Controlled growth, responding to external changes and making risks an integral part of everyday decisions; that’s what Integrated Risk Management (IRM) is all about. Therefore, it is not surprising that we see the trend of the business or shop floor playing an increasingly prominent role in IRM.
Intelligent and short self-assessments are increasingly being introduced to actively involve the business within the so-called ‘three lines’ model. As a result, it is no longer mainly the second (Risk & Compliance Management) and third line (Internal Audit) that are responsible for adequate risk management. Instead, a collective awareness of the usefulness and necessity of risk management arises by involving the people who experience the most ‘pain’ when risks occur.
However, many organisations struggle with how the precious time of this first line, also known as the business owners, is minimally burdened and maximally used. We see plenty of opportunities for this, precisely by involving everyone in the organisation.
Ensuring and demonstrating that the organisation is in control is the main reason for performing control tests frequently. These are often self-assessments intended to determine the effectiveness of existing controls. However, a certain degree of risk awareness, and therefore a certain degree of risk maturity, is required from the business to perform this task meaningfully.
Getting IRM into the heads of all levels, therefore, appears to be one of the biggest challenges for many organisations. Traditionally, self-assessments or other forms of control testing are carried out according to a fixed format. Deviations from the expected result are recorded and dealt with like issues. This is where the problem lies. Issues lead to improvement measures or other activities that must be carried out and monitored. As the size of the organisation increases, maintaining an integral overview becomes highly complex.
In our opinion, it is precisely the people on the work floor who can provide daily input and increase the value of IRM. Perhaps not always in the risk analyses themselves, but by involving them in periodical checks and offering them the possibility of simply reporting various incidents. Think of reports of (near) incidents, deviations, improvement suggestions or complaints that provide valuable input and serve as input for IRM. This creates a continuous flow of insights from the business, taking risk management to the next level.
More data from different angles makes the full risk profile more valid and reliable. It enables organisations to:
Involving the business and converting their input into valuable insights stands or falls with the design of an adequate IRM system that goes beyond merely recording and managing risks. Ideally, organisations should therefore use an integrated solution in which topics such as issue management, incident management and audit management also have a place in addition to risk analysis and control testing. Making these components an integral part of the IRM tooling creates practical insights thanks to (real-time) dashboards.
These insights can then provide direct input for identifying and evaluating risks and control measures. These insights can also be used to increase risk awareness. By sharing dashboards on the shop floor (and in the canteen), people can see their actions’ positive or adverse effects. This way, your organisation grows in risk maturity!
In our practice, we see another powerful tool to increase risk awareness on the shop floor. This involves the transfer of knowledge through short questions and knowledge flashes. Take the example of compliance with safety or hygiene regulations, two divergent themes that play a role in many organisations. Practice shows that the effect of newsletters, manuals or (classroom) learning programmes is minimal. Knowledge only sticks if it is directly applicable. Therefore, the new learning is shifting towards on-the-job microlearning in the form of short, digital training courses and tests.
For example, let’s zoom in on a subject such as GDPR, which entails all kinds of risks across an organisation. From printing CVs and leaving them lying around to sending sensitive customer information. Everyone within an organisation has to deal with it. By periodically sending out a short knowledge test, the theme remains topical, and with the right questions, much data is collected. For example, by asking people to select the GDPR pitfalls through a pointing question, they will actively think about and analyse the situation. And because they receive immediate feedback after their answer in the form of a knowledge flash, their risk awareness is immediately increased.
Heatmaps show where the total population clicked frequently or less frequently (see figure). Knowledge gaps, and therefore risks, can thus be made immediately clear. This can lead to additional controls, training programmes or other actions.
An effective IRM system offers a set of applications that supports everyone within an organisation in better and more comprehensive risk evaluation. More data from different angles makes the overall risk profile more valid and reliable. In human terms, we are talking about introducing thermometer moments to check whether professionals on the shop floor comply with control measures and whether risk awareness is well established. Tools such as issue and incident management, audit management and microlearning are incredibly suitable for this purpose. This creates a continuously improving organisation in which all layers of the organisation provide added value. And then IRM really works as a driver for success!