Bringing risk to life in your organisation
Organisations are increasingly investing considerable time, effort and resources into ensuring that risk is properly managed and that robust risk management, appropriate for the complexity of the organisations, is being implemented. A key requirement of the implementation is often being overlooked by management in the belief that simply adopting a robust top-down approach to risk management will embed an approach to risk throughout the organisations. There is so much more to bringing risk to life for employees so that risk management is embedded into the business. Training and communication are key tools to achieving the desired success and I share insights here why both are important to address and how to go about it.
Organisations where risk management is failing to embed properly are characterized by a failure to “hardwire” it into the organisation so that when employees act it is in a way that is consistent with the risk management policy and in line with the risk appetite of the organisation and that they do so repeatedly over time. In addition, employees must do so regardless of factors that might ordinarily upset that approach, for example employee turnover or significant interruption of normal activities. Only when the organisation’s expectations about how their employees behave in relation to risk has become “the way we do things around here” can managers lay claim to fully embedded risk management.
So what then is the key to bringing risk to life for your employees that will help to “hardwire” risk management into your business?
It’s all about changing individual behaviour
If those with responsibility for risk in organisations start with the end in mind when considering what embedded risk management looks like and include the knowledge, skills and behavioural responses for the employees, consistent with the risk appetite of the organisation, then a series of long-term actions, heavily dependent on training and communication, is revealed that leads to an organisational culture where risk management is integral and pervasive because the collective behaviour of employees is changed.
Also, the knowledge, skills and behavioural requirements for embedded risk management can be included into the learning evaluation approach from the outset. Doing so provides a valuable additional measure of the traction and transference being achieved in efforts to embed risk management.
Think about the human factor
Collective individual behaviour in relation to risk will not materialise simply by implementing a risk management policy, resourcing a team and assigning responsibility for risk management to it and by putting effective controls in place that assist with reporting variances. Rolling out a risk management framework top-down will improve the traction but also not guarantee it is embedded. Employees are human and operate individually instinctively. In the collective context where people come together in a workplace – your workplace – for the purposes of risk management that collective behaviour needs parameters. By supporting the implementation of risk management with a programme of thorough and relevant training, learning and development those parameters, guided by relevant and appropriate knowledge and skills, are defined. The long-term effect will be to ensure that collective actions over time operate within the risk tolerance of the organisation and become a matter of course.
This is true for any size or nature of organization. The rule of thumb is: if the organisation is large enough to employ multiple people and worry about optimising risk transfer (e.g. secures insurance for uncertain events) then it is large enough to use learning, including training, and communication to support the embedding of risk management into the culture so that it becomes ‘the way people do things around here’.
Critically, it is not just when considering risk at the strategic level for the organisation that the people and culture issue arises. Consider this likely scenario: I am an employee in a mid-sized organisation where the senior management takes risk management at the strategic level seriously, so that everyone employed there avert negative risk and realise every opportunity. As an employee, I will be faced with decisions that will reference that appetite or tolerance to risk as I go about my general duties. I may also be faced with specific additional risk because of what I am employed to do for the organisation– examples might include financial, operational and hazard type risks. I need to be prepared for dealing with risk of every type that may affect my ability to perform optimally.
Engage the people with risk
Central to the set of long-term actions is the need to engage the people of the organisation with risk so that critical mass is achieved. Managers must role-model the required behaviours to set the example and be held accountable for their actions. This must be supported and built up with regular, planned communication emphasizing: the implementation of risk management and the risk appetite; relevant knowledge, skills and behaviours required; and finally, collective parameters for risk in the organisation. The word “engage” implies communication – face-to-face workshops, focus groups and interactive sessions are best, backed up with a regular stream of update communication using media and channels appropriate to your business.
Delivering on risk training needs
With a thorough assessment in hand of needs and a matrix of requirements determining the knowledge, skills and behaviours for each risk issue by type of risk, you can now turn to matching available training and learning solutions and resources to those requirements.
Always start by giving employees the relevant risk management knowledge (‘what’). Areas that must be addressed include: understanding of risk and risk management; risk management process – risk assessment, risk reporting, risk treatment/control and monitoring; relevant specific knowledge of the type of risk or risk responsibility in relation to the specific organisational responsibilities and duties. Examples might include general understanding of risk in an organisational context; specific alternative risk financing knowledge for the CFO; risk assessment knowledge for H&S coordinators.
Moving on to giving employees the relevant risk management skills and behaviours (‘how’) presents a different challenge. Public open courses are unlikely to be able to achieve transference of ‘what’ into ‘how’ due to the challenges of delivering content to people from a variety of backgrounds, sectors and organisations at one time. The solutions invariably involve bespoke in-organisation training and learning opportunities that are more closely tied to the particular requirements of the organisation.
Special consideration of appropriate methodologies for training (classroom, e-learning, workshop-based, practical, on-the-job) will be influenced by the particular organisational size, nature, context and culture; unique organisational language/terminology prevalent in every organisation; and fit with the strategic priorities of the organisation. Solutions will be available from supplier companies that are engaged in support of risk transfer activities for organisations. They involve coordinating specialist skills with the requirements of dynamic learning or, if the organisation is large enough, by bringing the skills of the L&D and Risk Management department together to develop bespoke in-house material. These solutions will include technology and clever design with experienced facilitation to engage participants and ensure maximum application back into their jobs.
The upside of risk and success
Remember too that risk can also represent an opportunity! An embedded, enabling risk management culture will ensure that an organisation’s people are both in control of the negative risk impacting on the organisation and spotting opportunities in risk, both of which are critical to long-term organisational performance and success. What does success look like when an enabling organisational culture has risk management embedded into it?
The risk training and communications plan will deliver employees with specific risk management responsibility who know about the organisation’s approach to risk and its upside (context), appreciate risk in relation to what they should do, and do what they are required to do by the risk management policy and framework to mitigate risk in the organisation and realise every opportunity presented. They do so as a collective and repeatedly over time.
A planned programme of learning and development about risk and risk management in relation to the needs of the organisation will ensure that employees embed the expected risk knowledge, skills, and risk mitigation behaviours in relation to the requirements of their roles and the organisation.
Brett Dorney, Director, Aretai Risk Management Consulting Ltd (adapted from an article first published in Strategic Risk magazine, Sep 2007)
- Risk Management