Thanks for the question, brave_Michael.

You are absolutely right, there are causes that relate to multiple risks. What we need to recognise, however, is that they may be the same causes but the controls will differ.

To illustrate: We have 2 risks in the same organisation:

Risk 1: Wrong body issued to a funeral home from the mortuary

Risk 2: Inappropriate invoices sent to next of kin

Both of these risks could have these causes:

a. Lack of training of staff
b. Lack of supervision and oversight
c. Failure to follow policies and procedures.

Where we see the delineation is in the controls.

In the first risk there would be very different training requirements to those in the second risk and these need to be highlighted specifically in the controls.

So let’s look at the specific examples you provided:

Inadequate change management is definitely a cause and not a risk, as is inadequate people management.

But as you point out – what is the risk?

I would have a broad risk in the risk register: XYZ organisation introduces a new capability or program that is not adopted or is not fit for purpose. The causes in this case could be:

a. Inadequate consultation with stakeholders in the development of requirements
b. Developed requirements do not adequately reflect the needs of the organisation
c. Inadequate change management
d. Lack of/ineffective training of staff
e. Lack of/ineffective communication of the program with the stakeholder community
f. etc.

I hope this helps a little bit and answers your question.

