The risk management field has come a long way since its roots in insurance. We no longer think about risk treatments purely in terms of insurance. We think about enterprise risk management rather than just operational or project risk.
There have even been debates about whether risk management is an “art” or a “science”.
But when asked to improve risk management, many of us still turn first to improving documents (whether it be policies, processes, templates, frameworks, or matrixes) rather than looking at the people.
These documents are important, but they’re not the whole story. If improving policy and process isn’t accompanied by trying to change people’s behaviours, it can be wasted effort.
I’m not just talking about training your staff on the ISO 31000 process. This is important, but in isolation, it can result in your people wondering how they fit this into their day job.
“I understand the process, but I still don’t know what I’m supposed to do when I get back to my desk,” somebody once said to me after attending an external risk training session.
That offhand comment really resonated with me. Most risk training courses are very good at teaching you the academic theory behind risk management, telling you step-by-step how to establish your context, identify risks, then analyse risks.
But in reality, this doesn’t always help you in your day job.
This might come as a surprise, but I don’t always use the typical seven-step risk management process made so well-known by ISO. In a previous role, I managed risks by doing SWOT analyses, running a workshop to identify future challenges and opportunities, or using risk principles to design a process. Other times, I find it’s better to step through the full seven-step process.
I don’t think there’s a perfect way to manage risks. In fact, I think sometimes, we can get ourselves tied up in thinking about “risk management” as a scientific discipline, rather than thinking about the skill of “managing risks”.
What I do find useful is thinking about a series of risk behaviours that people need to stop or start doing:
I think about these behaviours in every decision I make. In that way, I make sure that I’m thinking about risk all the time, rather than just when I’ve set aside time to walk through a seven-step process.
So whether you view risk management as “science” or “art”, it’s vital to remember that people are managing the risks and that if they don’t understand the why and the what, then you won’t get the value you want.
And my personal view? I think that risk management is on that fine line between an art and a science.
“Changing people, not documents” is the first in a series of articles on corporate governance. Coming up next month is an article on facilitating planning and risk workshops.
Callida © 2018 all rights reserved