Last month, #*IT Happens introduced the Funnel Analogy as a way of explaining the risk management process. This month, we look at some of the higher-level principles, or aspirational values, that should underpin the process if real changes are to be made to the risk management culture of an organisation.
The Risk Management Standard, AS/NZS ISO 31000:2009, sets out certain principles that should be adopted. These principles suggest that, ideally, risk management:
Creates and Protects Value
Risk management should never simply be a box-ticking, administrative exercise; it should always help the organisation to achieve its goals by allowing employees to focus their efforts on threats that may prevent goals from being achieved.
Enhances an organisation’s resilience and creates strategic and tactical advantage
Risk management programs should always aim to address significant external and internal threats. By identifying, analysing and treating risks through regular risk assessments, an organisation reduces the threats to its success and so increases its resilience.
Developing sound crisis management and business continuity plans will further assist the organisation in making itself more robust.
Is an integral part of organisational processes
Risk management should never sit in isolation – it should cut across all other disciplines, because its aim is to address the effect of uncertainty on objectives. Since every business function has objectives, risk management helps manage anything that may threaten their success. For this reason, organisations that are successful in managing their risk actively integrate it into other business processes to the point where it is ‘just part of the things we do’.
Is part of decision making
When any significant decisions are made, consideration of the risks should be part of the process.
Every decision has a range of possible consequences. Risk assessment helps to explore how likely each consequence is, and cost-benefit analysis helps to determine what it would cost the organisation to lower the risk under each alternative course of action.
In this way, risk management can assist in managing change and investigating new business ideas.
Explicitly addresses uncertainty
Although legal compliance is the minimum standard, risk management should strive to go beyond it. Its real value lies in helping the organisation to understand the nature of uncertainty about the future, and how far that uncertainty can be influenced.
Is systematic, structured and timely
Embedding risk management within an organisation is vital. A key way to do this is to systemise risk assessment, treatment monitoring and risk reporting, and give management timely and accurate risk status reports.
Is based on the best available information
Most organisations are always changing. With these changes comes new information, and it is essential that all risk-related decisions are based on the most up-to-date information available.
Is tailored
Risk management must be calibrated to fit the business. Risk definitions, risk ratings and acceptability criteria, assessment methods and supporting business rules all need to be customised so that risk management matches the organisation’s needs.
Takes human and cultural factors into account
In order to foster a positive culture, support must come from above. The communications and actions of the Board, CEO and Senior Managers greatly influence all employees. If the leaders state their expectations and put accountability systems in place, staff will nurture a risk-aware culture.
Is transparent and inclusive
Risk management should be designed so that it involves everyone in the organisation while remaining specific to individual job roles.
Is dynamic, iterative and responsive to change
As mentioned earlier, organisations are always changing; those that do not respond to changes in their internal or external environment risk their very survival. A risk management system needs to be receptive to change so that it remains relevant and useful.
Facilitates continual improvement of the organisation
Organisations should aim to review and improve the ways in which they manage their risk. It is vital that we learn from mistakes and become more resilient as a result.