The identification and mitigation of risk is a key factor in organisational strategy, and most risk registers favour a scoring/probability model, which has widespread application in larger businesses. At SME level the perception of risk is much more intuitive, simply because there is no defined risk person or anyone with full-time responsibility for risk measurement or mitigation. Instead, the cultural approach set by the owner/managers tends to keep risk at an instinctive level rather than following a measured probability/impact approach.
Different sectors have different approaches to risk, and compliance/regulatory risk may be given greater prominence than FMCG and stock obsolescence, so no one size fits all and some situational and proportional concepts have to be applied to the identification of sector-specific risks. Some risks transcend sectors, such as cyber attacks or liquidity risk.
Some risk can be classified using PESTEL or by breaking it down into operational/liquidity/market risk, and to some extent boards get a bit muddled regarding the appropriate level of risks and responsibilities.
At Board level we are talking about strategic risk, so brand/reputation, solvency and adequacy of resources (financial capacity, human capabilities, IT systems) would probably be the areas on which the Board would concentrate, and lower-level risk would be left to the executive. It is a case of knowing where the dividing line is between Board-level and operational risks.
Which brings me to the question of responsibility. Most risk registers specify certain key roles which, in truth, would only be available in larger organisations. Think about the size/stage of development: risk is probably uppermost in the minds of the owners/managers, purely because there is no one else, such as a CFO or a CIO, to whom risk management can be delegated. Resources for risk management are therefore an issue, as are the subsequent plans for mitigating the risks which are identified. These become fixed in the mind, so sometimes ‘risk antennae’ work overtime, which may lead to undue anxiety, so a sense of proportion is required.
My final comment is also about timing. Many organisations that do have specific people assigned as risk managers often forget that risk is a dynamic entity: various risks come to the surface at different times, and priorities and perceptions change, so using a scoring-based system means that probabilities and weighting factors need continual monitoring. And if one minimal risk suddenly turns nuclear, what is the communication channel available to let the Board know that this is now THE issue? I personally don’t think some risks can wait until the next Board meeting, so again, who at Board level is going to be the go-to person when unexpected risks emerge?
For this reason I also favour some form of traffic light system, so that if a risk goes into the red zone, or scores heavily on organisational impact, there is sufficient notice/concern that the risk mitigation strategies are immediately enacted.
Risk needs to be joined up between Boards and operations. I have seen instances where risks and perceptions differ depending on time, circumstance and mood, so having regular reviews and understanding what really matters is important.