Controlled growth, responding to external changes and making risk an integral part of everyday decisions: this is what Integrated Risk Management (IRM) is all about. Not surprisingly, we are seeing the trend where, in addition to the risk manager(s), people on the shop floor are playing an increasingly prominent role in IRM. Today, we will explain why this is important and how integrated risk management will really come to life within your organisation.
The Institute of Internal Auditors’ (IIA) Three Lines model is widely used worldwide for risk management. Within the Netherlands, it is mainly used by large organisations. The model explains the three layers of responsibility within an organisation, which can be used to lay the foundations of sound integral risk management. The three layers are as follows:
The first two lines have the common goal of realising actions that enable the organisation to achieve its goals. The role of the first line in this is to provide customers with services and goods and manage risks, while the second line provides support to the first line on all risk-related matters. This includes sharing expertise, providing support, monitoring risks and addressing risk challenges. The third layer provides the management layer with advice to achieve organisational goals.
Smart and short self-assessments are increasingly being introduced in organisations, to involve the business more actively within the so-called Three Lines model. No longer are the second and third lines mainly responsible for adequate risk management. It is precisely by involving the employees who experience the most ‘pain’ when risks occur that a collective sense of usefulness and necessity is created.
However, many organisations struggle with how to minimise and maximise the precious time of this first line, aka the business. Marieke Kessels, CEO of Infoland and a PhD on the subject, explains: “At Infoland, we see plenty of opportunities for this, precisely by involving everyone in the organisation in risk management.“Ensuring and demonstrating that the organisation is in control is the main reason for carrying out control tests on a frequent basis. These are often self-assessments, intended to ascertain the effectiveness of existing management measures (controls). However, it requires a certain degree of risk awareness – and thus a certain level of risk maturity – from the business to meaningfully perform this task.
Ensuring that integrated risk management is supported at all levels therefore proves to be one of the biggest challenges in many organisations. For instance, self-assessments or other forms of control testing are traditionally carried out according to a fixed format. Deviations from the expected result are recorded and settled as issues. Marieke: “This is where the shoe often breaks. Issues lead to improvement measures or other activities that need to be implemented and monitored. As the organisation size increases, maintaining an integral overview is extremely complex.”
It is precisely the people on the shop floor who can provide daily input and increase the value of risk management. Perhaps not always in the risk analyses themselves, but by involving them in periodic checks and by allowing them to easily report various incidents. Think of reports of (near) incidents, deviations, suggestions for improvement or complaints that provide a lot of valuable input and serve as food for integral risk management. This creates a continuous flow of insights from the business, taking risk management to the next level.
“Indeed, more data from different perspectives makes the overall risk profile more valid and reliable,” Marieke explains. It enables organisations to:
Marieke: “Engaging the business and converting their input into valuable insights hinges on setting up an adequate IRM system that goes beyond simply capturing and managing risks.” In an ideal world, organisations therefore use an integrated solution in which themes such as issue management, incident management and audit management have a place alongside risk analysis and control testing. Making these components an integral part of the IRM tooling creates practical insights thanks to (real-time) dashboards. This ensures effective risk management.
Zenya RISK is a solution that makes this possible. The software helps you optimally identify, evaluate, manage and monitor operational and strategic risks and their controls. The insights that tools like RISK give you can then provide direct input for identifying and evaluating risks and control measures. These insights can also be used to increase risk awareness. For example, by sharing dashboards also on the workfloor (and in the canteen), people see the positive or negative effects of their actions. This way, your organisation grows in risk maturity!
“Engaging the business and converting their input into valuable insights hinges on the establishment of an adequate risk management system that goes beyond simply capturing and managing risks.”
Marieke Kessels, CEO Infoland
“In practice, we see another powerful tool to increase risk awareness in the workplace. It involves knowledge transfer through short questions and knowledge flashes,” says Marieke. Did you know that we recently made a Zenya module available for this too? Discover the benefits of microlearning with Zenya BOOST.
Take, for example, compliance with safety or hygiene regulations, two disparate topics in many organisations. Practice shows that the effect of newsletters, manuals or (classroom) learning courses is very limited. Knowledge only sticks if it is directly applicable. The new learning is therefore shifting towards on-the-job microlearning in the form of short, digital training courses and tests.
As an example, let’s zoom in on an issue like GDPR: one that poses all sorts of risks organisation-wide. From printing and leaving CVs ‘lying around’, to sending sensitive customer information. Everyone within an organisation has to deal with it.
Sending around a short knowledge test periodically keeps the topic topical and collects a lot of data with the right questions. For instance, by asking people to select the GDPR pitfalls with a pointer question, they start thinking actively and analysing the situation. And because they receive immediate feedback after their answer in the form of a knowledge flash, their risk awareness is immediately raised. Heatmaps reveal where employees clicked often or less often. Knowledge gaps, and therefore risks, are immediately revealed this way. This can lead to additional measures around risk management (controls), learning programmes or other actions.
“In summary, an effective risk management system provides a set of applications that supports everyone in your organisation in better and more comprehensive evaluation of risks. Indeed, more data from different perspectives makes the overall risk profile more valid and reliable,” Marieke explains.
In easy terms, it means introducing thermometer moments, checking whether professionals on the shop floor are actually complying with control measures and whether risk awareness is well established. Resources such as issue and incident management, audit management and microlearning are suitable for this purpose. This creates a continuously improving organisation in which all layers add value. And then integrated risk management really works as a driver for success.
Request the brochure to have all the information easily to hand.
Want to see for yourself what Zenya RISK can do for your organisation?
Read all about it on our Zenya RISK page. On this page, you can also request a free demo.