Rethinking risk in a strategic way

Written by Russell Kenrick on 23 January 2017

Reading through the December issue of Raconteur, a supplement of The Times, one sentence from the article jumped out: “With the ramifications of leaving the single market still unclear, the onus falls upon chief financial officers to steer their companies through the uncertain times ahead.”

Managing risk is vital for global organisations, but many have very disparate ways of doing this. What’s needed is a cradle-to-grave process for managing risk. When starting a project, the first thing we need to do is understand why we are undertaking the project; we then need to look at what could stop it, what could support it, and what could happen in the future. We need to consider a process that is embedded within the organisation that everybody follows, and that can be tailored to suit the activity.

M_o_R Guidance for Practitioners [2] uses the term ‘management of risk’ to incorporate ‘all the activities required to identify and control the exposure to risk which may have an impact on the achievement of an organisation's business objectives’. The M_o_R approach identifies a number of roles within an organisation and defines their risk management responsibilities. It also considers risk from four perspectives within an organisation: strategic, programme, project and operational. It links to AXELOS Global Best Practice, while also respecting the roles, responsibilities and terminologies used outside the disciplines of programme and project management.

Determining an organisation’s approach to risk management and monitoring its risks often falls within the remit of a core team of individuals who might set up policies, procedures and frameworks to help direct the organisation's risk management strategy. However, responsibility for the execution of sound risk management activities and the operation of key control points falls on the wider employee base as part of their day-to-day activities. 

Without an effective training programme to help explain the value of risk management and to support business users in their individual responsibilities, there is a danger that risk management becomes an ancillary, informal function rather than a documented process that is embedded into daily business activities.

Where to start?

Embedding risk management into the day-to-day running of an organisation and driving individuals to consider the risks related to their actions are key to the implementation of a successful enterprise risk management (ERM) programme. Here are four starting points to embed and review the management of risk processes:

  1. Take a snapshot of what you are doing now and compare that with what you need to be doing in the future. The Home Office takes risk very seriously and is working to a maturity model for risk management so that it can continually improve the way it does things.
  2. The right documentation is essential. A documented risk strategy proves to an external auditor that the approach to risk management in your organisation is current best practice. Organisations commonly have a risk register, yet too often don’t know the difference between a risk management strategy and a risk register, or more worryingly, the difference between a risk and an issue!
  3. Training is likely to be needed to get companies to understand how to structure their risk management approach and then embed this into their everyday activities. Make sure training is effective. Users need to be helped through any transformational activities to understand the value of their actions or why change is required. Any training offered should be worded appropriately to demonstrate how it will aid end users in their roles so that it is viewed as adding value, rather than as one of many time-consuming corporate requirements. An effective training programme will meet the needs of a wide range of individuals who are often at different grades or levels within the organisation but, in many cases, have the same risk responsibilities. Risk management training should seek to cover not only the ‘why’ of risk management, but also how users can implement risk management practices successfully into their day-to-day activities.
  4. Drive cultural change from the top. This is more about education than training. Risk awareness needs to be raised considerably but this doesn’t have to be expensive. In fact, it should be owned in-house — you can get trainers and consultants in to explain the basics and then get the people who make the decision to own it and cascade the responsibilities down.

Risk management is a key component for successful project outcomes. Current best practice is to treat ‘risk’ as an uncertainty that could either be a positive opportunity or negative threat. All managers need to be aware of the need to educate their staff. Executive-level training in the form of ‘know your responsibilities’ is a useful mechanism to help management understand their risk responsibilities and those of their staff.


  1. The progressive CFO, December 2016
  2. M_o_R Guidance for Practitioners. Published December 2010


About the author
Russell Kenrick is the Managing Director at ILX. For further information visit or follow on Twitter @ILXGroup
