Risk management; using organizational review approach

In 2012, my firm, Summit Consulting Ltd won a bid to formulate a risk management strategy for a government institution. This is our first assignment. Being the team leader, I had to research extensively as you can imagine — just looking for a process that works. My key questions were: “How and where do I start from?” As a consultant, I am expected to know more. And I had one chance to prove my competences and those of my firm, www.summitcl.com.

As the firm leader, we spend thousands upon thousands of dollars finding for a system that works all the time. At first, most of the documents available on the Internet were just standards, theoretical models and presentations and general writeups about risk management. I am happy to tell you that we finally found a process that, if you implemented well, risk management become very easy. This process is briefly explained below. If you want the whole kit, risk management tool kit, do not hesistate to contact me and start earning more money as a risk management consultant yourself!

You are a newly recruited to start a new risk management department from scratch, how do you go about this? How do you implement the risk management department from scratch. Whether you are a consultant hired to set a risk management department or a new recruit, the insights in this article will provide you with the right road map to achieve your goals.

Current state assessement

The first step is to undertake deliberate understanding of the organisation — the strategy, governance structure and existing control systems, who is who, the Board awareness of the business, committees of the board, and the people behind the need to set up the risk management department. Is it the Board? Is it the CEO or it is regulatory requirement for the business to continue operating.

Understanding these and more helps you know who to put on your side to ensure the project gains the top management support that is needed for its success. In undertaking the current state assessment (CSA), you are collecting critical  information about the organization. Having a one-on-one discussion with different staff as you review the documents, is critical. You could make an appointment with the MD, Internal Auditor and the department managers to gain unfiltered opinions on how they see the business where it is coming from and where it is going. Such discussion helps you gain instant connection and networking with the top company leaders. You want to ensure that everyone is involved so that they are not taken by a surprise. As you meet them, you explain briefly, what risk management is, your expectations after having understood their expectations as well.

What is the purpose of risk assessment?

Risk assessment is about managing critical risks that could cause the downfall of the organization. You want to understand what the key success factor for the business is. Meaning that for the business to win, what things must it be good at?  For these things that the business must be good at, what has the organization done to ensure that these do not fail. You may find that a given company has a server which is very essential. Then you are trying to see whether all leaders appreciate that the server is critical for the on-going concern of the business. What kind of investment do you make to ensure it is safe? If the server is not safe, it is still exposed to risks of theft, water spillage or black-outs. There have to be mechanisms in place to ensure that critical assets of the organization like computers are well stored. The information is backed up regularly so that any of crush, it is not lost completely.

Why carry out documentation review?

In your current desktop review, you want to understand whether there is awareness among the top staff about risk management. But also you are trying to find out whether there have been any discussions and concerns about risk. Is there any evidence of some risk culture? You are doing organizational readiness assessment towards risk management, what are these people’s backgrounds and experience? Do these people have any thinking about risk management? Would they appreciate effort in overcoming risks?  Of all these people, who would be a risk champion/s? Someone who will ensure that any new staff are trained about risk so that they make it as part of their day-to-day activities.

Organizational review is very critical because it helps you understand what is currently in place. This is why we carry out current risk assessment to know where we are now and how far behind we are against best practices — once you understand the current status, you are able to ask yourself ‘what is the ideal situation’ or best practice for this kind of company. What should be in place to attain excellence in risk management? You have interviewed people and taken notes and therefore have a clear picture of where the organization is not only in terms of governance but also risk management.

For organizations that are well governed and have managed risk, you have a list of what is expected in place — that is what we call best practices or leading practices. The next step is to perform a gap analysis. The process of analysing what is in place and comparing it to what should be in place is called ‘gap analysis.’

The reason why you are doing risk assessment is get the ideal picture for the company by moving it from where it is to where it should be. The entire risk management process therefore is to close this gap to make ensure that you have clear a step-by-step risk management strategy.  This takes a lot of organizational change because depending on the size of the gap, you have to articulate what kind of resources you need and the support you need. You have to undertake budget analysis – what activities would be required and how much will it cost?

Does the organization have the resources to ensure effective risk management implementation?

Unfortunately, many organizations confuse risk management strategy with an implementation plan. The two are diffent and will be discussed fully in the next post.

Copyright Mustapha B Mugisa 2015. All rights reserved. You are free to share with appropriate attribution.


Would you need a risk management tool kit — an editable word template with clear guidelines of developing a robust risk management strategy – containing policies and procedures, key risk indicators, risk appetite, risk culture, risk strategy, risk register and risk strategy implementation plan template? Save your time and energy and get a tool kit that will position your risk department for unprecedent success and save your organisation money.

A consultant will charge you US $20,000 or more. The risk management toolkit costs just US $1,500. For a sample, email mugisa/at/mustaphamugisa/dot/com

About M. B. Mugisa

Mustapha Barnabas Mugisa is one of those rare people who provides business consulting and advisory to professionals and corporate entities who demand the very best. He is a prolific speaker and governance (strategy and risk) expert. His speaking involves making key notes at major conferences and business events on both technical subjects and leadership skills. A change agent and motivational speaker. Mustapha provides tools and proven methodologies to remarkable results through making people appreciate change. Visit Mustapha's LinkedIn profile to know more. Mustapha is the architect of #WinningMindset Leadership and #WinningTheGame strategy approach that combines Harvard Business strategy Playing To Win, with the Blue Ocean Strategy and Balanced Score Card to deliver a strategy that is easy to execute and monitor. Visit www.mustaphamugisa.com for special insights to improve your condition. Are you too good to be great?

Entries by M. B. Mugisa