The diagram above shows the Risk Management Process from ISO 31000:2018 Risk Management – Guidelines (Guideline). This sets out a method for managing risks. This ISO 31000:2018 Guideline is recommended for anybody interested in risk management.
The purpose of this ‘Handy Hints’ is not to go through each of these elements in detail and simply restate what is in the Guideline, but rather to:
§ Discuss a couple of excerpts from the Guideline that don’t get enough attention
§ Provide some views on a component of the Risk Management Process, and
§ Provide some hints for practical application.
The two excerpts are:
“Although the risk management process is often presented as sequential, in practice it is iterative.”
“The risk management process should be an integral part of management and decision-making and integrated into the structure, operations and processes of the organisation. It can be applied at strategic, operational, programme or project levels.”
So, the risk management process is (or should be) happening as an integral part of management and decision making at all levels and areas of an organisation, about different types of risks, often in an iterative manner, and will be at differing stages for different risks. This integrated, dynamic and iterative approach may seem at odds with the scheduled, facilitated risk workshops that often come to mind first. But both of these applications of the risk management process are very important and should complement each other.
A key insight is that, to be effective, risk management must be integrated into management, decision making, structures, operations and business processes.
Another key insight is that risk management is honest conversations. This is not to say structured approaches and record keeping aren’t important – they are. Rather, irrespective of how the risk management process is applied, it requires honest conversations – to share thoughts and observations, to propose new risks or changes to existing risks, and to get a shared understanding of the risks: how they are controlled (mitigated), how effective the existing controls are, whether more action is needed, etc.
Risk management should not be considered the responsibility of just senior and middle management. The conversations should include the staff at the coalface and those responsible for executing the various risk controls – they have a deeper understanding of what is happening with your customers and of how effective the current risk controls are. Similarly, having as open conversations as possible to explain what the controls are and why they are important, and encouraging honest feedback, can result in vital feedback (like better or more efficient ways to achieve the same goal) and help staff understand why they shouldn’t look for or use workarounds.
The importance of these conversations and encouraging honest feedback (which sounds like ‘communication and consultation’) cannot be overstressed. Interestingly, the first component of the Risk Management Process described in the Guideline is ‘Communication and consultation’.
There has been a deliberate emphasis on ‘honest conversations’, ‘encouraging honest feedback’ and ‘having as open conversations as possible to explain what the controls are’. The qualifier in the last of these acknowledges that at times it would be imprudent to disclose too much information; for example, it wouldn’t be a good idea to describe in great detail the exact controls used to identify and prevent internal fraud – but letting everyone know (without the exact details) that these controls exist can act as a deterrent.
Being able to have ‘honest conversations’ and ‘encouraging honest feedback’ is vital to ensure the flow of accurate and uncensored information. Quite simply, risks that are not communicated or are not well understood won’t be managed properly.
Achieving ‘honest conversations’ and ‘encouraging honest feedback’ is tied to the broader subject of organisational culture, and can also be unintentionally, but significantly, affected by other factors.
All of the organisation’s management must both communicate the desire for honest conversations and feedback and always display supporting behaviours – i.e. they must all ‘walk the talk’. There must be a safe environment to allow these honest conversations and feedback. Some examples include:
§ Not ridiculing or dismissing anything – rather, ask questions (such as: ‘What have you seen to indicate that?’; ‘Has that occurred? / How has that occurred?’; etc.)
§ Acknowledge contributions
§ Where further consideration is to be done, let people know the outcome.
Other factors that can unintentionally affect people’s willingness to speak up honestly can be:
The desire to not appear in a bad light – for example, risks are often assessed using a heatmap (or risk matrix) that is based on likelihood and consequence and uses coloured cells. Managers may have a natural reluctance to rate a risk highly (in the red cells), as they think it will be interpreted as poor management. To counter this, the emphasis should be changed to encourage early risk identification and timely action to reduce the risk level when required; and
The structure of performance or remuneration measures – for example, if performance assessments and/or remuneration are reduced according to how highly risks are rated (or by the number of incidents / complaints / returns, etc.), this can affect people’s willingness to speak up (or even to record these). These criteria must be structured to support the desired behaviour of honest conversations and feedback. For example, these criteria could be restructured to reward early detection of risks and issues.
COPYRIGHT NOTICE & DISCLAIMER
This document is the copyright of Primescope Technology Solutions (A'SIA) Pty Ltd – © 2020. All rights reserved.