Managing Internal Risks: Why do Internal Risks Matter?

Building risk resilience from the inside

Why bother looking inward when external risks seem so pressing?

The answer is straightforward: you're only as strong as your internal structure. Studying how to manage floods in your neighborhood is only so helpful when your house is on fire.

The role your people play in preventing or enabling risks, for example, should not be underestimated. Huge scandals in the press don’t always start out on the front cover of national newspapers – internal risks can be insidious, starting as small as rumors, a white lie in a meeting, or a statistic or number entered incorrectly.

The culture of your organization makes or breaks your risk management strategy. People raising their concerns when small risks arise, and not staying silent, can be the difference between no issue at all and a much larger risk that spirals out of your control.

Think less “if it happens” and more “how it could happen”

Not seeing risks doesn’t mean there are none – it means you’re missing something.

We mentioned earlier that internal risks can be insidious, and it’s really a perfect way to describe them – the changes are so gradual you may not recognize the risk until you’re in its headlights. This is where psychological factors like confirmation bias can also play a role. If all your metrics are going green, it's easy to ignore that one red flag waving in the wind.

Secondly, where there are people, there are risks. Humans and human behaviors are messy, and the business of doing business always comes with human risks.

Essentially, risks are always present – determining whether risks need to be mitigated, or managed with regular oversight, requires full visibility into the risks facing your organization.

Let’s break down the types of internal risks you might be dealing with:

Immediate risks

These risks demand urgent attention and action as they are likely to escalate quickly. They also pose danger for the business, your people, or both. Immediate risks are also the hardest to anticipate, so procedures defining how they should be handled need to be prepared long before they have a chance to happen. Think of these risks as flashing red lights that get the emergency service team on the move ASAP. That emergency service team has to know exactly where to go and what to do.

Examples

  • Incidents involving gross misconduct, violent assault or harassment
  • Illegal activity, such as embezzlement or extortion
  • The discovery of a dangerous artifact onsite
  • A major data breach

Evolving risks

These are risks that aren’t unheard of, but they can be managed with good processes and regular review. They are things that could happen but aren’t necessarily happening today. These risks often start out small and become larger issues over time, like a weed growing in your garden. They often affect teams over extended periods, risking attrition, poor morale and reduced productivity if they aren’t kept under control. A healthy workplace culture where your people can have open conversations about workplace issues before they become longer-term problems will help manage these kinds of risks.

Examples

  • Project goalposts shifting over time and beginning to put your SLAs at risk
  • Poor budget management and oversight of spending month-on-month
  • Inefficient communication and operations – and a struggling pipeline
  • Ongoing resourcing issues and stressed, unhappy employees
  • Data or knowledge silos causing delays in your production cycle

Situational risks

These are risks you can’t prevent and sometimes can’t anticipate. These risks may originate externally, but can have huge internal repercussions for your organization and the communities, regions and industries you work in.

Examples

  • Regulatory-related risks, including legislative updates or new requirements affecting services or processes internally or with third parties and suppliers
  • An economic downturn forcing you to cut budget areas – this might include employee perks, events or even headcount
  • Geopolitical conflict requiring an urgent rethink of the countries you work with or hire from, including, but not limited to, sanctions
  • Natural disasters or health-related crises in a particular area where your business operates

Kickstarting your internal risk assessments: where to start

We’ve examined the types of risk your organization might face that originate in or impact your internal operations. Now the key is to start laying groundwork you can build on as part of your management of internal risks. Once you know where to look, you can more easily identify what steps to take.

  • Start with an internal audit – Before you can manage risk, you need to know where it exists. Enlist your compliance, finance and HR departments to provide an overview of existing procedures and policies so you can see how risks are handled right now.
  • Employee feedback – Your team knows your internal workings better than anyone else. Make use of anonymous surveys or open forums to get insights into possible areas of concern.
  • Identify critical assets and processes – What are the non-negotiables your business absolutely can't function without? Make a list and start from there.
  • Assess historical data – Look into any past incidents that could point to potential risks. Even small issues can serve as indicators for larger, systemic risks.
  • Prioritize – Not all risks are created equal. Use the data you've collected to categorize risks by their potential impact and focus on the ones that could hit your organization hardest.

Once you've gathered this initial information, you'll have a solid base to start formulating a more comprehensive risk management strategy. Remember, the goal is progress, not perfection. Every productive day starts with a well-organized to-do list.

The heart of the matter

Whether internal risks manifest immediately or evolve over time, they are a part of your organization's fabric. Being proactive in identifying and managing them not only prevents potential damage but also fortifies your operation against external uncertainties.

Remember, situational risks may come from outside, but their impact reverberates internally. As much as external issues may dominate the headlines, it's the internal mechanisms that often dictate how resilient an organization truly is. Being vigilant in identifying, categorizing and acting on internal risks enables you to steer the ship with precision, even when unexpected storms hit.

Ultimately, your internal operations set the stage for how well you can manage external risks – and that’s why your internal compass should point just as clearly as your outward radar.
