Risk management needs to become part of the way business is conducted. Embedding risk management in the regular, daily affairs of the organisation is not an easy task and requires continuous effort. To achieve this measure of acceptance may take some time; however, a number of steps can be taken to help the process
SUPPORT (Sponsorship) from the Top
The implementation must be sponsored at board level and positively supported by all senior people within the organisation. There are a number of ways this can be done: presentations, devising a risk policy, inclusion on agendas
Every organisation should have a risk management policy, whatever the approach by the organisation is to risk. Such a policy should be formal and set a framework within which an organisation has to implement its risk management responsibilities and processes. The policy should include:
- Objectives and the overall purpose of risk management for the organisation (statement of intent). There should be links to other policies, for example audit (internal and external), control, governance, conduct, insurance and so on
- Responsibility for risk management should be clearly set out at board, management and operating levels. This should be repeated in specific functionresponsibilities and job descriptions throughout the organisation.
- If there is an audit and/or risk committee in an organisation their responsibilities for risk management should be clearly stated in their terms of reference. This applies also to internal audit and any other internal or external assurance activity
- Risk appetite, the level of risk the board is prepared to accept to achieve its objectives, in specific circumstances or possible events. Indicating the levels of control that are needed to mitigate against specific risks
- An explanation of the key components that sets out the overall approach to risk management, including the commitment of resources (staff and information systems), training and development
- It is necessary for key risks to be considered on a regular basis and reported up the hierarchy as required. Designated managers at various levels report upwards (on either a quarterly of half yearly basis) on the work done to keep risk and control procedures up to date and appropriate to circumstances within their particular area of responsibility.
- A common risk language, defining the terms to be used
The organisation must develop a clear articulated and communicated strategy, explaining how risk management will operate according to an implementation plan (timetable). This will be consistent with specific responsibilities and roles set out within the policy
Risk management must be linked into other activities as a matter of routine, such as business plans, project plans, team meetings etc.
Risk management must be a high priority for everyone in the organisation and must be clearly built into both departmental and individual performance objectives.
Linked to strategy there needs to be in-house expertise and sufficient resources within the business in the form of an organisational structure
TRAINING & EDUCATION (SKILLS)
Training and education are needed to help people understand their role as well providing explanation and practice of the process. This helps to ensure consistency and should be based upon clear guidelines and a simple working method that is effective. The method for identifying and assessing risk must be easy to use and not be an end in itself
A good way of helping the process is to run risk workshops. The McKinsey’s 7 S framework is a good basis for developing a risk culture