The key to good enterprise-wide risk management is to define success and then identify the appropriate actions. It’s important to be proportionate in your response to problems in order to win friends – there’s no point in using a sledgehammer to crack a nut.
Good preparation will help to ensure that actions are relevant. Update your risk registers regularly to drive actions and remember that accurate information is essential in order to monitor these.
1. Work to a structure. Even the most entrepreneurial business needs some structure for its risk management, whether that involves following set guidelines or a code of practice. There are several of these already available. For example, ISO 31000, “Risk management: principles and guidelines”, defines the practice of risk management as it moves from“principles” to “framework” to “process”. In addition, you need to identify the roles in your organisation that need to be given risk-related objectives.
2. Define success. If you haven’t defined what success means for your organisation, this shortcoming will be reflected in what comes out of the process. It is too easy for companies to become lazy and to rely on routine. Risk workshops are a good way to achieve a common understanding of your definition
3. Keep risk registers fresh and relevant. There is a huge variety of risk registers, many examples of which are available on the internet, so check these out for ideas. Remember that you must identify what information your business needs to collect and how it will be used. One useful tool is “bow-tie analysis”. This offers a visual representation of the causes and consequences of a serious risk and the barriers, such as systems or people, you need in place to limit your business’s exposure.
4. Retain knowledge. Most of the information we refer to is kept on paper or in IT systems. Your business needs to capture information and store it in an accessible format before key people move jobs and take their tacit knowledge with them. It also needs to have the right culture in place. One way to ensure this is to run an annual survey. Employees can be asked questions about how competent and confident they feel about their ability to manage risk.
5. Avoid using jargon. You need to be able to talk the language of business as well as the language of risk. If not, you will put up barriers and managers will view you as an outsider.
6. Brief or train those who govern the organisation. If you don’t think this is important, ask yourself how often risk information that is passed up through your organisation is used to change a process. The objective is to make change happen.
7. Understand the interdependencies across your organisation. Consider how all the business’s risks link with each other.Continually assess performance.
8. Benchmark your business’s risk management against that of other similar organisations and see how your systems measure up to theirs.
This article is based on Allan Gifford’s seminar at the IIA conference. For details of IIA training courses on risk, visit bit.ly/oPuqHF