Controlled growth, responding to external changes and making risk an integral part of everyday decisions: this is what Integrated Risk Management (IRM) is all about. Not surprisingly, the trend is that not only risk managers but also people on the shop floor are playing an increasingly prominent role in IRM.
Smart and short self-assessments are being introduced in organisations, to involve the business more actively within the so-called ‘three lines of defence’ model. It is no longer mainly the second (Risk & Compliance Management) and third lines (Internal Audit) that bear the responsibility for adequate risk management. It is precisely by involving the employees who experience the most ‘pain’ when risks occur that a collective sense of usefulness and necessity is created.
However, many organisations struggle with how to make minimal demands on, and get maximum value from, the precious time of this first line, also known as the business owners. Marieke Kessels, CEO of Infoland, explains: “At Infoland, we see plenty of opportunities for this, precisely by involving everyone in the organisation in risk management.”
Ensuring and demonstrating that the organisation is in control is the main reason for carrying out control tests on a frequent basis. These are often self-assessments, intended to determine the effectiveness of existing management measures (controls). However, it requires a certain degree of risk awareness – and thus a certain level of risk maturity – from the business to meaningfully perform this task.
Ensuring that integrated risk management is supported at all levels therefore proves to be one of the biggest challenges in many organisations. For example, self-assessments or other forms of control testing are traditionally carried out according to a fixed format. Deviations from the expected result are recorded and settled as issues.
Marieke: “This is where it often goes wrong. Issues lead to improvement measures or other activities that need to be implemented and monitored. As organisational size increases, maintaining an integral overview is extremely complex.”
It is precisely the people on the work floor who can provide you with daily input and increase the value of risk management. Perhaps not always in the risk analyses themselves, but by involving them in periodic checks and by allowing them to easily report various occurrences.
Think of reports of (near) incidents, deviations, improvement suggestions or complaints that provide a lot of valuable input and serve as food for thought for integral risk management. This creates a continuous flow of insights from the business, taking risk management to the next level.
“‘More data from different perspectives’ actually makes the overall risk profile more valid and reliable,” Marieke explains. It enables organisations to:
Marieke: “Engaging the business and converting their input into valuable insights hinges on setting up an adequate IRM system that goes beyond simply capturing and managing risks.”
In an ideal world, organisations therefore use an integrated solution in which themes such as issue management, incident management and audit management have a place alongside risk analysis and control testing. Making these components an integral part of the IRM tooling creates practical insights thanks to (real-time) dashboards. This ensures effective risk management.
Zenya RISK is a solution that makes this possible. The software helps you optimally identify, evaluate, manage and monitor operational and strategic risks and their controls.
The insights that tools like RISK give you can then provide direct input for identifying and evaluating risks and control measures. These insights can also be used to increase risk awareness. For example, by also sharing dashboards on the work floor (and in the canteen), people see the positive or negative effects of their actions. This is how your organisation grows in risk maturity!
“In practice, there is another powerful tool to increase risk awareness in the workplace. It involves knowledge transfer through short questions and knowledge flashes,” says Marieke. Did you know that we recently made a Zenya module available for this too? Discover the benefits of microlearning with Zenya BOOST.
As an example, take compliance with safety or hygiene regulations, two varied topics in many organisations. Practice shows that the effect of newsletters, manuals or (classical) learning courses is very limited. Knowledge only sticks if it is directly applicable. The new learning is therefore shifting towards on-the-job microlearning in the form of short, digital training courses and tests.
Let’s zoom in on an issue like GDPR: one that poses all sorts of risks organisation-wide. From printing and leaving CVs ‘lying around’, to sending sensitive customer information. Everyone within an organisation has to deal with it.
Sending around a short knowledge test periodically keeps the topic up to date and collects a lot of data by asking the right questions. For example, by asking people to select the GDPR pitfalls with a pointer question, they start thinking actively and analysing the situation. And because they receive immediate feedback in the form of a knowledge flash after their answer, their risk awareness is raised immediately.
Heatmaps provide insight into where employees have clicked frequently or less frequently. Knowledge gaps, and therefore risks, are immediately visible this way. This can lead to additional risk management measures (controls), training programmes or other actions.
“In a nutshell, an effective risk management system provides a set of applications that supports everyone in your organisation in better and more comprehensive evaluation of risks. In fact, more data from different perspectives makes the overall risk profile more valid and reliable,” Marieke explains.
In simple terms, it means that you can introduce thermometer moments, checking whether professionals on the work floor actually comply with control measures and whether risk awareness is well established.
Resources such as issue and incident management, audit management and microlearning are suitable for this purpose. This creates a continuously improving organisation in which all layers add value. And then integrated risk management really works as a driver for success.