Tinkering around the edges or an integral part of business?

Risk management needs to be integral to all public venues, sport and leisure businesses.

The success in applying risk management varies considerably throughout these industries. While many organisations have been applying some form of risk program for many years more seem to be asking the question of 'why is risk management not working for us?' The answer may be that they are tinkering around the edges and that risk management is not an integral part of business!

What is Risk Culture?

Part of the answer lies within the definition of risk management in the Australian Standard AS4360. Successful risk management requires not only establishing processes and structures for analysing risk but also requires the nurturing of a certain type of culture. Under the Standard, risk is defined as threats and opportunities to achieving objectives. This suggests it is not just about finding things that can go wrong; but applying a systematic process to making good decisions and prioritising efforts toward the things that matter most. Organisations with a mature risk culture often use risk processes in strategic planning and in making good investment decisions.

Sport, Leisure and Public Venues can learn much from the banking and finance, oil and gas and rail industries, on how organisations have been forced to mature their risk culture. ‘Risk culture' is intangible, representing the collective values, attitudes and beliefs of an organisation. However, it is the behaviours that result from these variables that count, and they can be measured.

In a practical sense this means that the words and actions set by an organisation's leaders have an enormous impact upon their risk culture. The performance management system that measures manager and staff performance and enforces accountability, should also reflect the expected behaviours that support a risk culture.

Industry Drivers

While there has been a distinct lack of drivers of risk culture in the Sport, Leisure and Venues industries (apart from health and safety) this is starting to change. Insurers are now demanding more detail of risk management processes and industry bodies are increasingly interested in safety, security and liability issues.

In addition, Australian Stock Exchange (ASX) listed companies are now formally required under Principle 7 of the 'Principles of Good Corporate Governance & Best Practice Recommendations' to report on their risk management systems and oversight of all major risks (not just financial) that have the potential to affect share price. It will only be a matter of time before those ASX listed companies that are also sponsors of sport, entertainment and venues will require an understanding of the risk management systems of sponsorship recipients before handing over valuable sponsorship dollars.

Enterprise-wide view of risk

While economic rationalists could argue that all risks can ultimately be measured in dollars, there are many other risk categories that should be on the radar of an organisation's leaders through a structured risk management process. Apart from financial risk, other categories of risk may include brand value and erosion. For most sporting organisations and major sporting events, their image and reputation and those of the players, are arguably their most valuable asset. Yet, do sporting organisations link image and reputational risks into their formal risk management process across the business? Other risks include operational disruption through emergencies, crisis, loss of people, technology, facilities, supply chain or loss of information. There are also risks associated with regulatory or commercial compliance, and of course health and safety and common law duty of care.

In all risk categories, those organisations whose leaders have an interest in risks to the business, and set in place systems to identify, analyse, control, measure, monitor, integrate, report, respond to change, and install accountability at all levels, are more likely to foster a positive risk culture.

What Defines Risk Cultural Maturity?

A positive risk culture is not an absolute end point, but rather it is characterised by the organisation's movement through various phases.

  • Initial - Defining a list of risks and basic controls
  • Repeatable - Establishing basic systems for continuous improvement
  • Defined - A change from specific risk category focus such as safety, security and insurance to Enterprise-wide risk management
  • Managed/Optimised - Sound business decisions are made based upon the opportunities and threats presented. Risk management is fully integrated into the planning processes leisure industry operate their risk management programs at the Initial and Repeatable level.

What Prevents Growth of the Risk Culture?

There are many factors that restrict the growth of the risk culture. Apart from the lack of senior management leadership, some of these are explored below.

Managing Risk at the Source Organisations that tend to mature their risk culture typically have dedicated risk custodians such as risk managers, OHS Managers, risk consultants &/or internal resources that drive the risk management system. However, a common misconception is that these people are responsible for the management of risk. In reality, risk is best managed at the source where it occurs. A risk custodian's role is to develop, implement, monitor and communicate the risk management system across the business. They provide the tools to let managers manage. They provide reporting systems for senior management to understand the significant risks to the business and have a sound understanding of their controls, effectiveness and the vulnerabilities that have the potential to impact significantly on the business achieving its objectives.

Senior Reporting Line Organisations that have the risk custodian reporting to a low level in their organisational structure imply that the organisation is only interested in bottom-up risk management (operational disruptions and controlling hazards) rather than taking a genuine interest at a senior level. As a rule of thumb, the higher the reporting line of the risk custodian, the more seriously senior management take risk management. The resulting impact on risk culture was outlined earlier.

Loss Control v Enterprise For many organisations in sport, leisure and public venues, their risk management focus is largely on mitigating losses. There is a heavy focus on public safety and OHS, physical security, property damage and risk transfer through contracts and insurance. Organisations that move along the risk management maturity model look at integrating their risk management processes and systems. A simple example is by combining and calibrating enterprise risk management categories into the risk assessment matrices so that health and safety risks or security risks can be compared against operational disruption, event/project, financial, legal or reputational-based risks. Managers can then prioritise their limited resources against controlling all significant risks and not be swayed by the person who speaks loudest.

Risk Metrics and Measurement Risk and their controls can be measured. To quote an old adage, 'what gets measured gets managed'. Many organisations go through a process of risk assessment but do not put anything in place to measure the effectiveness of controls. For events, the measurement of queue times at intervals prior to the event is a good customer service performance indicator. If providing high standards of service to the paying customer is your objective, then this clearly helps measure a risk control. Number of complaints, incident reports, queue times and customer surveys are all examples of risk-related service-based performance measures. If your objective is hosting a successful event, then the length of critical task delays on the event planning schedule, number of contracts at risk or number of contracts unsigned, are all examples of event project risk performance indicators. If brand exposure, revenue and profit are your objectives, then the number of internet hits, daily sales figures or sales per person are strong performance indicators of revenue and marketing success. If brand enhancement and reputation are your objectives then the number of media reports (positive and negative), number of sponsor complaints, number of contracts lost and their value, may also be measured. The key is identifying the measures that are important to achieving business objectives and then focus on the effectiveness and integrity of the data collected. Some industries define lead indicators and lag indicators for measuring risk controls but this is another subject for another day.

80/20 Rule In identifying what is important, it is essential to remember that in risk management the 80/20 rule applies. That is, 80% of your risk profile is represented by only 20% (or less) of all business risks. So if every risk that is identified must have a formal risk control, then you are probably wasting resources on risks that are not important and imposing a process that is not actually risk based. Organisations struggling to improve their risk culture are better served by spending their resources on risks that are important.

Confusion over Terminology Many organisations within the leisure industry confuse risk management terminology, so organisations should develop a framework that explains, in simple terms, how risk is managed in their business. It should include: definitions, terminology, methods, reporting lines and risk acceptability criteria. It may also include strategies that the organisation uses through its risk management system. These might include risk and safety training, incident reporting, document control, contractor management, insurance and so on. It should be relevant to the business and implemented through a consultative process. Organisations that confuse risk terminology will struggle to mature their risk culture.

Risk Management's Perception on the P&L and Balance Sheet Organisations that see risk management as a painful administrative burden typically perceive it as a compliance exercise that is a cost to the business (an expense item on the P&L). However, as the risk culture matures, risk-based decision making (looking at opportunities and threats) and use of cost-benefit analysis can also add to the revenue opportunities on the P&L and help accumulate assets and equity on the balance sheet. Perceiving and promoting the value that risk management adds, and not the expense that it creates, is another important means of building the risk management culture across the organisation.

Risk Management Breakdown - The Vicious Cycle Finally, one major blockage to progressing the risk management culture is the vicious cycle that many organisations are locked into. It begins because risk management is perceived as not adding value to the business. Because management do not see this value, they do not allocate sufficient time to it. There is little time each week or month dedicated to systematically understanding the risks and control strategies that are being adopted in their business. They therefore do not establish formal risk reporting structures and do not allocate the resources necessary to implement a risk management system properly.

Here, 'you get what you pay for' and the value is not achieved. Management therefore remain unconvinced.

This cycle can be broken in three ways. Firstly, a major incident can occur and this is one way to focus your mind, the media, the public and Government. There are numerous examples of this across industries that have spurred improvements in risk culture in Australia: the NAB traders scandal in banking, the Longford Gas Plant disaster in oil and gas, the death of a patron at the Big Day Out and death of a marshal at the Formula One Grand Prix.

Secondly, new systems can be implemented to better analyse and report on risk. These might include development of risk registers, incident reporting, integrating quality, safety, environmental and risk management systems.

Thirdly, the personal conviction of the CEO and Board can have a profound impact upon breaking this vicious cycle. 'If the boss says it is important - it is important.'

Risk culture must be led from the top. Without visible senior management leadership and commitment to risk management, organisations will struggle to progress down the risk culture maturity continuum. The challenge for the sport, leisure and venue industries is to learn from the experience of others and not wait for the incident to drive the change. Risk probability is defined as one in a something....i.e. 1/10, 1/1000, 1/1,000,000. That means that 'the incident' always has a chance of happening. Unless you shut the door and turn the lights off permanently, you are always exposed to risk. The remoteness of 'the incident' may not be as remote as your gut feel suggests as risk matrices lose their effectiveness for risks that are of low likelihood but very high consequence. The choices for organisations are simple: do nothing; choose to implement cursory risk systems and controls; or understand these risks and help influence their impacts.

The former are those organisations that tinker around the edges and the latter have made risk management an integral part of business.

Wayne Middleton Principal