your Statewide Mutual Risk Manager. Or call us on (02) 9320 2726.