Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!
This course is not about doing risk assessments, building risk registers, heat maps or risk reports. None of these things have anything to do with proper risk management. This is what I call risk management 1 – risk management for external stakeholders (Board, auditors, regulators, government, credit rating agencies, insurance companies and banks). This course is about alternative, different take on risk management, it’s about risk management 2 – risk management for the decision makers inside the company.
If there is one thing I learned in my previous role as Head of Risk of a multibillion-dollar sovereign investment fund, risk management is not about managing risks. It’s about helping management make strategic, operational and investment decisions with the risks in mind.
It sounds simple enough, but it’s anything but. Here are some of the lessons I had to learn the hard way:
A. Thinking about risks is not natural
B. Individual and corporate risks are not the same
C. Business decisions happen every day, not once a quarter
D. Integrating into business processes means knocking on people’s doors
Over the years, risk managers have tried various ways to get the business units to participate in the risk management process. Some simplified the risk identification and assessment methodologies, others complicated them. The result in both cases was the same – disappointment. Best case scenario – annual or quarterly risk assessments were perceived as a necessary evil with most employees ignoring them and few actively resisting.
Did it for example ever strike you as odd, that risk management is supposed to be a support function, yet business units are constantly required to provide the information to the risk managers and not the other way around? It almost feels like the business is there to support risk managers in doing their job.
Maybe, just maybe, it is time for the risk managers to stop living in a universe, where the business is regularly required to provide information, participate in risk assessments and to contribute to lengthy discussions about risk mitigation. After all, this does not make business sense. Why would business units take the time away from making money to supply risk managers with all this information? The only logical answer is because they must, it’s a compliance issue. And this is where it gets interesting, risk managers have for years been telling us that it’s not about compliance, it’s about generating business value. Something doesn’t add up. If an activity takes time and resources and doesn’t have an immediate impact on business decisions or business processes, something is clearly wrong.
Join me to discover how to integrate risk management principles into day to day decisions, change how investments are done, change how strategy and budgets are set and change the very culture of the organization.
– 4 future trends
– How to integrate risk management into strategic planning
– How to integrate risk management into decision making
#managerisk #riskmanagement #riskanalysis #decisionmaking #riskacademy #iso31000 #cosoerm #erm #risk
- C4. Regularly evaluate risk management culture
- C5. Include risk management KPIs into individual performance reviews
- D. CREATE A NETWORK OF “RISK-CHAMPIONS”
- E1. Include the principles of risk-based decision-making in induction training
- E2. Conduct training for senior management and the Board
- E3. Conduct training for "risk-champions"
- E4. Make risk training competency based
- E5. Develop in-house certification for employees in high risk activities
- E6. Use gamification and passive learning techniques
- F. KEEP IT SIMPLE
- G. HELP EMPLOYEES INTEGRATE RISK ANALYSIS INTO THEIR WORK
- H. RISK-BASED STRATEGIC PLANNING, BUDGETING AND PERFORMANCE MANAGEMENT
- H1. Integration into strategic planning
- H2. Integration into budgeting
- H3. Integration into performance management
- H4. Integration into decision making
- I1. Speak the business language
- I2. Include risk information in the company's external communication
- I3. Include risk information into existing internal communication channels
- I4. Create simple risk escalation mechanisms