This week I heard Michael Davin from the University of Melbourne, talking about risk on RN's program "The Money" in the context of the recent Crowd Strike I.T. outage, and how many organisations don't manage risk effectively.
In an organisation, risk management needs 3 elements:
1 - thinking about risk appetite - it's strategic board level decision on how much risk for different types of risk the organisation can accept
2 - understanding what risks the organisation is facing, and (usually) document them in a risk register so you are aware of the issues and potential consequences
3 - investing in risk treatments - put controls in place to bring the risks back to a level the organisation is comfortable with.
But doing this once isn't effective.
Just having a risk register 'somewhere, that someone did for us once, sometime ago' can provide a false sense of security that the risks are being managed when they're not.
The message from Professor Davin was that you need someone to actively manage the risk register, or maybe don't bother having one. It needs to be someone's responsibility to manage the risk, to keep the information up to date, and to monitor the situation.
You need keep the risk register active, and also build responsibility for risk management into the way the organisation operates.
Risk management is an ongoing process
This advice from Professor Davin echoed a previous article from Quality Systems Toolbox about risk management as a PDCA cycle and an active process:
- Plan: identify and assess the risks, decide on controls.
- Do: implement the controls
- Check: risks and controls need to be monitored to make sure they are still effective
- Adjust: change the controls if they aren't working
Compiling a risk register is only the first step.
Focus on the risks, not the register
Quality Systems Toolbox software helps maintain focus on the risks and not the register by allowing the organisation to individually assign responsibility for managing each risk, rather than having a giant spreadsheet risk register assigned to one person.
To capture the whole story, each risk in QSToolbox can link to the controls you've built in to your processes, link to scheduled monitoring data, and to incident records if the risk eventuates. You can plan and assign tasks to improve or implement new controls. Due dates for review of each risk ensure information is kept up to date, with transparency on when and who completed the last review.
With your risks documented in Quality Systems Toolbox software, you'll have much better visibility of risk management - no matter what types of risks your organisation faces.