Are you responsible for getting better governance, risk, compliance, quality, health, safety, environmental processes implemented where you work? Read on...
The WIIFM test
Generally we're a predictable bunch and most of us do things because there's a payoff. It may not be financial, or immediate, or even particularly significant, but it matters just enough to us to make us act.
Any organizational change has to satisfy the What's In It For Me? test and it's hard because not everybody's benchmarks are the same. Even for one person, their benchmarks may also change over time.
What's Risk Management?...What ISN'T??
First things first. Risk Management is EVERYWHERE, always has been, always will be. It may be cloaked by acronyms like "GRC" and "ERM"; organised by frameworks like "ISO31000", "COSO" or "CoBIT"; managed by "Risk Managers" or "Safety Coordinators"; but in the end, the vast majority of us spend a lot of time making sure we are not blown off course by the unexpected - and that's all that risk management is.
what does your bank statement do for you each month?
why can you only buy your office chairs from a particular supplier?
what does that 'variance' column tell you on your weekly report?
why can you only drive on one side of the road?
why keep your shoelaces done up properly?
...and so on!
Finding something we can all agree on
So - risks are everywhere and we'll all act if it matters to us but different things matter to us at different times for different reasons.
Here at High Profile Solutions, we like the approach of ISO31000 in stating that risk is
"the effect of uncertainty on objectives"
This is important because it recognises that risks aren't all about the negative. A new scientific invention that opens up an entirely new market for products may be exciting but have a disruptive effect on your business...because you didn't manage the uncertainty that new discoveries can bring.
It also places the focus squarely on the OBJECTIVE. Call it purpose, call it a mission, call it a goal - it describes where you and your organization are trying to get to with the service or product you offer.
Never lose sight of those 2 things because if you are trying to pass the WIIFM test with a new system, or project or process - then you need to keep coming back to them again and again.
For some, the jargon around Risk Management gets in the way of 'common sense' and that is always a danger to be avoided, particularly in fast moving operational environments where everyone on the frontline is just trying to 'get on with it'. But few of those same people would choose to return to a workplace where umpteen employees a year lose limbs, eyes or lives through lack of protective clothing, properly maintained machinery or safely constructed buildings. Deep down, they know that professional risk management has its place.
The key is always to start with those things that matter to the person you are talking to:
Do they manage a project? If so, what are their milestones for this month?
Do they manage a process? - what's the measure of success (KPI) for that process this week?
Do they produce a product? - what does a bad product look like?
These are all those benchmarks we talked about earlier and risk management has to demonstrate how it increases the chance of exceeding them daily, weekly, yearly - either by enabling good stuff to happen (through assessing positive risks) or stopping bad stuff (through controlling negative risks).
If you can get good at that, then you have managed the risk of all those hands shooting up at the end of your presentation and asking "yeah I get it, but what's in it for me??"