Risk management is not a compliance activity
When consulting for an organisation, it frustrated me to hear “thanks for developing our risk management framework – now we will pass the audit” or “we are now compliant with the legislation”. Risk management is not a “tick the box” exercise, and it should never be treated as a mere compliance requirement.
I have also had a number of students attend my courses stating that their expectation was to learn the skills necessary to ensure their organisations are compliant with legislation and regulations.
Whenever I work with clients, I make it clear from the outset that effective risk management means embedding risk management into the daily operational life of the organisation.
Organisations that view risk management as a compliance activity are simply ‘doing risk management’; they are not managing risk. There is a significant difference between the two, as shown in the table below:
| Doing Risk Management | Managing Risk |
|---|---|
| The organisation has documentation (e.g. policy, plan, procedure) that it considers to be a framework. | The documentation is simply one part of the wider framework. |
| Risks are considered after planning has been completed, as opposed to being a fundamental part of it. | Risk management is a fundamental input to the planning process, where goals, objectives and opportunities may be altered based on the risks of moving forward. |
| The organisation has risk registers that are reviewed once every 3, 6 or 12 months. | Reviews of risk registers occur, but the risks in them are continually monitored. |
| Current control effectiveness is estimated but not measured. | Current controls are measured for effectiveness. |
| Treatments are identified, but rarely undertaken. | All risk treatments are completed within specified timeframes. |
| Ownership is not assigned to risks or treatments, or ownership is assigned to ‘all’ or ‘XYZ Committee’. | All risks, controls and treatments have assigned owners. |
| The organisation seeks to assign individual responsibility after an incident has occurred and does not undertake post-event analysis to identify the root causes (i.e. a blame culture exists). | The organisation understands that every incident/event is a system failure and not the responsibility of one individual. Post-event analysis is conducted so the organisation can continue to learn and grow. |
| Risk management is seen as a specialist skill that only certain personnel within the organisation are responsible for. Training is only provided to those in risk management roles. | All personnel understand that they have a role to play in the management of risk across the organisation, and training has been provided accordingly. |
| Staff feel too intimidated to raise issues/risks for fear of reprisals. | Staff feel empowered to raise issues/risks so that management have all the information required to make risk-informed decisions. |
| Risk reports are full of colour and charts but contain insufficient information to make risk-informed decisions. | Risk reports contain information that assists in the decision-making process. |
You DO risk management if you want to be compliant; you MANAGE risk if you want to be successful!