Ensuring effective risk management in any organisation is essential and fundamental to the organisation’s success.
Embedding risk practices successfully can be challenging. There are many things to consider when it comes to risk management. But it’s an essential element in the success or failure of organisations. That’s why it’s important to learn what effective risk management actually means.
How do we achieve effective risk management?
Effective risk management within organisations can only be achieved when staff are willing to engage in risk management activities. Only then can the board’s risk taking and control objectives be achieved. In short, risk management cannot be effective if it is not embedded.
To be able to do this, we need to understand how board-level risk taking and control objectives translate into risk management activities. That includes recognising how these activities are performed within organisations.
Organisations are taking different paths to embedding risk management depending on the external environment in which they operate. A range of internal factors, such as leadership tone and the success or failure of past risk management initiatives, also contribute to the varied approach to risk management.
- Effective risk management requires the use of complementary formal and informal mechanisms and tools.
- Communication is vital. This includes communication between business units and functions, as well as communication to/from the risk management function and internal audit function.
- The risk management function has a pivotal role in communication and building risk management relationships.
- The risk management function does not only design and implement risk identification, assessment and reporting tools; it must also work hard to explain and even sell the benefits of risk management to the wider organisation.
The mix of formal and informal is key
Although tools are needed, embedding risk management is about much more than formal tool design. Complex tools may not be required. Simple tools, complemented by a broad suite of regular informal mechanisms (one-to-one meetings, etc.), may be more effective than complex tools in embedding risk management.
There are no easy answers or quick fixes when embedding risk management. What works differs from one organisation to the next. Nevertheless, it is possible to identify common challenges and good practices to overcome these challenges.
"Success or failure depends on an organisation’s ability to take, mitigate and avoid risk or to exploit, recover and learn from unexpected events when they occur."
Formal and informal mechanisms
These are some of the common formal and informal mechanisms for organising risk management.
• Risk management policy
• Risk appetite statement and exposure limits
• Management committees (risk specific and general)
• 'Tone from the top' and the actions of management
• Risk facilitation by first- and second-line risk specialists
• Phone calls and face-to-face conversations that cut across hierarchical layers