Guest Post by Peter Holtmann (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
This article is the fourth of fourteen parts to our risk management series. The series will be taking a look at the risk management guidelines under the ISO 31000 Standard to help you better understand them and how they relate to your own risk management activities. In doing so, we’ll be walking through the core aspects of the Standard and giving you practical guidance on how to implement it.
In previous articles (1st, 2nd, & 3rd) we’ve looked at the core elements of the risk management framework generally, as well as the role of leadership and commitment, and integration more specifically. In this article, we’ll be looking at how to effectively design your risk management framework.
In order for your risk management framework to be as effective as possible, it needs to be well designed. In this article, we’ll be looking at how to design an effective risk management framework by focusing on some key design considerations. These considerations include understanding your organisation and its context, how commitment to risk management is articulated, the assignment of risk management roles, responsibilities and accountabilities, the allocation of organisational resources, and the establishment of communication and consultation. Together, these key considerations will inform you to effectively design your own risk management framework.
Understanding the organisation and its context
In order for you to best design your risk management framework, you need to firstly begin by grasping a firm understanding of your organisation and the environment in which it operates. This involves both an internal and external assessment.
For the internal assessment, one of the best places to start is by looking at the vision, mission and values of the organisation. This can then lead into assessing the governance, structure, roles, strategies, objectives, policies, culture, and capabilities within the organisation. This list is not exhaustive. Whatever the internal assessment relates to, it’s also important to understand that each of these internal factors are intimately related, and they are also often influenced by external factors. This requires us to conduct an external assessment as well.
For the external assessment, you need to consider a wide variety of factors. This includes the likes of the social, cultural, political, regulatory, technological, economic and environmental factors, as well as how they work and interact act as key drivers of trends impacting your organisation. Matters which may influence such trends can also include the contractual relationships you have with external stakeholders, and how these relationships contribute to and are influenced by the complexity of your external networks. When assessing external factors, effective risk management design recognises that there is often little we can do to control those factors. Rather, we need our risk management framework to be robust to adapt to these external influences as best as possible and as efficiently as possible.
After completing the internal and external assessment of your organisation, you should have gained a solid grasp on the factors which influence your organisation’s risk management behaviours and practices, especially those which are within and beyond your control. With this knowledge, you are able to best design, adapt and iterate your risk management framework to the context and needs of your organisation.
Articulating risk management commitment
Your organisation’s management team and relevant oversight bodies should be effectively communicating and articulating their commitment to risk management. This is natural to assume, given our previous articles have touched on the notion that leadership and commitment regarding risk management runs from the top down. For this reason, management and relevant oversight bodies need to do more than just articulate their commitment with words; they also need to actually be acting as risk management exemplars.
Although actual behaviour is important, articulation of what that behaviour should be is also important. In doing so, you may select tools such as policies, statements, or forms to highlight the importance and necessity of good risk management practices. Now, these tools shouldn’t just be used internally. They should also be used externally in order to potentially attract resources. Resources in this sense may include government grants for safe practices, accreditation, as well as human capital who value working in safe environments.
Without the articulation of your organisation’s commitment to risk management, calculated risk behaviours will likely be absent from your organisation; a matter which can lead to significant costs both financially and non-financially. However, written tools articulating best risk practices should not be used at the cost of actual, observable risk behaviours within your organisation.
Assigning organisational roles, authorities, responsibilities and accountabilities
As we’ve mentioned in previous articles, one of the key aspects of risk management is having people accountable for doing so. Part of the accountability aspect of this is choosing and knowing who to assign these responsibilities and accountabilities to. Before we dive into specifics, it should be noted that while it is critical to have clear cut roles for who is responsible for risk management, this shouldn’t defeat your whole organisation also being responsible for risk management. Risk management is a core responsibility of everyone in your team.
When assigning these types of roles, you may like to identify the ‘risk owners’ within your organisation. It’s reasonable to assume that the most popular ‘risk owners’ are managers. Managers are typically a good option as they already have the authority to manage risk within the scope of what they’re already appointed to manage. If you work with a smaller organisation or if you’d like to spread out the specific responsibility across your organisation, you may also choose to appoint ‘safety champions’ to manage risks within the specific environment they work. Appointing these types of roles can also help to reinforce a culture of safety.
One of the most pressing points about risk management is having the resources to do so. Even when we know we do have the resources, we need to ensure that we allocate them effectively. Insufficient or inadequate allocation of resources towards risk management activities can completely undermine your efforts, and therefore the safety of your team.
When allocating resources, you need to consider things like your organisation’s processes, methods, and tools, documented processes and procedures, information and knowledge management systems, and professional development and training needs.
When considering these things, ask questions along the lines of whether or not they’re currently effective, and if they are effective, whether or not they can be improved. This will then help guide you to figuring out what aspects need the most investment, and you can therefore allocate your resources accordingly. This approach to resource management operates as a design mechanism which helps support a robust and effective risk management framework
Establishing communication and consultation
One of the most important characteristics of an effective risk management framework is that it is consistently adapted and iterated to the changing needs of the environment in which it operates. To do this, solid lines of communication and consultation need to be established.
In doing so, you should have an approved approach which both sends and receives messages relating to risk. Having a platform for your organisation to do this can operate as an important cultural factor to support positive risk behaviours.
When sending messages on such a platform, it is critical to ensure that the medium used reflects the needs and expectations of the stakeholder to which it is directed. The message being sent should also be timely and appropriate in the context of risk.
When receiving messages, it’s important for management to interpret and synthesise that data to then effectively action it. Messages received can be particularly useful for gaining insight into aspects of your organisation which may be missed in policy drafting, as well as any changes that may arise from new policies or procedures, for example. When this data is actioned, changes should then be communicated to your organisation.
As we can see above, solid communication and consultation mechanisms are a critical support tool for helping to both design and maintain the design of an effective and relevant risk management framework.
Ultimately, appropriate design factors are fundamental for supporting a solid and effective risk management framework. When the factors that we’ve touched on in this article are properly and thoroughly addressed, we are then able to build, adjust and adapt our own frameworks as needed and in the best interests of our organisation’s safety practices.
If you have any stories – good or bad – about how you’ve designed your risk management framework, I would love to hear them.
If you’re looking at designing a risk management framework in light of your practices and procedures and would like some guidance or a conversation to help you on your journey, please contact me. I’m more than happy to guide you.
About the author
Peter is the Founder and Director of Holtmann Professional Services, a global provider of executive coaching, business excellence consulting and career path development. Peter has 20 years of experience in executive roles and has been the President and CEO of a global non-profit. Peter has written for many journals and blogs, is a keynote speaker and is a champion of prosperity through excellence of leadership.
If you are interested in working with Peter, please reach out to firstname.lastname@example.org.