Risk management as a change programme
Building on earlier insights into the role of training and communication in embedding risk management into the behavioural DNA of an organisation, what follows is a synopsis of the ten key levers for implementing strengthened risk management practices as a true people-led change management programme:
- Be clear about the reasons for managing risk throughout the organisation – including compliance requirements, regulations, competitive pressures, contractual expectations, stock exchange, ratings agency or analyst expectations, public sector governance requirements, desire for good management and optimum opportunity management. Ask yourself the question: “Can I articulate a clear set of drivers for why this business must manage risk?”
- Start with the end in mind – define the future reality for managing risk in the organisation and the outcomes you wish to realise, in both organisational and behavioural terms for employees, and identify training and communication metrics to assist in measuring success. If necessary, engage specialists to help you to articulate these goals, and in particular the outcomes; doing so will help to shape all your efforts going forward. This step is critical to ensure that you can continually monitor your efforts and the progress being made, and it gives you a “helicopter” view of risk management in your business.
- Define the organisation’s audiences for risk management – this is the point at which many mistakenly start. Identify the roles and/or groupings of people that need to understand and apply risk management to what they do. Examples might include what the board needs to know about corporate governance and how to manage strategic risk, what employees engaged in manufacturing or production activity need to know to perform safely and how they should behave, how staff involved in running key projects must evaluate risks in their projects, and how managers must consider and mitigate risk in their planning activities.
- Engage employees on their attitudes and perceptions of risk – through interviews, workshops, focus groups, and surveys. If this is done as part of early communication with your employees, it will make addressing any gaps much easier in future. Ask interested applicants about their risk appetite during recruitment interviews, and regularly poll employees about their experiences of managing risk in your business.
- Articulate a clear risk management policy and a communication plan that supports it. Include specific reference to risk appetite or tolerance for risk. You must set out your stall about risk management clearly in the same way as any other policy issue in your business – write it down and assign someone ownership for keeping it up to date. The same is true of the required communications to support your efforts. This need not be arduous and should be done in a way that fits your business – use your personal assistant or receptionist or whoever puts together your internal communications for you. Ideas for communication can include an article in your company newsletter, including it in any employee surveys that may be carried out, using email and team briefings, and referencing it in your briefings/forum/town-hall meetings with your staff.
- Roll out risk management in a top-down manner, supported with workshops and the communications plan, for each audience grouping to ensure knowledge of requirements for change at each level. Build in what has been learnt from step four.
- Hold relevant people accountable – ensure their performance metrics include risk management accountabilities and make performance matter. If you say you are going to hold people accountable for it then do it! Managers in your business must set the example to the rest of the business.
- Identify a matrix of the risk learning and development (L&D) needs, with knowledge, skills and behaviours on one axis and the risks faced by employees on the other axis. Include the behaviours defined in step two.
- Link into existing training needs assessment processes – avoid reinventing the wheel, but ensure that the gaps between what people need to know in relation to risk, the skills they should possess and how they should behave, and the current reality, are determined. So, if you have job descriptions and a performance management and development process, update them to include risk where relevant.
- Deliver the risk learning and development plan and solutions to address the gaps. This can be as part of a broader training or L&D plan or stand-alone. Be creative about using all sources of learning and training that suit your organisational requirements. Options might include formal classroom training, online learning, professional qualifications required for competence, free seminars by experts, conferences, workshops, job shadowing, lunch and learns, toolbox talks delivered by partners or suppliers, or the intranet or internet.
Brett Dorney, Director, Aretai Risk Management Consulting Ltd