Guest Post by Peter Holtmann (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
This article is the third of fourteen parts to our risk management series. The series will be taking a look at the risk management guidelines under the ISO 31000 Standard to help you better understand them and how they relate to your own risk management activities. In doing so we’ll be walking through the core aspects of the Standard and giving you practical guidance on how to implement it.
In our previous articles (1st, 2nd) we introduced you to the core elements of the risk management framework. This included integration, design, implementation, evaluation, improvement, and the role of leadership and commitment.
In this article, we’ll be looking at integrating and adapting the risk management framework to your organisation. In particular, we’ll be focusing on how you can best understand your organization’s structures and context, appreciate the role of governance and strategy, appreciate risk management accountability, and the importance of being iterative and dynamic with your approach to integration.
So, why is integration important? Well, risk management doesn’t work well when it’s disjointed. For risk management practices to work well, they need to be cohesive and in tune with the rest of the organisation, and they need to be a part of all other parts of the organisation. Failing to have integrated practices can lead to poor decision making, which increases your risk exposure. When we’re able to address each of the factors that we identified above, we’re able to have the best opportunity at successfully managing risk within our organisation.
Understanding your organization’s structures and context
Firstly, we’ll begin with getting you to grasp a solid understanding of the structures within your organisation. There are three steps to understanding your organisation’s structures and context.
The first step is to begin by recognising your organisation’s structures. Structures in this sense can include the likes of organisational hierarchies, functions, and the networks within it. For example, you might begin with recognising a risk management reporting line that spans across different hierarchical levels of your organisation.
Once you’ve identified the structure, the second step is to then ask yourself about the purpose of the structure. This includes questions like ‘what does it do?’, ‘why?’, ‘is it effective?’, and ‘how can it be improved?’. If you work in a large organisation, you may find that there are a number of different structures that interact in quite a complex manner, so this step may be a little more tedious than that for smaller organisations which typically have simpler structures. Regardless of the size of your organisation, starting with simple questions like these can be the best way to help guide successful risk management integration.
Once you have a solid understanding of the structures within your organisation, the third step is to consider them in the context of your organisation. Giving thought to context is required for successful integration as it helps recognise barriers to integration. You then have the opportunity to design strategies to overcome those barriers.
This requires giving thought to both your internal and external operating environments. For internal environments you should be considering the effect that current structures have on that environment. For example, this can include whether a reporting process is too complex so your workers don’t report at all. It can also include giving thought to your organisational goals, and how well current internal structures align with those goals.
For external environments, you could consider market forces such as what others within your industry are doing in terms of risk management, as well as what you can learn from them. This doesn’t just include competitors, but can also include risk management bodies such as the ISO. You may also like to look at what your suppliers are doing in terms of risk management, depending on what industry you work in.
Regardless of the size of your organisation and the industry you operate in, your actions towards integrating the risk management framework needs to be relevant and context specific.
If you work in a small organisation, there is no benefit to creating complex risk management structures that exceed the needs of your organisation. By the same token, if you work in a large organisation, there is little benefit to oversimplifying your approach when you know the complexity of your organisational structures.
In any event, ensuring that you effectively integrate risk management into your organisation begins with having a solid understanding of its structures and context.
Governance and strategy
Governance is the steering head of your organisation. It helps to inform the decisions you do and don’t make, it regulates the relationships within and outside of your organisation, and it also ensures that the purpose and goals of your processes and procedures are being achieved to the best of their ability. In essence, good governance is holistic and doesn’t focus explicitly on one particular aspect of an organisation to the detriment of others. Rather, it gives consideration to each of these aspects in the context of the organisation as a whole. It is also key to helping to effectively integrate the risk management framework.
For good governance to be effective, it needs to work closely with your organisation’s strategy. This is because good governance informs your strategy, and strategy is a tool for good governance objectives to be executed. This assumes, firstly, that you actually have a strategy. If you don’t, you should build one. This is because strategy is particularly relevant to guiding how an organisation can perform well with its risk management activities.
Together, governance and strategy can help respond to the understanding that you built of the structures and context of your organisation. They work hand in hand, and together they can work to guide you in integrating the risk management framework to the best degree possible.
Determining risk management accountability
Your organisation’s people are central to effectively integrating the risk management framework. This is because everyone within your organisation is responsible for risk management. If they’re at the top of your organisation, they’re responsible for risk management. If they’re at the bottom of your organisation, they’re responsible for risk management. Without this holistic approach to accountability, your risk management practices would not integrate well.
Now, while everyone within the organisation is responsible for risk management, you may choose to have someone explicitly dedicated to such a role. This may take the form of a safety officer, for example. This may be a more feasible option for larger organisations, whereas smaller organisations may choose to integrate aspects of such a role into current positions. Explicit allocation of risk management can be achieved at any level of your organisational structure, and as we touched on briefly before, can help to create reporting lines across different levels of the organisational hierarchy which then vertically reinforces integration within the organisation.
Whether or not you choose to explicitly allocate accountability for risk management, you need to have effective and relevant structures, procedures and processes in place to support your team in managing risk, whether it is explicitly their job or not. As we mentioned previously, your choice on this matter will depend on the needs and context of your organisation.
Being iterative with your approach
Risk management integration is a dynamic and iterative process. It requires feedback to be taken from those within and outside your organisation to help recognise risk management pitfalls and then design proactive strategies to address them. This is essential for ensuring that your approach remains continually tailored to your organisation’s context, needs, and culture, of which can change over time. There’s no benefit to having risk management mechanisms in place if they’re not relevant or not effective to their purpose. If it doesn’t integrate and remain integrated, you don’t want it.
Integrating risk management frameworks into your organisation can be tricky. It requires considerable attention to be given to your organisation’s structures and context, governance and strategy, accountability functions, and iterative processes. When these factors are effectively attended to however, we give ourselves the best opportunity to integrate risk to the wants and needs of our organisation.
If you have any stories – good or bad – about how you’ve integrated the risk management framework into your organisation, I would love to hear them.
If you’re looking at integrating the risk management framework into your practices and procedures and would like some guidance or a conversation to help you on your journey, please contact me. I’m more than happy to guide you.
About the author
Peter is the Founder and Director of Holtmann Professional Services, a global provider of executive coaching, business excellence consulting and career path development. Peter has 20 years of experience in executive roles and has been the President and CEO of a global non-profit. Peter has written for many journals and blogs, is a keynote speaker and is a champion of prosperity through excellence of leadership.
If you are interested in working with Peter, please reach out to enquiries@holtmann.com.au.
Leave a Reply