Avoid This Common Risk Management Mistake
“The biggest obstacle is that risk management is often seen as a separate activity which needs specialist risk professionals in order to succeed. Many organizations feel they cannot afford to do this. In fact most organizations do not have, and will never have, a risk professional working for them. We need to encourage organizations to see that everyone in the business owns and manages risk and in acknowledging that fact integrate risk management into their normal business management processes…Risk understanding and management needs to sit at the centre of all decision making.”
This is a great answer that Marks agrees with, and so do I. In addition, there’s one part of the answer that highlights a reality for many organizations, and which can undermine efforts to successfully manage risks. Here’s the part I’m referring to:
“In fact most organizations do not have, and will never have, a risk professional working for them.”
Think about that statement for a minute, and think also about the importance of integrating risk management in various business functions (EHS management, supply chain management, product stewardship, brand reputation, etc.). For many organizations, this means that employees who are not risk professionals or specialists will need to have a risk-mindset in the exercise of their functions. If people do not have an academic or professional risk management background, they are more likely to make common risk management mistakes. One such common mistake consists of focusing only on the measures to control the risk, and not on its underlying causes. There are underlying causes that must be identified and addressed in order to effectively mitigate risks in a proactive way. Organizations must prevent, not just react. This is somewhat related to distinguishing between a hazard and a risk.
Here’s an example: A worker is exposed to hazardous dust particles that can be inhaled and potentially result in illness. To control this inhalation hazard, the worker is asked to wear personal protective equipment (PPE). It would be a mistake to confuse the lack of PPE with the cause of the risk. Rather, the cause of the risk is the fact that there is a process releasing dangerous dust particles that can be inhaled. By identifying the causes of a risk, more appropriate risk mitigation measures can be implemented. In the case of this example, the hierarchy of controls shows that there are indeed more effective ways to reduce risks than PPE. Also, process hazard analysis, as part of a program to comply with OSHA’s Process Safety Management standard, can reveal underlying causes of workplace safety risks.
As mentioned by Fiona Davidge, most organizations do not have, and will never have, a risk professional working for them. It can be discouraging to think that people might get confused about risk management concepts, which can prevent them from successfully adopting a risk-mindset in their work. But there is hope. Through the implementation and use of risk management software, users without an extensive academic or professional risk background can be guided to distinguish between causes of risks, consequences of risks, control measures and recovery measures. Software also automates the use of risk management tools, such as a risk matrix and bow-tie risk analysis, in order to clear confusion and help users avoid common risk management mistakes.