Are you convinced of the importance of integral risk management in your organisation? Then it’s time for the real work. We explain the 6 steps you can use to invest integral risk management within your organisation.
Risk management requires time, but everyone is busy. We find it hard to distance ourselves from things and there is no time for proactive analysis and research. This makes interventions almost impossible. This can lead to unnecessary costs or other upsets.
If you involve people in risks beforehand, this has a positive effect on alertness and willingness to report incidents. So create time and attention for risks, and include people in your story. This will make risk management a lot more efficient and easier in the long run.
Sometimes discussion arises, whether the right risks have been identified, when it doesn’t have to be all that difficult. If, when creating a risk register, we take as our starting point that we need a ‘relevant’ list, rather than a ‘complete’ list, then it all becomes a lot easier.
So how do you create a list of relevant risks? By attaching the risks you want to include to objectives. This makes the risks you want to manage really relevant: the outcome depends on them.
When people take ownership, everything changes. By taking ownership, we mean taking responsibility, and being regularly accountable at the risk level.
The point is: risk management is not something you can do on your own. Integrated risk management is carried by all layers of an organisation. So successful risk management also depends on the involvement of all employees. So how do you make sure employees are involved?
Make use of a network of informal risk leaders, for example. They set the right example, while others look up to them. And a good example tends to be followed. When you give ownership to the right employees, you create support and power, right through your organisation.
Remember to regularly ask these risk leaders for feedback on what is needed, or what the status of a particular risk is. This is also a good way to keep people engaged.
Many organisations still conduct risk management in Excel. This often involves dozens or even hundreds of risks, all neatly categorised. That is a nice inventory, but to do something concrete and active with it is often more difficult. Such a list also runs the risk of being updated less frequently.
Making such a list once is fine, but this is not active risk management. Active risk management is a continuous process where risks come and go as objectives change.
A best practice for the risk manager is to structure consultations and accountability. Schedule such a consultation for accountability on a quarterly basis, for example. Then set up questionnaires with risk management software, for example, and periodically check with responsible parties and risk owners for each project or department.
With the right software (such as the Zenya software suite), making risk management a recurring process is easy to plan and automate.
A list of risks does nothing. What matters is getting information through data and feedback on how effective the measures are in practice. Do they work, reducing the chance of the risk occurring or reducing the damage? And how much does it cost to implement the measures, so that you can weigh up whether those costs are justified in relation to the costs when the risk occurs.
Measures often refer to documents, policies, work instructions, etc. These are not sufficient to act as management measures for risks. This is because these measures do nothing. They are descriptions, static measures. An example here:
During a FAFS or first aid course, you learn how to perform CPR, how to put someone in the stable side position and how to extinguish different types of fires, among other things. The certificate you get is valid for 1 or 2 years, after which you go on repeat courses to refresh your knowledge. But, hardly anyone will remember exactly how things were.
An app or a book with protocols for emergencies will give you something to go on. But for someone who has never had a course, such an app or protocol is not very useful, because they lack the basic knowledge. So an active measure is a short exercise carried out periodically.
In determining the right measures including checking effectiveness, it is important to perform only those checks that are considered useful, and that no checks are done just for the sake of checking themselves. After all, this does not help the owner’s sense of responsibility.
Your carefully built reputation can be ruined very quickly in this day and age with social media. So agree with employees on how to communicate about risks, calamities and incidents. We wrote above that we see that talking about uncertainty is difficult. Talking about incidents is even more difficult. But the days when you could solve mistakes internally without the outside world getting wind of them (aka shoving them under the carpet, or covering them up) are well and truly over.
In other words, it’s better to communicate openly and honestly yourself than to have it come out any other way. For this, it is therefore important to agree on who will communicate what, should it come to that. Furthermore, ensure that you always include the possible consequences for image when performing risk analyses.
Contact our experts without obligation! We will be pleased to brainstorm with you.