This guide describes how organisations can go about the transition needed to achieve a more encompassing and less silo-based approach to managing risk. It includes practical advice on a simple, seven-step process that we recommend organisations adopt to ensure a successful transition
A more effective way to manage risk
Organisations of all kinds face internal and external factors and influences that make it uncertain whether, when and the extent to which they will achieve or exceed their objectives. Objectives are the highest expression of intent and purpose, and they typically reflect an organisation’s explicit and implicit goals and values and the imperatives of relevant enabling legislation.
The international risk management standard, ISO 31000:2009, defines risk as the effect of uncertainty on objectives. The effective management of risk is therefore essential if organisations are to achieve their objectives and satisfy the needs of their stakeholders.
It has been long recognised that good governance and effective management are best achieved through the development and deployment within an organisation of a single coherent and consistent framework, methodology and vocabulary for managing risk, to be used for all kinds of activity. This ensures that:
- There is a consistent and defensible basis for decision making at all levels, particularly where effort or capital is expended
- Change activities are more likely to succeed
- The organisation can pre-empt and capitalise on external changes such as those involving demographics, customers’ needs and government policy
- All employees are encouraged to focus on and give priority to actions that aid the execution of strategic and project plans and enhance the organisation’s objectives
- The organisation is prepared for and protected from major incidents and losses
- Moves to identify and seize opportunities are stimulated and enhanced
- Accountability for risks and controls, and the monitoring and assurance of controls, is clear and understood.
In time this will also lead to a significant change in culture as the organisation and its employees engage on activities directly related to ensuring the achievement of goals and objectives and the successful completion of projects.
This all-encompassing approach to managing risk is sometimes called Enterprise Risk Management (ERM). It has gained considerable support over the last 15 years because it provides a more coherent, simpler and more cost-effective approach than managing different kinds of risks in different ways – the so-called silo approach.
Why do organisations fail to manage risk effectively?
To achieve effective risk management and generate the greatest possible benefits takes time. It also requires the investment of resources and a period of sustained management commitment. Organisations may think that they can change and adopt different ways of working and thinking overnight, with the minimum of support, encouragement or training, and others may expect significant returns with little or no investment, but this is not the case.
We have seen ERM fail because of:
- Management impatience coupled with poor support and limited senior management priority
- A poorly planned or executed transition or enhancement process
- Lack of ownership and support by senior management
- Lack of perceived relevance of the process to the business
- Poor skills, particularly in change management, in those leading the process
- Overly bureaucratic systems where form rules over substance.
While managing risk is essentially simple, getting an organisation to adopt and integrate good, consistent approaches and then sustain them requires skills and understanding in both risk management and organisational change. Often those charged with the task of implementing more effective risk management do not possess both attributes, and in some cases neither.
The key to sustaining effective risk management
After many years of practical experience in evaluating and enhancing frameworks for risk management in organisations, we believe that success depends as much on the manner in which any changes to a framework are developed and implemented as it does on the detail of the tools and written materials generated. This is why we strongly recommend to our clients that we help them through a management of change process, where key internal stakeholders are involved and engaged carefully in evaluating the existing approach and in planning how, where and when enhancements will be made.
It is our experience that using a contractor to facilitate a series of risk assessment workshops and then adopting a commercial framework package is highly unlikely to achieve an efficient and sustained risk management process. On the other hand, taking time to develop a customised framework, tools and methods that reflect the organisation’s needs, risk profile and structure, and then training risk management champions − who roll out the framework and integrate the risk management process through a top-down engagement − normally achieves the most rapid acceptance and long term ownership of risk management by a management team.
This is why we prefer to partner with our clients, to coach their staff and to provide mentoring and support. We work with each organisation’s risk management specialists, building upon their skills and experience rather than replacing them.
The framework for managing risk – why it is vital
An organisation’s ability to manage risk effectively depends on its intentions and its capacity to achieve those intentions. This intent and capacity is referred to as its risk management framework, which is part of its system of governance and management.
The quality of the framework is important because effective risk management requires:
- Clear expectations from ‘the top’
- Appropriate capability, skills, resources and support
- Sound relationships with stakeholders
- Integration of necessary risk management practices into the day-to-day activities and accountabilities of the management team
- A commitment to continually learn and improve.
The risk management framework should not attempt to replace the natural capability of people to manage risk. Rather it should enhance good practices so that the process is reliable, comprehensive and consistent. For this to occur and for the required capability to be achieved, the organisation requires:
- A set of suitable ‘tools’
- A coherent approach to training and communicating to people so that they can use those tools in a competent and consistent manner
- An approach that signals and reinforces the correct behaviour and way of thinking.
The typical elements of a framework and an illustration of how this supports the integration of the risk management process are shown below.
How to enhance the management of risk and the transition to ERM
The tactics for successful transition
Although ISO 31000 explains how to manage risk effectively, it does not explain how to make the changes that are needed to ensure that an organisation's approach to managing risk improves, becomes all-encompassing (i.e. enterprise-wide) and fully integrated. Even though organisations are different and their starting points may differ widely, a generic and systematic process is applicable in all cases.
Our experience is that only approaches that are top down and driven by top management are successful, as these signal the clear mandate for change and help ensure the necessary resources are available to make the transition as efficiently and effectively as possible.
The transition can take place across all of an organisation or in one or more of its parts, such as within a subsidiary business. However, even if the implementation takes place in part of the organisation, the approach should still be top down.
It is our experience that to be successful the approach must:
Set clear expectations: Top management should clearly communicate to relevant stakeholders the reasons for the changes and the expected benefits (for example to improve the organisation’s ability to achieve its objectives), the end goal, the consequences of failure to complete the alignment, and the organisation’s commitment to complete the changes within the selected timeframe. This component of the overall alignment strategy is essential to achieving buy-in by stakeholders.
Set standards: The organisation should document what is required to be done to manage risk within the organisation in a set of within-organisation standards. These should be consistent with ISO 31000 and be supported by appropriate guidance material.
Such standards can take several forms, such as Chief Executive instructions, formal protocols, processes or rules. Whatever they are called, their function is to specify to everyone in the organisation how risk management activities are to done.
Make a written plan: To ensure that transition activities occur in the right order and are supported by the necessary resources, a plan should be developed that is tailored to the characteristics of the organisation. This is the risk management plan required by ISO 31000. Planning should commence by analysing the present situation and practices in order to identify the gaps and determine what should be retained and what should be changed or ceased. Because the plan is a form of decision, it can be expected that it will generate or change risks and therefore it should be subject to risk assessment.
Emphasise communication and training: The organisation should explain the role of the standards and related guidance documents to employees and train both existing and new employees in their content and application to attain adequate proficiency. In some cases, explanations and training may be extended to contractors, consultants and suppliers.
Ensure accountabilities are defined and accepted: Top management should assign accountabilities, and do so in a way that enables the performance of individuals to be reviewed against their accountabilities as part of general performance reviews. To reinforce their importance, the organisation’s hiring, induction, reward and recognition system should take the accountabilities into account.
The enhancement and transition process
This should follows the steps shown in the figure below.
Step 1: Establish clear intent for the transition
Senior management should clearly communicate to employees and relevant stakeholders the reasons for the changes and the expected benefits (for example, to improve the organisation’s ability to achieve its objectives) the end goal, the consequences of failure to enhance risk management, and the organisation’s commitment to complete the changes within the selected timeframe.
This may involve re-visiting and revising any existing policy statement about risk management.
Step 2: Appreciate the characteristics of the organisation to be taken Into account in making changes to its existing risk management framework
This will include consideration of any legal obligations and certification requirements arising from any management system standards the organisation has chosen to adopt. The purpose of this step is to permit careful tailoring of the design of the risk management framework and the transition plan itself, to ensure a good fit with the structure, culture and general system of management of the organisation.
Step 3: Develop or amend internal standards and guides
The organisation should document what has to be done to manage risk in a set of within-organisation standards.
The scale and content of the organisation’s internal standards and guidelines should reflect the characteristics of the organisation (refer Step 2) including its size. Even very small organisations will need to document what employees are expected to do and provide them with sufficient guidance about how it should be done.
The standards may specify that:
- Risk is managed throughout the organisation using consistent approaches
- Accountability for managing risk rests with the organisation’s management
- The duties of risk owners and control owners are clearly defined
- Training and support is provided for risk owners, control owners and people involved in other aspects of risk management
- The risk management process is an integral part of all processes for the management of changes (both external and internal) and for making decisions that affect the organisation’s objectives
- Use of the risk management process is an integral part of the development, planning and execution of organisational strategy, including business plans, projects and initiatives
- Consistent approaches are adopted for risk analysis and risk evaluation in all applications of the risk management process
- Internal and external stakeholders are involved, as appropriate, through comprehensive communication and consultation
- Information about risks and the output from all applications of the risk management process are recorded in a consistent fashion (preferably, in one information system or database) that can be accessed by decision-makers.
Guidelines in support of the internal standards can then be used as the basis for training or skills development as well as for ongoing reference.
Although this step precedes the evaluation of current approaches against the internal standards, in practice the evaluation may suggest a need for some aspects of existing internal standards or guidelines to be amended or expanded. This would become an element of the transition plan.
As with all aspects of risk management, the development of internal standards should include communication and consultation with those who will be involved in their implementation. There also should be provision for periodic review of standards and guidelines if there are subsequent changes in the organisation and its context or if ongoing monitoring and review activities identify weaknesses or inefficiencies.
Step 4: Evaluate existing approaches for managing risk
There should be an objective evaluation of existing approaches to the management of all kinds of risks by comparison with internal standards and guidelines. This includes both the process used to manage risks and the aspects of the existing risk management framework that enable this process to be applied (e.g. relevant training and delegations). Often an evaluation of this kind is best outsourced to an independent, expert person.
While the evaluation can occur by reviewing documents, in our experience it is also vital to observe and review how risk management takes place in practice. This is particularly true if there might be any discontinuity of practice across the organisation or inconsistent processes and systems.
It is also important to test managers' perceptions of the existing approach to risk management to see if they view it as effective and whether it is likely to satisfy their future needs. We normally undertake this testing through a series of structured interviews with senior managers.
The evaluation is best conducted using a structured protocol. It should enable clear findings to be made on:
- The framework and how it facilitates the integration of risk management into decision making, including risk management plans and the strategy for their implementation
- How risk management is applied in strategy development and during the concept and development phases of projects, for decision-making and change management
- Control assurance and reporting
- The reliability of each element of the risk management process
- How risk management is used to deal with changes and to provide contingency arrangements that respond to disruptions, including how learning and feedback take place after events, incidents and decisions
- How the overall risk profile of the organisation is obtained and evaluated through aggregation and roll-up and how risks are treated at the highest level
- The form and content of governance reporting
- How risk treatments are closed out and how monitoring and review of risks, controls and risk treatments occurs
- The organisation’s culture as it pertains to the management of risks, including both the intention and the practice
- The adequacy and effectiveness of the systems and resources available to support the management of risk, including human resources.
Step 5: Prepare the transition plan
A detailed plan is needed to ensure that necessary changes occur in a coherent order and that necessary resources can be provided and applied. This is the risk management plan required by ISO 31000.
The plan should:
- Detail the specific actions to be taken and the timeframe for completion, including amending the internal standards and guidelines, explaining and training to build capability, and making adjustments to accountabilities
- Identify any actions that are to be implemented as part of wider actions associated with organisational development or which are otherwise linked (for example, development of training material and engagement of trainers)
- Define responsibilities for actions
- Incorporate a mechanism for reporting completion, progress and problems
- Identify and record any criteria that are to trigger a review of the plan.
The plan itself should be subject to risk assessment in accordance with Clause 5.4 of ISO 31000. Any necessary risk treatment actions should be taken to maximize the likelihood of its success.
The plan should both require and allow progress to be tracked and reported to senior management and the Board. There should be periodic reviews of the plan if its implementation is likely to be spread over more than one year or if there are changes in the organisation’s context.
Step 6: Implement the transition plan
Senior managers will need to assign accountability for elements of the plan or specific tasks. They should review the performance of individuals against those accountabilities as part of general performance reviews.
To reinforce the importance of accountabilities, the organisation’s reward and recognition system should take them into account. Completion of actions should become part of the performance measures for the managers concerned.
Step 7: Conduct periodic review of progress, suitability and effectiveness
Progress against the plan and the performance measures should be tracked, analysed and reported to top management. In most cases it will be prudent to use the organisation’s normal systems of assurance to track progress.
Progress should be validated periodically by independent review. This could be done by an internal audit function.
At least once a year the overarching strategy for the transition and the elements of the plan should be reviewed in terms of suitability and effectiveness. Such reviews should also occur should any of the other review criteria specified in the plan be triggered (e.g. expansion of the organisation through a major acquisition or amalgamation).
Steps 3 to 7 form the basis for a continual improvement cycle in accordance with ISO 31000.