For low-risk and medium-risk institutions, implementing risk management is a relatively easy task. The Accounting Authority / Officer will issue an instruction that a risk assessment must take place, that a risk management plan must be drafted and that a follow-through process on the outcomes must be arranged within existing structures. Most of this activity will occur within the ranks of senior management and there is usually little difficulty in applying risk management at these levels.
High-risk entities, however, and those entities that need to implement a reasonably thorough process of risk management at all levels, face a different set of potential challenges.
Some members of staff may regard risk management as just bureaucracy with no value. Some staff may be resistant to adopting new risk management processes. The importance and benefits of risk management may not be understood.
Accountability for risk may not be clear to management, and risk management may be regarded as a series of processes rather than a series of behaviours.
The desired outcome is that managers are proactive with risk management. They will see risk management in a positive light. Senior management should be role models for desired behaviours.
Senior management encourage factual reports and they know that risk management is a leadership competency. These objectives can be achieved through simple change management techniques which are outlined below.
3. Communication and training
Risk Management in its current form is a relatively new management science. Many managers are not familiar with its principles, aims and techniques. It is therefore important to provide a communication and training plan as part of the risk management implementation process.
Risk management is a series of processes but it is equally a series of behaviours. Risk management only thrives to the extent that managers actively use its processes. It is mainly a function that operates at a management level, so it is not usually appropriate to embark upon a mass communication campaign to every employee. This may be appropriate for certain risk-related modules such as safety, but is rare in the case of entity-wide risk management.
The risk management communication campaign usually takes the form of short awareness sessions and presentations to departmental managers or regional management teams. These can be performed during existing or scheduled management meetings in order to minimise disruption.
Importantly, the risk management coordinator or risk officer needs to have a communication strategy to support this initiative. At the core of the program is the need for the central coordinator to have open communication channels to risk champions and risk officers.
The training needs of the institution will normally vary between different management levels. Senior management normally need little more than a short orientation around risk concepts and principles. Departmental risk officers often require a two-day training course on risk management practicalities.
Decide on communication and training objectives, such as increased risk awareness, compliance culture and risk management incentives. Risk management does not necessarily come naturally for many managers, who often need to understand the background to the function as well as their individual responsibilities.
A carefully crafted plan of communication, training and awareness therefore must be devised. The plan for circulating risk management knowledge and information should be aligned to the institution's existing means of organisational development and learning.
Select and implement the communication and training measures. These may include risk management training, awareness conferences, performance measurement, incentives, marketing materials, intranet information and the incorporating of risk responsibilities into management activities.
A positive approach will encourage management's support and participation for the risk management initiative. Opportunities to clarify roles and responsibilities should be encouraged and the value proposition of risk management clearly communicated.
Consider the use of research techniques (e.g. questionnaires) to measure behaviour change. Surveys can be conducted prior to starting the risk management activities in order to gauge the level of risk awareness and risk management understanding. Follow-up surveys can be carried out to see the degree of progress made with risk management. This has proven to be a valuable means of determining whether the risk strategy has succeeded.
Establish communication processes between different risk management functions. Experience has shown that it is valuable for the different risk management functions to streamline their respective reporting and communicative processes. In addition, it is often found that duplication of effort between auditing, compliance and assurance processes can be addressed by clarifying roles. The different risk disciplines must identify potential cause-and-effect relationships between their respective areas.
4. Management commitment
Management has to make the risk management plan work. It is therefore essential to work with management to design an implementation plan that will elicit the support of managers across the institution.
This may include a study of organisational charts, decision making processes and authority frameworks to determine how risk management would best be introduced into management activities. The existing lines of reporting and levels of decision making will support this process. The human resources manager can clarify how the institution assigns management responsibilities, accountability and authority.
In addition to providing leadership for the risk management plan, senior management must commit resources to the various tasks and activities. Structures and forums can be created where risk management matters can be aired and managed in a constructive climate.
Many institutions incorporate risk management objectives into scorecards and performance management processes. A good culture of risk awareness and response will allow transparency of risk decisions, make risks visible to the institution, and provide a climate of risk and control improvement.
Management may deem it necessary to conduct a skills and competency evaluation for the staff who lead the risk management process. Managers with risk responsibilities need an awareness of the risk management plan.
Risk awareness is a cultural trait that should prevail throughout all entities. An evaluation of staff competencies in risk management can be achieved with different levels of detail and formality. The institution must build risk management competencies in order for the initiative to succeed.