How to map the risks that could make or break your firm's strategy
By Louise Fleming, Partner, Aretai Consulting
Cast your mind back to the last time risk management appeared as an agenda item for your board or senior management team. Did the discussion identify the key risks the business faces in delivering its strategy? If so, did you come to an agreement on the priority risks to be evaluated in more detail?
The reality is that, for all but 'risk professionals', an agenda item to discuss key risks or an invitation to attend a risk workshop is not what gets them out of bed in the morning. This is because firms approach risk from the bottom up, not the top down, and from a compliance perspective, not a strategic perspective.
The starting point for risk management should be strategy. Renewed market confidence opens up new opportunities for legal and other professional service firms. As firms review their strategic options to maximise these opportunities, it is critical that they also manage the key risks to achieving them.
Once your firm has signed off its strategy and risk appetite through the appropriate governance structure, it should create a key risk map by identifying, prioritising and evaluating the risks to achieving its strategic objectives.
Gaining perspective
There can often be a lot of processes involved in the compilation of a robust key risk map. These are generally valid and valuable but, before you get sucked into them, try having a free-form risk discussion. Get everyone to do three things:
- work through the key components of your strategy and write down what could go wrong;
- admit the things that 'keep them awake at night'; and
- think about the major changes happening externally in the market and how they are impacting the business.
The sorts of risks you discuss should include merger integration, international expansion, lateral hires, new pricing models, information security, culture and regulatory change. These are examples of the highest level of risks you face - your key risks, the risks that will make or break the delivery of your firm's strategy.
Picture the scene: your management team have spent the afternoon working through a detailed bottom-up risk identification process. They have examined the risk register and various contributions from different business units, but ended up with a list of risks that don't ring true. They move on to the bar next door and, over a glass of wine or a beer, the conversation moves to "of course what will really stuff us is…" and "what really worries me is…" These are the key risks that the business faces and should be reflected in the firm's risk profile.
Mapping risks
Such a free-form starting point does not mean that the risk mapping process is not necessary. The 'valid and valuable' process referred to above should include the following.
- A risk index listing the relevant categories of risk, as well as a clear definition of each risk. This is important to ensure completeness and clarity. It is absolutely critical to ensure a consistent approach for larger firms where the risk profile may be repeated in more than one location or service line.
- Reference to risk identification sources such as risk events, breach reporting and detailed risk registers. Risks that are either very high impact or lower impact but occur regularly should be captured and used to cross-check that you have the right top-down list of risks.
- Reference to external sources, such as the SRA's Regulatory Risk Index. This should also help you to identify new or emerging risks. A word of warning though: the regulator's risk index provides a catalogue of risks that could impact on its business, not yours.
Once you have completed the top-down review of risks and cross-checked it through a robust challenge process using other risk identification information, the next step is risk prioritisation.
Prioritising risks
As an overall goal, a risk map of the firm's top 10 risks should be your desired outcome. Of course, this does not mean that you ignore risk number 11 or 12 if it is particularly significant.
The process to get there requires a system of scoring each risk to prioritise it in terms of impact and likelihood. There are various tools which you can use to do this, but a transparent process is important to ensure the board, senior management and key business stakeholders can be confident that risks are being managed effectively.
Once you have identified and prioritised your top 10 risks, the next challenge is to evaluate them in more detail. Following on from this comes a focus on controls to mitigate and manage risks, and monitoring and reporting of risk and controls, but these steps are only meaningful if you have identified the right risks in the first place.
Louise Fleming has 20 years' experience working with professional and financial services firms in business and risk management (www.aretai.net)