Risk Management, Just a Tick Box Exercise?

Surprisingly, some companies still review their risks only once a year, doing so to tick the box, and then put the risk register in a drawer until the next compliance cycle.

Companies aim to ensure that they comply with the legislative, regulatory or best-practice standard they have adopted for risk management. Does this focus on compliance lead companies to tick the box of risk management compliance, rather than to ensure that the business actively manages its risks?

Many companies are achieving ISO 9001:2015, which is “an international standardised quality management system that helps organisations to analyse, control and improve their internal systems, processes, protocols and policies in preparation for any potential risks that the business may face.” These companies are audited to confirm that they have a risk policy, process and procedure; they are not audited in a way that establishes whether risk management is effective and embedded in the company. Some companies align to ISO 31000, which is a set of risk management guidelines and is not certifiable.

Other companies, which are listed on the stock exchange, have a requirement under the Financial Reporting Council (FRC) guidance, which states: “The board has ultimate responsibility for risk management and internal control, including for the determination of the nature and extent of the principal risks it is willing to take to achieve its strategic objectives and for ensuring that an appropriate culture has been embedded throughout the organisation.” The Board satisfies itself that there is a risk policy, procedure and process. Most annual reports set out the company’s significant risks and the mitigations for the coming year, but how much of this translates into real, active risk management?

Many companies believe that risk management is a finance or health and safety function. While it is true that companies face financial and health and safety risks, on different scales depending on the industry, these are not the only risks that can lead to a company’s failure. A company faces risks across every function, every department and every system.

People hear the phrase ‘Risk Management’ and think: that does not apply to me; there is a risk manager in the company who has it all covered. If this is the case, it is an indicator that the activity of risk management is not embedded in the organisation in question.

“Risk management involves understanding, analysing and addressing risk to make sure organisations achieve their objectives.” Institute of Risk Management (IRM).

Active risk management occurs when companies recognise that accountability and responsibility for risk management lie with the Board, the senior executives, the managers and the employees of the company, and that the risks in question are those that may stop the organisation achieving its objectives. Such companies review these risks on a regular basis and continually improve their controls and mitigation strategies.

For risk management to be truly embedded in an organisation, each employee should understand, even at a high level, what risk management is and what their responsibilities are in assisting the Board with the management and mitigation of risks. Most employees mitigate risk on a daily basis by using processes, procedures and systems, all of which are controls; however, they may not realise that what they are doing is mitigating their company’s risks, because no one has explained risk management to them, or its importance to the company.

Companies face risks on a daily, weekly and monthly basis; reviewing risks annually is just ticking the box. Actively managing risks, and actively owning both the risks and their mitigation, is what leads to embedded risk management.

Further reading:

IRM https://www.theirm.org/what-we-do/what-is-enterprise-risk-management/

ISO https://www.iso.org/iso-31000-risk-management.html

FRC https://www.frc.org.uk/getattachment/d672c107-b1fb-4051-84b0-f5b83a1b93f6/Guidance-on-Risk-Management-Internal-Control-and-Related-Reporting.pdf
