Risk Tip #4 – Communication and Consultation
The fourth in my risk tip series addresses communication and consultation for an individual risk amongst stakeholders.
Stakeholders aiming for, or in business for, a common cause will talk about communication, but just how many actually fathom the breadth of the stakeholder community for an individual risk? It is certainly part of the risk management process, but what does it look like?
One in all in: The shared risk
Before we look at what we do to communicate and consult in relation to a risk, it is important to understand why it is critical.
In the organisations of today, very few risks, if any, sit within just one functional area. Ownership of the risk will reside in one functional area; however, the controls will be shared across the organisation and, in some cases, may be shared across organisational boundaries.
This concept of the shared risk is critical to understand in relation to the effective management of risk.
Communication and consultation process
Communication and consultation in the risk management process is the same as any other communication and consultation in that it centres on the management of stakeholders.
As defined in ISO 31000:
Stakeholders are those people or organisations who may affect, be affected by, or perceive themselves to be affected by a decision or activity[1]
There are two categories of stakeholder in relation to the management of a risk:
- Primary Stakeholder. Stakeholders with a significant amount of influence in relation to the risk and its management and outcomes.
- Secondary Stakeholder. No decision-making influence but demonstrate an interest in the consequences of the risk.
When it comes to the management of a risk, the following characteristics give a stakeholder influence:
- ownership of the risk;
- ownership of controls;
- provision of funding and/or other resources for the management/treatment of the risk;
- regulation/policy;
- approvals/sign-offs (plans as well as products); and
- delivery of outcomes/services (includes staff and contractors).
So let’s look at the stakeholder management process as it relates to the management of an individual risk.
Stakeholder Identification
The first step in the communication and consultation process for a risk is to identify the stakeholders. To do this we can develop a stakeholder map similar to the one shown below:
Let’s look at an example using the following risk for an organisation managing a railway operation (be it government or private): Collision of trains travelling in opposite directions. Some of the causes for this risk may be:
- failure of signalling equipment;
- operator error in control centre;
- failure of safeguards on the train;
- failure of safeguards on tracks;
- lack of/ineffective training;
- lack of staff;
- lack of oversight/supervision; and
- the list could go on.
(To put at least one of those scenarios into perspective, here’s an example as reported by the BBC about an operator’s error causing a tragic train crash in Germany. Prosecutors for the case suspected the operator was playing a game on his mobile phone.)
For the above risk, the stakeholder community may look something like this:
What this stakeholder map is attempting to demonstrate is that it is impossible for one director to manage this risk effectively if they are not communicating and consulting with each of the stakeholder groups.
Identifying them, however, is but one aspect of effectively managing this risk, and each stakeholder needs to be clear as to the expectations on them.
Defining stakeholder expectations
For the risk to be managed effectively, each stakeholder needs to not only understand, but to also agree with the expectations of the risk owner in relation to the management of the risk.
As an illustration, the risk owner is reliant on the GM Maintenance to ensure that the signalling network and the track network are sound and that there are no issues that could increase the likelihood of the risk. The risk owner not only needs to articulate these expectations to the GM Maintenance; there also needs to be agreement on:
- the standard to which they are to be maintained;
- the performance measures and assurance mechanisms; and
- the reporting requirements back to the risk owner so that when the GM Operations is reporting the status of the risk to the CEO and/or the Board, they have assurance that the risk is being well managed.
You cannot manage a risk of this complexity from an office.
Develop a Stakeholder Management Plan
One thing that you may not have considered is the development of a Stakeholder Management Plan for an individual risk. Given the complexity of the risk described above, such a plan could be of significant assistance when managing the risk.
The plan may include (but is not limited to):
- stakeholder map;
- expectations for each primary stakeholder with regard to the risk;
- reporting requirements including formats and frequency; and
- details of the ongoing communication requirements with regard to the risk.
Risks that cross organisational boundaries or involve multiple organisations, and that have severe/catastrophic consequences, may benefit from having a Communication and Stakeholder Management Plan.
Ongoing communication and consultation in the management of the risk
So by now you have recognised that there are some risks in your organisation that are complex enough that there is a requirement to identify the stakeholder community and to develop a plan to guide the communication required for the effective management of the risk. But what now?
It is not too far-fetched, I believe, to suggest that for the complex catastrophic risks we are talking about, we have a stakeholder management group which meets regularly with the risk owner as the chair.
The advantage of such meetings is that where one stakeholder is having issues, the wider forum may be able to develop solutions. If the solutions were developed in isolation, they could lead to an increase in other risks or have an impact on the ability of one of the stakeholders to achieve their outcomes.
Minutes from the meetings can be used as part of the ongoing assurance program for the risk.
Conclusion
It is important to recognise that there are very few risks in an organisation that do not cross functional boundaries or organisational boundaries. Risks that cross functional or organisational boundaries cannot be managed by one person in complete isolation from other stakeholders.
It is too late after a catastrophe to discover that the actions (or inactions) of a stakeholder in another functional area or organisation with a role to play in the risk have not met the requirements placed on them and that, as a result, the incident has occurred.
Always remember – risk management is not a one-person sport.