One of the biggest mistakes of failure in implementing risk management is taking the risk management framework as it is without considering the organization culture
Risk Management is implemented to pursue opportunities and effectively exploit the limited internal capability instead only managing the adverse affects due to uncertainties. It is important to identify up-front the organization expectation when implementing risk management such as improved decision making process in setting corporate strategy, reduced risk exposure in key areas, improve compliance, enhance efficiency on operations and profitability, etc. Organization that is struggling to effectively implement risk management or have not implemented a formal, proactive, structured risk management framework could use ISO 31000 as a useful guidance. ISO 31000 acknowledge the importance of continually enhance the risk management framework using 5 attributes as follows:
- Continual Improvement
- Full Accountability for Risks
- Application of Risk Management in all Decision Making Processes
- Continual Communications
- Full Integration in the Organization’s Governance Structure
One of the biggest mistakes of failure in implementing risk management is taking the risk management framework as it is without considering the organization culture. In order to enhance or get the risk management right on track using ISO 31000, here is the suggested “to do list” for smooth transition.
- Refine the Benefits/Impact of implementing ERM throughout the organization lead by the Boards and ERM Unit/Project Team and create a measurement process to determine to what extent these objectives will be achieved
- Review and Update the existing risk management framework and amend the documentation to align with prerequisite elements in ISO 31000. Keep a record of enhancement as evidence of continual improvement.
- Communicate the key changes to all organization personnel and notify them that the organization now follows an international risk management standard
- Appoint the key risk owner for risk management ‘refresher’ training in order to encourage the risk owners to undertake a review of their risks and update their risk register