Facilities Matters - June 2018

HAVE YOU always wished that you could see around the corner or be able to document the challenges ahead for your organisation? If we could accurately predict ahead, then there wouldn’t be a need for managing risk.  Some financial organisations make a lot of money by trying to predict what’s going to happen and the impact that it will have. The majority of us, however don’t have that insight so we have to rely on tools and processes to mitigate and manage the risk.

There will always be businesses failing with some having a greater impact than others, as in the case of Carillion, and incidents that impact on individuals, organisations and society as a whole. After any incident or accident, one of the first questions asked is “Where’s the risk assessment?” We all live everyday with risk as part of our lives. For example, crossing the road, pull out of a junction or questioning if you should leave the washing on when you go to work. In most circumstances our assessment and reaction to risk is unstructured, undocumented and occurs in a dynamic fashion.  

Organisations of all types and sizes face internal and external factors and influences that make it uncertain whether (or when) they will reach their objectives.  Controlled risk taking is at the centre of all commercial activities, but by taking steps to identify and manage those risks gives us more control.  

Managing risks

Managing risk is an essential part of governance and good management practice at local, divisional and organisational levels. So how do we go about managing risk? Good practice would be to follow the appropriate International Standard and in the case of risk that is ISO 31000. This will ensure that the organisation has a framework and process for making sound decisions.  

ISO 31000 is structured to provide a set of principles, a framework and a process for and practices for the design, implementation and maintenance of a risk management system in an organisation.  The standard is designed in such a way that it can be applied across all parts of the business and integrates all operations; tasks and processes within it. ISO 31000 does not replace specific risk management techniques or actions such as fire risk assessments, health and safety or Display Screen Equipment. But it provides the framework to compliment and encompass these individual processes into an organisational wide structure.

IF we tried to manage out every single risk to the organisation there would be no time for the organisation to focus on its core objectives. So, a balance has to be struck between trying to identify every possible risk no matter how small to not losing sight of those risks that may be very unlikely but would have a significant impact upon the organisation if they were to occur. This is where an effective system to rate risk becomes essential and allows the organisation to focus on risk what could have a significant business disruption impact. 

Once the risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four categories:

• Avoidance – eliminate, withdraw from or not become involved;
• Reduction – mitigate by putting controls into place;
• Sharing – transfer via outsourcing or insuring against; and
• Retention – accept and budget

However, there are always those circumstances that are out of the organisation’s control that will come along and hit you when you’re least expecting it and therefore it’s essential that as well as a strong risk management process your response is managed by an up to date Business Continuity Plan (BCP) for when things happen outside of your control.

There is lots of advice available on how to manage risk; recently the BIFM launched its latest Good Practice Guide on the subject, which was called GPG Risk Management and can be found online at www.bifm.org.uk/bifm/knowledge/goodpracticeguides. 

Stephen Roots is president of the British Institute of Facilities Managers. For more information, visit www.bifm.org.uk