Risk management consultancy and training services

Call Us:

(+61) 400 666 142


Canberra ACT 2600

Risk management is not a compliance activity

Risk management is not a compliance activity

Apr, 30, 2019
by Karen

When consulting to an organisation, it frustrated me when I heard “thanks for developing our risk management framework – now we will pass the audit” or, “we are now compliant with the legislation”. Risk management is not a “tick the box” exercise and it should never be treated as a mere compliance requirement.

I have also had a number of students attend my courses stating that their expectations were that they could learn the skills necessary to ensure their organisations are compliant with Legislation and Regulations.

Whenever I work with clients, I make it clear from the outset that effective risk management involves embedding risk management into the daily operational life of an organisation.  

Those organisations that view risk management as a compliance activity are simply ‘doing risk management’ they are not managing risk – and there is a significant difference as shown in the table below:

Doing Risk Management Managing Risk
The organisation has documentation (e.g. Policy, Plan, Procedure) that it considers to be a framework. The documentation is simply part of the wider framework
Risks are considered after planning has been completed as opposed to being a fundamental part of it. Risk management is a fundamental input to the planning process, where goals, objectives, opportunities may be altered based on the risks of moving forward.
The organisation has a Risk Register/s that are reviewed once every 3, 6 or 12 months. Reviews of risk registers occur, but the risks in them are continually monitored.
Current control effectiveness is estimated but not measured Current controls are measured for effectiveness.
Treatments are identified, but rarely undertaken. All risk treatments are completed within specified timeframes.
Ownership is not assigned to risks or treatments or ownership is assigned to ‘all’ or ‘XYZ Committee’. All risks, controls and treatments have assigned owners.
The organisation seeks to assign individual responsibility after an incident has occurred and doesn’t undertake post-event analysis to identify the root causes i.e. a blame culture exists. The organisation understands that every incident/event is a system failure and not the responsibility of one individual. Post event analysis is conducted so the organisation can continue to learn and grow.
Risk management is seen as a specialist skill that only certain personnel within the organisation are responsible for.  Training is only provided to those in risk management roles. All personnel understand that they have a role to play in the management of risk across the organisation and training has been provided accordingly.
Staff feel too intimidated to raise issues/risks for fear of reprisals. Staff feel empowered to raise issues/risks so that management have all the information required to make risk informed decisions.
Risk reports are full of colour and charts but insufficient information to make risk informed decisions Risk reports contain information that assists in the decision-making process.

You DO risk management if you want to be compliant; you MANAGE risk if you want to be successful!!!!!


Written by Karen