Risk management challenges #4: Integration
As a risk management coach, I see first-hand some of the challenges organisations have when it comes to risk management. Many of the challenges are recurring and seem to be present regardless of times and trends. Other challenges come with changes in standards and expectations from stakeholders.
The new ISO 31000:2018 places great focus on the integration of risk management into the organisation's processes. Furthermore, integration between different management systems has become easier now that standards such as ISO 9001 for quality management systems, ISO 14001 for environmental management systems and the upcoming ISO 45001 for health and safety management systems all follow the same high-level structure.
Synonyms for integration are fusion, combination or blending. From a management systems perspective, integration helps align our management systems in order to be more effective. From a risk management perspective, integration is about information and action on all levels.
The integration challenge in risk management is twofold. We have to ask ourselves: how do we create a culture where risk is something that is identified and acted upon at all levels of our organisation and in all activities? In other words, how can we ensure that our leaders use risk management techniques and systematic methods to evaluate which factors introduce uncertainty and how these factors might affect the overall goals of the organisation? And how can we train employees to identify, evaluate and handle threats and opportunities that appear in their field of vision?
On the other hand, risk management integration means that risk management is a constant activity. To succeed in risk management integration, organisations have to, to some degree, move from running monthly risk meetings to a more constant flow of risk identification and evaluation. The monthly touchdown may not be obsolete, but there should also be a constant question appearing in operations and conversations: What are the risks in this specific situation, and what can I do about them?
My usual formula for risk management integration looks something like this:
Training (top to bottom and back)
Establishing common ground (across the organisation)
Patience and continuity mindset
Management focus (make risk mindset a requirement from leaders to employees)
Empowerment to act (ensure that people feel safe to act and report upon risk and current challenges)