When considering the term “risk,” most people associate it with “What could go wrong?” While generally true and rooted in evolutionary cognitive bias, this is only part of the definition. According to ISO 31000, risk is the “effect of uncertainty on objectives”. Therefore, when we talk about risk we should consider it as uncertainty that carries both hazard and opportunity.
So why are we concerned with risk? Isn’t that some corporate/bureaucracy exercise? To answer this we need to appreciate the other side of the coin - trust - which is the opposite of risk. Therefore, the focus of Risk Management programs is ultimately to increase trust, including:
In a 2013 study conducted by the Boston Consulting Group, customers identified trustworthiness as one of the top qualities that would attract them to a brand.
Taking risks is part of life and we continuously assess risks against the benefits we enjoy by taking those risks. The risk profile of a company includes many different types of risks - financial, marketing, legal/regulatory, fraud, security, operational, etc. - that need to be balanced. The goal of the Enterprise Risk Management (ERM) program is to:
Building trust through the removal of uncertainties (i.e. managing risk) relies on two fundamental principles: being open and being predictable. Being transparent about our philosophy, practices and procedures means that customers know exactly what they are getting. Being predictable conveys that we are a reliable partner and is the reason behind our periodic audits.
There are two primary purposes in managing risk at Atlassian:
It is helpful to think of risk like debt - a limited-capacity asset that an organization can deploy. It is best to spend it in the areas where we could receive maximum ROI - which is the goal of the balanced company risk portfolio. For example, we would gain very little from carrying high risk in our cloud operations, because that would lead to more incidents and customer dissatisfaction. On the other hand, we could benefit greatly from experimenting with new uses of our products. Hence, we should minimize the former, which gives us the ability to increase the latter. Certainly, ‘paying risk down’ to zero is quite costly (in most cases even impossible) and may not be worth the investment - each additional nine of availability beyond 99.9% is progressively harder to obtain. That is another factor in balancing the risk portfolio.
Having a functional ERM program is:
At Atlassian, we have a risk framework in place to manage both strategic enterprise risks as well as day-to-day risks at the team level. We do this because there is clear evidence that companies with risk management processes facilitate better operational and strategic decision-making, which generates higher revenue and lower operating margins.
The Enterprise Risk Assessment is a comprehensive process that we perform annually and update regularly throughout the year. There are many inputs into the analysis:
We aggregate the data we receive, analyze it to determine the risks and score them based on likelihood, impact, velocity, benefit, and risk management effectiveness. If necessary, we check with business leaders for clarification and alignment.
While we track enterprise risks, our focus is on high risks without corresponding high benefits and areas that require additional attention.
While the Risk & Compliance function runs the program - collecting and analyzing the data, reporting, and tracking execution - the periodic risk assessment report is the consolidated view of the executive team on our most significant risks and how we are addressing them. The Risk & Compliance team can opine and advise, but it is ultimately the executive team that decides what our optimum portfolio will look like - which risks we would like to decrease, which risks we would like to increase, and where we would like to direct our efforts and resources.
Therefore, the risk assessment report is usually factored into operational and strategic planning to guide investments and resource allocation (but it is not the sole driver). It is also factored into the Internal Audit annual planning. We have been timing our ERM program so as to complete the report around the end of the calendar year. Additionally, that aligns with the requirement to update the Audit Committee twice per year (June and December).
It is used as another checkpoint for the health of the business and the company. It helps validate or disprove how we “feel” about things. It is also an additional point of alignment around goals and objectives.
We want to provide our customers with confidence that risks are being managed appropriately. While there are many risks that are well managed, we want to focus on the ones where the risk we are accepting (implicitly or explicitly) is too high without a corresponding high benefit. It is this strategy that keeps Atlassian lean and agile in a complex environment where managing risk and time to market play a critical role in the development of the company.