Guest Post by Peter Holtmann (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
This article is the eighth of fourteen parts to our risk management series. The series will be taking a look at the risk management guidelines under the ISO 31000 Standard to help you better understand them and how they relate to your own risk management activities. In doing so, we’ll be walking through the core aspects of the Standard and giving you practical guidance on how to implement it.
In previous articles we’ve looked at the core elements of the risk management framework, as well as the role of leadership and commitment, integration, design, implementation, evaluation and improvement more specifically. In this article, we’ll be moving away from the framework and instead introducing you to the risk management process.
The risk management process is incredibly versatile. The shape and form it takes differs depending on its use, and that use can occur in a range of contexts and at different levels of your organisation. Whatever shape or form your risk management process takes, it will show a common trait: it will be systematic, and it will apply to a number of your organisation’s activities. A diagram of the risk management process from the ISO 31000:2018(en) Standard is available in Figure 4 of section 6.1 here.
Some of the most prevalent activities to which the process will apply will be the communication and consultation about the risk, establishing the risk’s context, then the assessment, treatment, monitoring, review, recording and reporting of that risk. When we consider these activities in a linear fashion, it is easy to identify the systemic nature of the risk management process. However, the risk management process is not linear. Rather, it is iterative and how you choose to manage that iterative nature will depend on the objectives of your organisation. We’ll look at these factors in more detail below.
Effective use of the risk management process requires it to be deeply integrated into the structure, operations and processes of your organisation. For this reason, you may have a number of mechanisms in place to ensure this holistic integration, and they may take the form of policies, procedures and practices. In essence these mechanisms will play a key role in the activities that we identified in the introduction to this article, each of which we will be looking at in a little more depth below.
- Communication and consultation: this activity involves helping your stakeholders better understand the risks that your organisation faces, how decisions are made concerning those risks, and at what point and why risk management actions are taken. Without a proper and well-rounded understanding of these risks, the way in which you manage them may be inhibited.
- Scope, context and criteria: this activity is composed of three key steps. The first is to define the scope of the risk management activities, the second is to consider the external and internal context of your organisation and how it wishes to define and achieve its risk management process, and the third is to use the insights from steps one and two to define your organisation’s risk criteria.
- Risk assessment: this activity involves the more general approach of identifying the risks faced by your organisation, conducting a risk analysis and then an evaluation of that risk.
- Risk treatment: following your risk assessment, you will typically need to implement a remedy. This stage in the process allows you to select and then implement the options which most appropriately address the risk that you have assessed.
- Monitoring and review: the role of monitoring and review is to help improve the quality and effectiveness of how your risk management process operates. This is typically conducted on a periodic basis, and the factors considered include the risk management process itself, its outcomes, and the responsibilities which were assigned throughout that process.
- Recording and reporting: this stage in the process ultimately relates to knowledge management and governance through documenting and reporting your experience with the risk management process. This is usually used to positively reinforce communication and decision-making, to improve risk management more generally, and to help those who are accountable for risk management activities.
As we can see above, there is a range of activities to which the risk management process applies. However, none of these activities should be considered in isolation. Each activity positively reinforces the others, and in order for your risk management process to be as robust and effective as possible, the consideration of all these activities together cannot be overlooked.
How should the risk management process operate?
As we have maintained throughout this series of articles, risk management, in the most general sense, should be holistic. The risk management process is no exception to this. The process is, and should be treated as, an integral part of all decision-making, regardless of the level of the organisation at which that decision is being made. Failure to maintain a holistic approach up and down the hierarchy can lead to a fragmented cultural understanding of risk management, which can undermine the risk management culture you have created through the use of the framework or process. This is especially the case for those organisational decisions which relate to strategy, operations, or projects, as they in effect steer the direction of your organisation towards the achievement, or non-achievement, of its risk management goals. In essence, the risk management process needs to work at all levels of an organisation, and it needs to work cohesively between those levels to ensure the highest standard of risk management, and of the risk management process more specifically.
How should the risk management process be applied?
The application of the risk management process within your organisation will depend on its strategic goals, objectives, and the internal and external environment within which it operates. As these factors differ between organisations, you need to ensure that your approach to the risk management process is relevant and tailored to the wants, needs, and environmental reality of your organisation. Data concerning these factors may best be derived from both internal and external stakeholders: internally, your organisation’s top management team and any department managers which you may deem relevant, and externally, your competitors and any other relevant market players.
The iterative nature of the risk management process
Risk management generally, and the risk management process more specifically, are not static. This is because our attitudes and approaches towards risk management can change over time, and this will typically call for a shift in how we actually manage risk. These shifts may be aggressive in how they present themselves, or they may sneak up on us, and either way they can alter the risk management culture within our organisation. This is especially the case given the dynamic and variable nature of human behaviour, and how that behaviour informs our organisational culture. To prevent your risk management process from becoming obsolete, you need to remain adaptive and resilient to the changing demands and trends of risk management practices. This calls for an iterative approach. Such an approach helps your risk management process remain adaptable and relevant, and therefore more successful in its objective of managing risk to the best of its ability.
The risk management process is an excellent tool for ensuring that your organisation has a versatile, dynamic and adaptable approach towards recognising and mitigating risks, regardless of where and when those risks occur within your organisation. We have identified the risk management activities and considered how they together form the overall risk management process, and in later articles we’ll do a deep dive into the nuances of each of those activities. Beyond this, the operation of your organisation’s risk management process should be holistic and iterative in order to best support effective risk management practices and processes.
If you have any stories – good or bad – about how you’ve introduced the risk management process to your organisation, I would love to hear them.
If you’re looking to improve your risk management framework and would like some guidance or a conversation to help you on your journey, please contact me. I’m more than happy to guide you.
About the author
Peter is the Founder and Director of Holtmann Professional Services, a global provider of executive coaching, business excellence consulting and career path development. Peter has 20 years of experience in executive roles and has been the President and CEO of a global non-profit. Peter has written for many journals and blogs, is a keynote speaker and is a champion of prosperity through excellence of leadership.