Sunday, 13 March 2016



Risk Management: the missing culture and behavior?

Most of us are aware of the ISO 31000 principles for Risk Management: the creation of a framework, risk assessment workshops, risk categories and registers, mitigating actions, monitoring and reporting. This is an oversimplified summary of an excellent set of guidelines which is globally respected.

Ultimately, such principles and approaches should result in a change in how risks are managed at the executive top tier of an organization. They should further result in behavioral changes among middle management and supervisory personnel. And in a company with mature risk management, the resulting behavioral change should be observed at the broadest workforce levels. Such an entity is considered to have a strong risk management culture.

For many nuts-and-bolts companies, safety is considered a top-priority risk. It has taken companies many decades to develop a safety risk behavioral culture, and most are still trying to find that reasonable "managed level of risk". Safety mitigation initiatives generally require a high investment of time and money, which continues towards infinity as there may never really be an end.

It may not always be possible for other top risks (market share, fraud, cyber-attacks, compliance, etc.) to reach the same integrated and embedded risk culture status as safety. This is probably due to the high cost and time required to address each of them as an individual risk. However, should a generic risk management culture and behaviors be achieved, this would encompass all those risks and thereby deliver a broader, more sustainable solution to managing risks.

Imagine an organization where everyone, and I mean every employee from the production plant to the CEO, constantly thinks about risks in their area of work, thinks about mitigation steps and takes the required action. Now imagine all employees considering risks outside of their focus area of work and raising their views, which result in actions. Imagine this taking place seamlessly as an organizational or an individual behavior where risk management is owned by everyone. Now that is the reasonable "managed level of risk" that shareholders and board directors should want to achieve for a sustainable future.

How many business leaders can say of their organization, "This is what we work towards, and achieving an embedded risk culture is no longer a risk"? Or is your company still just operating a risk management system? Managing risks should be a cultural and behavioral journey for everyone in an organization, and should also require higher investment to progress through this change cycle.

Written by Dipesh Narsai





 
