Forget the old-fashioned flow of risk information from business units to risk managers, who develop risk reports and present them to executives, the audit committee or the Board. There is a better way. Based on the research and interviews we conducted, internal risk communication should be two-way:
- Business units should be reporting on their own risks as part of normal performance reporting (be it weekly, monthly or quarterly performance reporting) as well as for any significant decisions;
- Risk managers should be reporting on risks when they hold an alternative point of view that contradicts the business unit's opinion, or when they have additional information which should be considered when making a decision.
One thing is clear: information about risks should flow through the organisation every day and every time a decision is being made, not once a week or month when a risk assessment is done.
There are several ways to significantly improve internal risk management communication:
- Include the requirement to share / disclose risk information in policies and procedures;
- Change performance reporting / management reporting templates to include risk analysis results;
- Get involved in report and document preparation to make sure risks are adequately captured;
- Create your own communication channels (newsletters, intranet site, email alerts);
- Take ownership of some internal reporting on risks.
HERE IS A QUICK CHECKLIST TO TURN THIS SECTION INTO ACTIONS
☐ Identify existing information flows (management performance reporting, decision making / approvals, information bulletins)
☐ Change internal policies and procedures to require risk information to be included / disclosed
☐ Change existing reporting templates to include risk management information
☐ Provide methodologies to business units to help them accurately disclose risk information
☐ Review / validate results to check for quality, accuracy, consistency and completeness
USEFUL VIDEOS
https://www.youtube.com/watch?v=AOGrobGzeaQ