There are a lot of elements that must come together to make an effective risk management program. The tone from the top, regular and clear communications with team members, training, engagement & involvement in the risk management process and solid linking with strategic planning activities are just some key elements.
Assuming that it all comes together, what features would we expect a well established and embedded risk management program to have?
Firstly, there would be clarity about what risk the business can tolerate and what it needs to do to manage this risk. This wouldn't be confined to the Board room or the risk department, but would be understood by the entire team.
Secondly, armed with this awareness, there would be an expectation that staff would proactively think about risk and respond appropriately and in a timely manner. First line of defence participation and ownership would be high.
Next, in this environment there would be an expectation of a disciplined and structured approach to risk - everybody would know their responsibilities for risk management enabling a coordinated and effective response to risk.
All of the above should lead to what many would call a risk aware culture.
The Risk Management Process
*Source: Based on CAN/CSA-ISO 31000-10, Risk Management – Principles and Guidelines, International Standards Organization/Canadian Standards Association, 2009
The above diagram is from the ISO31000 standard. In future posts we'll talk about each of the elements in turn but for now, assuming an organisation had adopted this approach to risk management, we would expect to see certain attributes:
future focussed - anticipate and manage uncertainty
transparent - open dialogue with stakeholders about risks
constructive - as much about realising opportunities as mitigating threats
consistent & comprehensive - uniformly applied across all business units
strategic - drive RM process by aligning with business objectives
reflective - maintain a healthy unease by regularly evaluating the process
agile - adaptive to the business as it grows and evolves
Imagine the benefits that would flow to an organisation that was able to get this right. It takes an investment of time and resources but most importantly, leadership from the very top.
Some organisations seem to manage their risk with ease, some do a great job at one element (e.g. safety) and are not so good at the rest. Others are yet to formally start the journey to realising the benefits of good risk management. Whatever stage of the risk journey your organisation is at, it's worth continuing the conversation.
Next time, we'll discuss the first component of the process - Establish Context.