Three Key Questions
Have you ever tried having a conversation with a risk practitioner about risk management concepts without using the word ‘risk’? Similarly, as a risk practitioner, have you had a conversation with a quality management practitioner without them mentioning the word ‘quality’?
One of the biggest issues we face as risk practitioners is having conversations with non-risk practitioners, especially front line people, about what we do and what we need them to do to ensure that risks (there is that word again) are adequately identified, mitigated and monitored. Wouldn’t it be a more useful conversation to talk in terms that the front line is used to and understands? Read the article 'Are you a Risk Manager?'
Front line staff know what they need to do to achieve their objectives – be it sales targets, transaction processing targets, customer satisfaction targets, quality targets, or whatever it is that they do that collectively allows the organisation to achieve its objectives. They understand their business processes and where shortcuts can be taken to ‘get things done’. They know when other staff are not following procedures – with malicious intent or not. So how do you change the risk conversation while still getting the risk management result required by the organisation? Simple! Here are some suggestions:
Don’t ask a front-line manager to list their risks. Ask instead what could go wrong in their systems, people and processes that could impact on them achieving their objectives. Then ask them what they could do to reduce the chance of those things happening, or reduce the impact on objectives if those things occurred.
Ask the front-line managers what keeps them awake at night. What are they most worried about? Ask them why, and what they think they can do about those situations to make them less important.
Don’t ask about control effectiveness. Ask instead whether the activities / processes that are in place are sufficient to stop them worrying about things going wrong. If they are not sufficient, is there any more that can be done that is reasonable and practical, taking into consideration financial and resource constraints? Get them to tell you what more can and should be done.
In response to the above suggestions, I am often told that the ‘risk management software’ doesn’t allow for field names to be changed, or that there is no ability to add help text and user guidance in the risk identification and assessment forms, and so the change of thinking stalls.
A key feature of Protecht.ERM is the ability for our clients to create and modify forms based on the language that is relevant to their user community. They can do this without needing any IT skills or engaging a vendor to make the changes. So by using Protecht.ERM, there is no excuse for not having the right conversation with the front line in a language that they understand while still embedding the organisation’s risk management framework.
For more information on Protecht.ERM and how you are able to create and modify forms to suit your context, please send an email to firstname.lastname@example.org.