Posted initially on LinkedIn: Claudia Craia
When I started in my first risk management role, one of the first things I heard, many times, was “to be successful, you will need to integrate the risk management activities into operational plans and activities.”
I am a person who acts. So, I immediately googled something like “How to embed risk management in the organisation?”. To my surprise, there was little practical advice there.
This post is about what I learnt from truly embedding risk management within the organisation.
Firstly, you should understand: what does it mean? What did those people mean? These are the first questions you should ask yourself.
What I do very often is to ask! Yes, I am now old and experienced enough not to be afraid to ask 😊.
So I asked: what do you mean by that? What are you thinking of?
The answers you will get will help you get started more than reading online.
In my case, embedding the risk management activities within the DNA of the organisation meant:
💡 Involving as many people as possible in the (monthly/quarterly/semi-annual) risk assessment process: experts in their business area and control owners (even better if they are different from risk owners).
💡 Acknowledging that there is more than one instance of the risk management process. For example, there is a risk management process in projects, one in strategy planning, one in product design and implementation. Introducing risk management routines in these processes. The most common routine is a risk assessment activity.
💡 Creating my own process to identify emerging events. These can be a regulatory change, a new standard that applies to your business (e.g., DORA), or a new initiative. Getting involved in those initiatives and ensuring they all include a risk assessment process.
💡 Creating a cost-benefit analysis framework to help with decision making. Should we address this risk in a project? Yes, if the benefit of addressing the risk is greater than the cost of addressing it. Making this framework easy to understand and perform.
💡 Being structured and creating a structured process. A structured process will attract followers and fans for the risk management discipline.
💡 Keeping it simple and to the basics. Simple: do you really need to put all those templates in the process? Are they bringing value? Basics: risk and opportunity management sounds great. However, if the Risk Management Leader deals with the opportunities as well as risks, what else would your Chief Strategy Officer or Chief Operating Officer do?
One of the best pieces of advice I can give is this. Yes, “integrate” risk management BY finding ways to operate risk management TOGETHER with THE other processes in your organisation.