How to Manage Risk (Using OKRs)

Risk is a necessary part of any operation. It’s also inevitable, because no one controls everything. Risks can be things you control directly (how many layovers you have flying from A to B) or things you can’t (the weather). How does your organization approach risk? Do you understand the different types of risk? What is your process to manage risk?
Risk management is a framework most commonly used in cybersecurity and financial teams within organizations. It exists to anticipate and protect an organization from harm—methodically. In this article, we’re going to talk about why risk management is important, the different kinds of risk management, and how OKRs can help companies better manage risk.

What is Risk Management (RM)?

At its core, risk management is about how to avoid risk, what could go wrong, and how to prevent it. This includes identifying risks and analyzing or evaluating them, to prioritizing how to respond. In most cases, RM refers to financial risks to a business or organization.

Is Enterprise Risk Management (ERM)different from traditional risk management?

Businesses manage risks daily, so how does enterprise risk management differ from risk management? Under more traditional risk management frameworks, specific departments or stakeholders are responsible for managing the risks under their purview, e.g., the CTO with cybersecurity, the CFO for cash flow and finance, etc. With ERM, organizations establish the biggest potential risks that could affect the company’s most important goals and objectives. This allows for more overlap of the people responsible for managing the risks and less siloing than a traditional RM model.

Is Integrated Risk Management (IRM)different from traditional risk management?

Based on the belief that organizations need a more overarching view of their business to manage risk, IRM integrates decision-making and performance via a set of processes and procedures to allow organizations to factor in strategy, response, assessment, communication, monitoring, and technology into their risk management strategy.

Why is Risk Management Important?

Expect the best, prepare for the worst. We never want anything to go wrong, but chances are high that something will at some point. The most successful organizations prepare for uncertainty and are better able to respond when it happens. Beyond just asking “what if?”, risk management is a framework for addressing real threats to your organization. Cybersecurity, financial upheaval, legal action, even natural disasters or human error. Your ability to mitigate these risks quickly and smoothly can be the difference between flopping, surviving, or thriving.

To understand if you’re properly prepared to manage risk, first assess your risk appetite and risk tolerance. Consider different types of risks:

  • Risk Appetite: How much exposure to risk can you handle?
  • Risk Tolerance: Should something negative occur in your business, how much of that can you accept? What resources do you have in place to tolerate that risk?
  • Different kinds of risk: The most common types of risk organizations consider:
    • Strategic: Anything that might derail strategic goals
    • Operational: Loss due to failed internal processes, labor or materials shortage
    • Compliance: Regulatory changes, legal proceedings, liability, etc.
    • Financial: Loss of earnings, tax law changes, inflation, etc.
    • Social and Reputational: What people say about your organization on all platforms and places
    • Cybersecurity: Keeping out hackers, malware, ransomware
    • Health and safety: The physical, chemical, and biological safety of employees inside and out of the office

What are the five phases of a risk management framework (RMF)?

Implementing an RMF is important to protect your organization and give you the steps you need to identify, analyze, evaluate, modify, and monitor risk.

1. Identify the risks: What are all the risks that could affect the company?
2. Analyze the risks: What’s the likelihood of that risk occurring and how would it impact the organization?
3. Evaluate and rank the risks: Which are the most pressing and need to be handled sooner than later?
4. Modify or eliminate factors for the risks: What risk factors can be mitigated or eliminated now? What processes can be put into place to protect the others?
5. Monitor and review the risks: Constantly assess and communicate with teams to stay on top of potential threats.

How can OKRs (Objectives and Key Results) help companies manage risk?

Often, the teams responsible for analyzing and identifying risks can be separate from the ones who are responsible for delivering the work. How do you keep a large organization moving towards the same outcome, staying mindful of the biggest risks? OKRs can help.

Here’s an example of an OKR where risks are balanced with growth:

O: Increase sales by 50% over last quarter.
KR1: Generate $10 million in sales.
KR2: At least 10% of sales must come from returning clients.
KR3: Increase customer satisfaction to 90%.
KR4: Monthly training sessions for sales teams increase the number of follow-up meetings by 20%.

This team understands that driving up sales at all costs can lead to costly sacrifices in other critical areas. So in addition to quantifying their sales target, they address quality by including a KR on customer satisfaction and another improved sales training.

The problem of managing risk can become complicated when one team, such as finance, uses different technical language than say, an engineering team. Cutting through jargon makes goals and definitions of success so clear that it can help surface risks sooner too. OKRs use simple, everyday language to tie strategy to execution so they can be understood from any vantage point within the organization.

Other ways OKRs can help with RM include:

1. Real-time tracking: OKRs help track risk in real time because they are measurable, verifiable, transparent and have a built-in monitoring process called CFRs (Conversations, Feedback and Recognition). When the city of Syracuse needed an emergency response plan during the height of the COVID-19 Pandemic, they used OKRs to aid their response and reopening plan. This included using OKRs to set and adapt important metrics, such as how much PPE the city had or needed to source based on real-time case counts.
2. Balancing quantity with quality criteria for success: While OKRs are often ambitious, pairing a quality KR with a quantity KR helps ensure you don’t overlook something important. Back to the Syracuse example, they adjusted their KRs to meet present realities, changing their financial stability Objective to accelerating spending cuts (specifically reducing spend 10% across the board) and increasing revenue with a quality KR consideration for how the pandemic had affected each area. This helped them stay not just productive but focused and astoundingly keeping the city’s long-term bond rating the same as it was pre-pandemic.
3. OKRs balance the tension between failing to spot a risk and failing to take a risk: In order to grow, every organization needs to take risks. Some risks are so big that failing can harm the organization. But if the risk pays off, the benefits and rewards can more than make up for the potential harm. On the other hand, trying to avoid all failure is a different kind of risk. This is where OKRs can help. Because OKRs are collaboratively set, aligned through every part of the organization and transparent, they complement your RM or ERM framework. This allows you to balance high risk/high reward efforts with measures put in place to help you be more strategic and accountable when taking those big risks and getting them to pay off.

Conclusion

If you’re implementing a Risk Management Framework or Enterprise Risk Management strategy, consider pairing it with OKRs. If you’re ready to use OKRs to help you manage risk, take our OKR 101 course or sign up for our Audacious newsletter.