EMBEDDING RISK MANAGEMENT
Risk management needs to become part of the way business is conducted. Embedding risk management in the regular, daily affairs of the organisation is not an easy task and requires continuous effort. Achieving this measure of acceptance may take some time; however, a number of steps can be taken to help the process.
SUPPORT (SPONSORSHIP) FROM THE TOP
The implementation must be sponsored at board level and positively supported by all senior people within the organisation. There are a number of ways this can be done: presentations, devising a risk policy, and inclusion on agendas.
POLICY
Every organisation should have a risk management policy, whatever its approach to risk. Such a policy should be formal and set a framework within which the organisation implements its risk management responsibilities and processes. The policy should include:
- Objectives and the overall purpose of risk management for the organisation (statement of intent). There should be links to other policies, for example audit (internal and external), control, governance, conduct, insurance and so on.
- Responsibility for risk management, clearly set out at board, management and operating levels. This should be repeated in specific function responsibilities and job descriptions throughout the organisation.
- If there is an audit and/or risk committee in the organisation, its responsibilities for risk management should be clearly stated in its terms of reference. This applies also to internal audit and any other internal or external assurance activity.
- Risk appetite: the level of risk the board is prepared to accept to achieve its objectives, in specific circumstances or possible events, indicating the levels of control needed to mitigate specific risks.
- An explanation of the key components that sets out the overall approach to risk management, including the commitment of resources (staff and information systems), training and development.
- A requirement that key risks are considered on a regular basis and reported up the hierarchy as required. Designated managers at various levels report upwards (on either a quarterly or half-yearly basis) on the work done to keep risk and control procedures up to date and appropriate to circumstances within their particular area of responsibility.
- A common risk language, defining the terms to be used.
STRATEGY
The organisation must develop a clearly articulated and communicated strategy, explaining how risk management will operate according to an implementation plan (timetable). This will be consistent with the specific responsibilities and roles set out within the policy.
Risk management must be linked into other activities as a matter of routine, such as business plans, project plans, team meetings etc.
Risk management must be a high priority for everyone in the organisation and must be clearly built into both departmental and individual performance objectives.
STRUCTURE (STAFF)
Linked to strategy, there needs to be in-house expertise and sufficient resources within the business, in the form of an organisational structure.
TRAINING & EDUCATION (SKILLS)
Training and education are needed to help people understand their role, as well as providing explanation and practice of the process. This helps to ensure consistency and should be based upon clear guidelines and a simple working method that is effective. The method for identifying and assessing risk must be easy to use and not be an end in itself.
A good way of helping the process is to run risk workshops.
If you'd like a full copy of Chris' article, please request it using the contact form on the Capable People website.
The McKinsey 7-S framework is a good basis for developing a risk culture.