Risk management

3 Risk ownership in a matrix business

As discussed previously, many businesses today operate a matrix structure. Put simply, this means that the typical employee has two reporting lines: one to the business unit in which they work and another into the function to which they belong.


Transcript: Video 3 Matrix structure

When a small business is formed, whether a sole trader, partnership, or limited company, proactive risk management is normally the furthest thing from the mind of those running that business. Generally, there are more pressing priorities. Winning business, producing products or services, and generating cash are just some of the things that will come before managing risk. And yet, it is not proactively managing risk that often results in company failure.
Many small businesses fail because a risk they have failed to recognise or failed to manage has materialised, potentially in a way that was not expected, and has consequences too big for the business to cope with. This is all too common when you consider risks around business continuity, specialist resource or knowledge, and technology transfer, when small businesses may not have the finances to mitigate to the level they can find acceptable, so often find themselves resigned to accepting.
However, this does not mean that small businesses should undertake risk management. Undertaking risk management enables a small business to understand the risk it faces, prepare as best it can, and recognise those things that are beyond its control. It can allow for some coordination of risk activity through the use of a risk register and provide input into forward planning to reduce risk or avoid risk going forward.
Demonstrating good risk management can also help support the investment process, showing potential investors that the company is well-managed and is considering factors that may take plans off course and, of course, addressing those things. Good risk management may also save money, reducing the size and scale of events, but also, in some cases, through real cost savings, for example, in reduced insurance premiums for having appropriate risk response and recovery plans in place to manage business continuity.
As a business expands, the need to formally consider risk becomes more apparent. When more than one location exists for the business, those that run the business need to consider how communication will be managed across the sites. What will be managed locally, and what will be directed by management?
In terms of risk, consideration needs to be given to whether risks will be centrally described (is the risk the same in all locations), assessed (so do all locations face the same risk), and treated (so do all locations need the same treatment), or whether there should be a degree of local impact to the risk activity.
Inevitably, some action will be required locally. So, for example, it will be shop assistants who implement food hygiene controls in a chain of grocery stores. And some degree of review will be required centrally. In a similar chain of grocery stores, the general manager might arrange for routine servicing of all refrigeration. And in practice, a number of factors will play a part in determining the balance between central and local risk activity.
As with our example of a small business, at this stage in the company's growth, there is not the need for dedicated risk professionals. And risk activity will fall to other managers within the business. When a business begins to diversify, it really needs to know whether it understands the risk profile it now faces. At this point, it can often quite quickly move into a totally new area of risk, which it has failed to appreciate.
The same is true when external factors create an industry shift, which can create a new normal for the business. When embarking on such a move, even if it is within the same industry (so, for example, when vertically integrating activities), the company should ensure a thorough understanding of the risk forms part of the business case and that those new risks have been accepted by the right people within the company.
At a certain point, the activity of the company becomes too large for the company management and owners to be able to review risk solely through the activity of non-risk managers undertaking risk work. There is also a very real risk that when too many people are undertaking risk work without the focal point of a risk manager, activity will become uncoordinated, lose value, and, at its worst, not correctly inform the company management of the risks being taken.
Prior to reaching a point where control is lost, the company should invest in risk management. Initially, this may involve just one risk manager, often reporting in through the finance function and usually linked to a network of people who are involved in risk management in the company. There may also be a need to employ people for whom a large proportion of their activity is about managing risk. So, for example, a health and safety manager or a financial controls manager.
As the company grows, there will generally be a need to grow the risk team. And this will often be proportionate to the amount of risk the company is willing or able, as in highly regulated industries, to take. However, generally, risk teams represent a very small number of the total headcount within a company; even a big corporation effectively manages risk with less than 50 people dedicated to risk management.
Risk will continue to grow proportionally within the company. However, it is at the point where the company evolves into a matrix organisation that risk must evolve to meet this organisational change. Generally, in a matrix organisation, business units or divisions are supported by functions or service lines. So, for example, HR, IT, finance may all be functions that support a business unit.
For the risk organisation, key challenges must be addressed to ensure success. These are: How is a risk managed when it resides in one business unit? How is a risk managed when it resides in one business unit and needs the support of at least one function? How is a risk managed when it resides in more than one business unit? How is a risk managed when it resides in more than one business unit and needs the support of at least one function?
How is a risk managed when it resides in a function? How is a risk managed when it resides in more than one function? How is reporting managed for the organisation?
When the dimensions of the matrix are mapped, understood, and agreed, then risk can work successfully in a matrix organisation. However, until this has happened, and sometimes if it is allowed to evolve in an organisation, it can be confusing and even chaotic, reducing the company's ability to effectively manage risk.

End transcript: Video 3 Matrix structure

Businesses that operate in such a fashion need to design their risk systems carefully to avoid duplication of effort or, potentially worse, a situation where no one feels accountable for managing a risk because it is always someone else’s job.

The typical approach to avoid these issues is as follows:

  • Risks are owned by the part of the organisation that suffers the consequences (or gets the benefit) from the risk. This will typically be a business unit.
  • This does, however, leave one remaining issue: how to deal with risks that arise from the same root cause (e.g. failure of a common IT system) and impact more than one business unit?
  • Here functions can play a key role. By aggregating the impact of the common root cause across multiple business units, risks can be properly assessed and prioritised accordingly.
  • Functions have a role in breaking down silos. As discussed earlier, the company management team often see across multiple business units and as such are well placed to identify hidden risks (often risks identified by one business unit but not by another), set standards for managing certain types of risks (e.g. safety and compliance risks) and share best practice.
