Risk Management is not a one person sport
Transcript:
Well hello again, in this session I just want to talk about something really short. That is that risk is not a one person sport, or risk management is not a one person sport.
In some organisations we have this expectation that the risk manager is going to identify the risks, analyse the risks, put the treatments in place and as a result we reduce the risk within the organisation, the risk profile.
That could not be further from the truth, the risk manager or someone filling a role similar to that, needs to be a facilitator and use the corporate knowledge that is within our organisation. So, when it comes to risk identification the things that we are going to ask are; what can go wrong – but we also can ask the question what has gone wrong in the past.
And the only way we are going to know that is if we got people in the room who have been within that organisation a long time or like organisations. And they can say “well we tried this and this is what happened”. Now they’re not being naysayers but they’re saying well these are the things that have gone wrong in the past so if you wish to go down that path, well perhaps you need to put some strategies in place to stop it happening. So from an identification point of view it’s important that we engage a wider stakeholder community.
When it comes to risk analysis and identifying a likelihood rating or a consequence rating the same thing applies. If we are going to determine what the likelihood of that risk is, well it’s better to have a whole lot of people in the room who may be able to say “well, I’ve been here for 5 years or 10 years or whatever and that’s never happened”.
So we could put that down as a rare, or someone in the room said “well that thing actually happened 3 times last year and 5 times the year before that”. Now it doesn’t mean that it is going to happen 3 to 5 times the next year, but we can say that it’s almost certain or likely that it’s going to occur. The same with consequences if we have got some of those people with experience in the organisation they can say “yep that happened, but the only consequences were these”, they could also say “but we were pretty lucky that was more a near miss, and so the possible consequences are this this and this”.
And so by using that judgement and expertise we have within the workshop we can come up with more realistic likelihood ratings and more realistic consequence ratings. We can use that forum to determine whether our controls are currently effective or not, and we should have control owners in the room with those measures of effectiveness to tell us whether they are or not.
And of course we can use that judgement and experience of those people who are involved in the process to determine the most effective risk treatments if we need to put something new in place. And we can allocate those to the person best responsible or most able to be responsible for the implementation of that particular treatment.
So risk management isn’t a one person sport, you cannot just have somebody sitting in a room and doing all this stuff by themselves. You truly need a collegiate approach to making sure that the outcomes of your risk management program are going to allow you to effectively manage risks in the organisation. I hope that has been useful and as I always say, lets be careful out there.