Avoid This Common Risk Management Mistake

December 08, 2016

In our latest , the first article is about the biggest obstacle to effective risk management. In the article, Norman Marks shares the answer given by Fiona Davidge, head of the British Standards Institute and a 15-year risk manager, to the following question: “What are the biggest obstacles for integrating risk management in all organizational activities for managers in the UK?”. Here’s Davidge’s answer:

“The biggest obstacle is that risk management is often seen as a separate activity which needs specialist risk professionals in order to succeed. Many organizations feel they cannot afford to do this. In fact most organizations do not have, and will never have, a risk professional working for them. We need to encourage organizations to see that everyone in the business owns and manages risk and in acknowledging that fact integrate risk management into their normal business management processes…Risk understanding and management needs to sit at the centre of all decision making.”

This is a great answer that Marks agrees with, and so do I. In addition, there’s one part of the answer that highlights a reality for many organizations, and which can undermine efforts to successfully manage risks. Here’s the part I’m referring to:

“In fact most organizations do not have, and will never have, a risk professional working for them.”

Think about that statement for a minute, and think also about the importance of integrating risk management in various business functions (EHS management , supply chain management, product stewardship, brand reputation, etc.). For many organizations, this means that employees who are not risk professionals or specialists will need to have a risk-mindset in the exercise of their functions. If people do not have an academic or professional risk management background, they are more likely to make common risk management mistakes. One such common mistake consists of focusing only on the measures to control the risk, and not on its underlying causes. There are underlying causes that must be identified and addressed in order to effectively mitigate risks in a proactive way. Organizations must prevent, not just react. This is somewhat related to .

Here’s an example: A worker is exposed to hazardous dust particles that can be inhaled and potentially result in illness. To control this inhalation hazard, the worker is asked to wear personal protective equipment (PPE). It would be a mistake to confuse the lack of PPE with the cause of the risk. Rather, the cause of the risk is the fact that there is a process releasing dangerous dust particles that can be inhaled. By identifying the causes of a risk, more appropriate risk mitigation measures can be implemented. In the case of this example, the hierarchy of controls shows that there are indeed more effective ways to reduce risks than PPE. Also, , as part of a program to comply with OSHA’s standard, can reveal underlying causes of workplace safety risks.

As mentioned by Fiona Davidge, most organizations do not have, and will never have, a risk professional working for them. It can be discouraging to think that people might get confused about risk management concepts, which can prevent them from successfully adopting a risk-mindset in their work. But there is hope. Through the implementation and use of , users without an extensive academic or professional risk background can be guided to distinguish between causes of risks, consequences of risks, control measures and recovery measures. Software also automates the use of risk management tools, such as a risk matrix and bow-tie risk analysis, in order to clear confusion and help users avoid common risk management mistakes.

Webinar GRC Operational Excellence