4 Considerations When Designing A Risk Management Program
The risk management framework in ISO 31000 provides a flexible approach to create the right program for your organization. The document doesn’t provide advice or wisdom, so you have to supply that yourself.
The details of the risk management program or specific framework in your organization include policies, procedures, analysis, and reporting, yet the program also has to work within the context of your organization.
Based on the work of Greg Hutchins in ISO 31000: Enterprise Risk Management, here are four considerations to supplement your wisdom as you design and implement your program.
1. Define Clear, Meaningful Program Objectives
As with any process or program, the success of the endeavor improves with a clear vision of the objectives and desired outcomes. A risk management program in general focuses on identifying and mitigating risks. That is too general.
Define the desired outcomes clearly. If it is to reduce the consequences of adverse surprises in the market, or from your products, say so. Be specific and clear.
“Over the next year our risk management program will identify and mitigate xx types of risks reducing adverse consequences by xx% year over year.”
The statement of the program objectives provides direction and guidance for all involved, both inside and outside the organization.
2. Keep It Simple
Risk identification and risk mitigation are complex tasks, but your risk management program should not be complex. A clear objective is a start. Streamline and simplify data collection, analysis, and reporting, for example.
The design of a product, along with its verification, may be complex, and that complexity helps to avoid product recalls. Yet when a recall is the right course of action, the triggers and the implementation should be kept simple.
An overly complex risk management program increases the risk of making poor decisions, mitigating minor risks, or diverting resources unnecessarily. A simple system with clear objectives permits effective implementation. Reducing ambiguity is itself an effective way to reduce risk in an organization.
3. Include Cultural Elements
Beyond the technical procedures and reporting channels, also consider the behavioral elements, the culture, within your organization. How does information effectively reach the right individuals? How are messages, good news and bad news alike, typically received?
The cultural elements concerning the relaying of bad information, in particular, are important to understand. A trigger or event signaling a significantly adverse risk may receive little attention or forwarding when the culture tends to ‘shoot the messenger’.
Blame, privacy, and secrecy all play a role in stifling the transmission of good news and, especially, bad news. A part of the risk management plan may need to explicitly address the cultural elements that would otherwise retard the effectiveness of your program.
4. Define the Program Scope
The overall purpose of a risk management program is to identify and mitigate risks to the organization and to its customers. Yet a risk management program does not imply unlimited scope and authority to act in the name of addressing risks.
Establish clear boundaries that include:
- Who has authority to take specific actions (initiate a recall, for example)
- Who has what spending authority and decision authority
- What the timelines and deadlines are for routine and event-related activities
- Who can stop production
- Who can speak to the media and when
Other elements to consider as you define the scope for your program include context, capabilities, maturity, and objectives. In many situations the existing decision and spending authorities will map to similar risk management program responsibilities. Think it through for your organization and adjust as needed to create an efficient program.
These are just a few considerations for creating a risk management program within your organization. The framework provides a structure you can use to build a program that is unique to your organization and situation.
What else should you consider? Add your insights and suggestions in the comments section below.
Reference: ISO 31000: Enterprise Risk Management by Greg Hutchins, supplemented by discussions with Greg about establishing risk management programs over the past few years.