Corporate Culture and Risk Management
During August 2018 we were fortunate to attend an IRMSA (The Institute of Risk Management South Africa) Breakfast Presentation on Combined Assurance, and how in the future, companies will move towards an increased organisational assurance or integrated assurance.
What is combined assurance?
Combined assurance is about “functional areas like compliance, risk, security, performance, the internal audit being bound towards increased assurance to oversight committees or the Board”
During the presentation, the speakers, who were Risk Managers or Risk Practitioners from the private and public sector, described how combined assurance was achieved in their respective organisations. The speakers made it abundantly clear that combined assurance and risk management are only effective as a combined effort of each and every employee in an organisation. The Risk Management function, compliance function and assurance providers within an organisation cannot operate in isolation.
The International Organization for Standardization (ISO) has released a revised version of ISO 31000 - Risk Management, and Jason Brown, Chair of the technical committee that developed the standard, also emphasises the importance of integrating risk management when he says: “The revised version of ISO 31000 focuses on the integration with the organization and the role of leaders and their responsibility. Risk practitioners are often at the margins of organizational management and this emphasis will help them demonstrate that risk management is an integral part of a business.”
How can an organisation ensure that risk management is integrated throughout the whole organisation?
Adopt Risk Management in the organisation culture or corporate culture
An organisation should strive to develop a risk culture and move away from a tick-box approach. Top management should set the tone that risk management is not just another box to tick, or a required level of compliance, but rather a way of doing business. Employees should manage risk not because a policy or procedure prescribes it, but because they understand the risks and are willing to cooperate in their day-to-day activities to help the organisation mitigate them.
Make employees aware of how their actions contribute to risk management
An employer should continually remind employees of how their actions affect the company's management of risk. It can be as simple as discussing an employee's job description and making the employee aware of how his or her tasks contribute to the risk management of the company. Are your representatives aware that by properly performing the client take-on process and completing an advice record they contribute to the mitigation of risk?
Performance management and compensation
Ensure that risk management goals, and whether they were reached, are measured in performance appraisals linked to salary increases and bonuses.
Ensure that each department reports on its contribution to the risk management outcomes.
Include employees in the risk management process
Ensure that your organisation communicates the outcomes of the risk assessment process to employees: what risks were identified, the likelihood of each risk occurring and its impact on the business. Ask employees for suggestions on how to mitigate risks. This approach spreads the concept of risk prevention throughout the organisation and secures “buy-in” from your employees. If employees understand the method of risk mitigation, they will follow it more readily.
Ensure that employees are trained on an ongoing basis so that they can conduct their duties in a satisfactory manner. Also ensure that employees receive regular training on risk management.