Risk management is not a compliance activity
When consulting to an organisation, it frustrated me when I heard “thanks for developing our risk management framework – now we will pass the audit” or, “we are now compliant with the legislation”. Risk management is not a “tick the box” exercise and it should never be treated as a mere compliance requirement.
I have also had a number of students attend my courses stating that their expectation was to learn the skills necessary to ensure their organisations are compliant with legislation and regulations.
Whenever I work with clients, I make it clear from the outset that effective risk management involves embedding risk management into the daily operational life of an organisation.
Those organisations that view risk management as a compliance activity are simply ‘doing risk management’; they are not managing risk, and there is a significant difference, as shown in the table below:

| Doing Risk Management | Managing Risk |
|---|---|
| The organisation has documentation (e.g. Policy, Plan, Procedure) that it considers to be a framework. | The documentation is simply part of the wider framework. |
| Risks are considered after planning has been completed as opposed to being a fundamental part of it. | Risk management is a fundamental input to the planning process, where goals, objectives and opportunities may be altered based on the risks of moving forward. |
| The organisation has a Risk Register(s) that is reviewed once every 3, 6 or 12 months. | Reviews of risk registers occur, but the risks in them are continually monitored. |
| Current control effectiveness is estimated but not measured. | Current controls are measured for effectiveness. |
| Treatments are identified, but rarely undertaken. | All risk treatments are completed within specified timeframes. |
| Ownership is not assigned to risks or treatments, or ownership is assigned to ‘all’ or ‘XYZ Committee’. | All risks, controls and treatments have assigned owners. |
| The organisation seeks to assign individual responsibility after an incident has occurred and doesn’t undertake post-event analysis to identify the root causes, i.e. a blame culture exists. | The organisation understands that every incident/event is a system failure and not the responsibility of one individual. Post-event analysis is conducted so the organisation can continue to learn and grow. |
| Risk management is seen as a specialist skill that only certain personnel within the organisation are responsible for. Training is only provided to those in risk management roles. | All personnel understand that they have a role to play in the management of risk across the organisation, and training has been provided accordingly. |
| Staff feel too intimidated to raise issues/risks for fear of reprisals. | Staff feel empowered to raise issues/risks so that management have all the information required to make risk-informed decisions. |
| Risk reports are full of colour and charts but contain insufficient information to make risk-informed decisions. | Risk reports contain information that assists in the decision-making process. |
You DO risk management if you want to be compliant; you MANAGE risk if you want to be successful!!!!!