Risk Competencies and Risk Training

ISO 31000:2018, Uncategorized 27 Minutes

Risk practitioner competencies refer to the skills, knowledge, and abilities required by individuals responsible for managing risks within an organization. These competencies enable risk practitioners to identify, assess, manage, and mitigate risks effectively, ensuring that the organization achieves its objectives while minimizing potential threats. Competencies typically cover technical, analytical, interpersonal, and strategic aspects of risk management. To determine risk practitioner competencies, organizations can follow several steps:

  1. Define Core Competencies: Identify the essential skills and knowledge areas required for effective risk management in the organization. These may include risk assessment techniques, regulatory compliance, financial analysis, strategic planning, and communication skills.
  2. Use Established Frameworks: Leverage industry standards or frameworks such as ISO 31000, COSO ERM, or the IRM Risk Management Professional Competency Framework to outline specific competencies and proficiency levels expected from risk practitioners.
  3. Role-Based Competency Mapping: Different roles in risk management require different competencies. For example, a risk analyst may need strong data analysis skills, while a Chief Risk Officer (CRO) requires strategic thinking and leadership. Organizations can create role-specific competency profiles.
  4. Assess Current Skills: Conduct assessments to determine the current skill levels of risk practitioners. This can be done through self-assessments, manager evaluations, or third-party audits.
  5. Gap Analysis: Compare the current competencies against the desired competency framework to identify areas where practitioners need improvement or additional training.
  6. Training and Development: Develop targeted training programs to address competency gaps. This could include workshops, certifications, on-the-job training, or mentoring programs.
  7. Performance Metrics and Feedback: Implement systems to measure the effectiveness of risk management activities and provide ongoing feedback to practitioners. This ensures continuous improvement and alignment with organizational goals.
  8. Adapt to Organizational Needs: As the organization evolves, so do the risk management challenges. Regularly update the competency framework to reflect changes in the business environment, regulatory landscape, and organizational objectives.

Risk management is now seen as a professional field rather than just a set of tasks. Like any profession, it requires a clear framework of skills and abilities (competencies) that practitioners need to perform their roles effectively. These frameworks outline the key stages of the profession and define the skill levels needed at various levels of responsibility. Professionals in risk management must have both technical (hard) skills and interpersonal (soft) skills to succeed. Technical skills are essential for handling specific risk management tasks, while soft skills, such as communication and collaboration, are equally important for effectively implementing risk management strategies within an organization. Risk practitioners need expertise in two key areas. First, they must have a strong understanding of risk management practices and processes. Second, they must possess business skills to understand the organization’s internal and external environment. This knowledge helps them design and implement a risk management framework that aligns with the organization’s goals and operations. While developing business skills is important, the primary focus for a risk practitioner is building technical skills directly related to risk management. These technical skills are closely tied to the steps involved in implementing a successful risk management program.

Risk management technical skills

  1. Skills associated with planning risk management strategy
    • Evaluate status: Evaluate the organizational context and objectives and map the external and internal risk context
    • Develop strategy :Develop risk strategy and risk management policy and develop the common language of risk
  2. Skills associated with implementing a risk management architecture
    • Design architecture: Design and implement risk management architecture, roles and responsibilities
    • Develop processes: Develop and implement the risk management processes, procedures and protocols
    • Build awareness : Build a culture of risk awareness aligned with other management activities
  3. Skills associated with measuring risk management performance
    • Facilitate assessments: Facilitate the identification, analysis and evaluation of risks, and design record-keeping procedures
    • Evaluate controls: Evaluate existing performance and evaluate efficiency and effectiveness of existing controls
    • Improve controls : Facilitate the design and implementation of necessary and cost-effective control improvements
  4. Skills associated with learning from risk management experience
    • Evaluate framework: Evaluate risk management strategy, policies and processes, and introduce improvements
    • Design reports: Develop understanding of reporting requirements, design reporting formats and produce appropriate reports

Risk Skills

Risk competency refers to the ability of an individual or organization to effectively understand, assess, manage, and communicate risks. It encompasses a combination of knowledge, skills, experience, and judgment that enables someone to perform risk-related tasks effectively. Risk competency is broader than technical expertise; it involves applying critical thinking, understanding the context of risks, and aligning risk management activities with organizational goals. Competency is also about consistently demonstrating the ability to handle risks professionally and efficiently in varying circumstances. Risk skills, on the other hand, are specific abilities or techniques that contribute to effective risk management. These can include skills such as risk identification, risk assessment, data analysis, stakeholder communication, and scenario planning. Risk skills are often developed through training, practice, and exposure to real-world situations. While skills are actionable and task-specific, they do not guarantee competence unless they are applied appropriately and effectively within a broader framework of knowledge and understanding. The difference between risk competency and risk skills lies in their scope and application. Risk skills are individual components that contribute to performing risk-related tasks, whereas risk competency represents the overarching ability to integrate these skills with knowledge, experience, and judgment to achieve successful outcomes. Competency is the result of combining various skills in a coherent and effective manner, supported by a strong understanding of the organizational and external environment. In essence, while risk skills are building blocks, risk competency is the complete structure that ensures effective risk management.

A successful risk management practitioner needs a mix of technical and interpersonal (soft) skills. Technical skills can be split into two categories: risk management-specific skills and broader business-related skills. Risk management skills can be outlined in a competency framework, while business skills will vary depending on the organization. These typically include knowledge in areas like finance, accounting, legal matters, human resources, marketing, operations, and IT. Soft skills, or people skills, have become increasingly important as communication within and between organizations evolves. Technical skills are often linked to intellectual intelligence, while soft skills rely on emotional intelligence. To excel, a risk practitioner needs both types of intelligence and skillsets. In addition to technical and interpersonal skills, a good risk manager must also focus on self-management and personal development. These skills are common among professionals and are often guided by a code of ethics or conduct. Self-development involves improving one’s abilities and potential, leading to greater job satisfaction and future opportunities. It also includes helping others grow, whether as a teacher, mentor, trainer, or coach. The people skills needed in a business environment can be grouped into communication, relationship-building, analytical thinking, and management (CRAM) skills. While technical skills can be learned through training and experience, people skills depend more on an individual’s personality, making them harder to develop. Mastering these interpersonal skills is often a greater challenge for risk practitioners but is crucial for success.

People skills for risk management practitioners

  1. Communication
    • Excellent written and oral skills
    • Presentation and public-speaking skills
    • Committee and meeting participation skills
  2. Relationship
    • Influencing skills to work with ‘challenging’ behaviour
    • Negotiating skills to defuse conflict and identify solutions
    • Networking skills across organizational silos
  3. Analytical
    • Strategic thinking skills and creativity skills
    • Data-handling skills to get to the heart of a problem
    • Research skills to present arguments based on facts
  4. Management
    • Time-management skills to manage teams and projects
    • Leadership skills to motivate and develop staff
    • Facilitation skills to assist with setting priorities

Soft Skillls: Calling them “soft” might make people skills seem less important than technical skills, but they are actually vital for any business and can determine its success or failure. Employees with strong people skills are more effective when interacting with others, which is especially crucial for businesses that rely on face-to-face client interactions. Just like technical skills, people skills can be learned and improved. While these skills naturally develop over a lifetime, businesses can actively support this growth through workshops, seminars, and encouraging employees to share their ideas, suggestions, and advice during discussions. This helps foster continuous improvement and collaboration.

Clear communication about risk is essential. Within an organization, internal communication happens through the risk architecture, which serves as the formal structure for sharing information about risk control activities and gathering data for external reporting. For instance, a road haulage company might focus on operational efficiency and give proper attention to risk management by introducing measurable loss-control programs. The board may request regular reports on metrics like road accidents, vehicle breakdowns, fuel consumption, and delivery incidents. These reports allow the board to compare performance against competitors and the company’s past performance. However, while the board monitors these results, it is the responsibility of line management to implement and manage improved risk performance.

Communication skills

In some cases, risk communication within organizations can be informal, such as discussions during risk assessment workshops or training sessions. These communication practices are part of the organization’s risk culture. Externally, risk communication involves engaging with stakeholders like the media, the public, and other groups. For example, if a road haulage company plans to expand its storage depot, it must communicate with local stakeholders and planning authorities. This involves preparing honest, clear arguments that address concerns about community risks, ensuring stakeholders that adequate risk controls are in place. Public perception of risk may differ from scientific evidence, so communications should go beyond facts and address emotional concerns to build trust. Effective communication skills also include running training sessions and facilitating workshops. Risk practitioners often lead risk assessment workshops, which require clear structure and inclusive discussions where all participants can contribute equally. A common technique in such workshops is using sticky notes to capture ideas, which are then grouped based on the questions posed. The facilitator plays a crucial role in identifying common themes and consolidating similar ideas into a manageable list of issues or risks. This process requires skill to ensure productive and meaningful discussions.

Running training courses requires a specific set of skills, but the main goal is always to keep all participants engaged. A common method for structuring training sessions is the three-step approach: first, explain what will be covered, then go through the content, and finally, summarize what has been discussed. While this method might seem overly simple or repetitive, it is often the most effective way to make sure the key messages are clearly communicated and understood. Essentially, training sessions are best broken into three clear parts for better organization and learning.

  • Stage 1 Set up: This stage will describe what the course will provide. It is often achieved by delegate introductions and expectations, a group exercise or a simple quiz to get everybody thinking about the topic of the day.
  • Stage 2 Set out: This stage provides the detailed information that the training course is intended to impart. It can be a combination of structured inputs, group tasks, discussion exercises, feedback sessions and training films.
  • Stage 3 Set down: This stage summarizes what the course has covered and confirms general understanding. It will often ask delegates to confirm what they have learnt and/or indicate what actions they will take following the course.

Effective communication also includes strong verbal and written presentation skills. This involves the ability to write reports tailored to the organization’s needs, whether for internal use or external distribution. The format and style of reports can vary widely depending on the organization. Many organizations prefer short summaries for the board, supported by detailed documents available if needed. A risk practitioner should align their communication style with the organization’s culture. If reports typically include graphics, risk information should also use visuals. If reports are text-based, it becomes a challenge to make the content engaging without visuals. Similarly, presentations to the board should match the usual style of other board presentations. Thorough preparation and familiarity with the topic are crucial. When presenting to the board, the risk practitioner should clarify the purpose of the presentation. A simple informational update requires a different approach than a report seeking approval for action. Understanding the audience’s expectations is essential, especially when communicating with the board. To ensure effective communication, it helps to follow the “5Cs”:

  • Complete: Provide all the necessary information so the audience can take the appropriate action.
  • Clear: The message should be easy to understand, making your purpose obvious.
  • Concise: Stick to the point and keep it brief to maintain attention.
  • Coherent: The message should flow logically, with all points connected to the main idea.
  • Credible: Show that you understand the audience’s concerns and priorities to build trust.

Relationship skills

Relationship skills are essential, especially the ability to influence and negotiate effectively. These skills also include motivation and navigating workplace dynamics, which must be used in a way that aligns with the organization’s culture and internal environment. Listening skills are equally important, as understanding the perspective of someone you are negotiating with or trying to influence is vital. Influence is often achieved through positive energy and enthusiasm for the changes being proposed. Successful influencing requires the ability to gain support, inspire others, form strong connections, and engage people’s imaginations. Improving risk management often involves ongoing negotiation, which calls for an understanding of established negotiation techniques. Political skills, though sometimes misunderstood, are also critical. They involve understanding group dynamics, handling difficult individuals, and managing conflicts with flexibility. These skills also require sensitivity to cultural differences and varying stakeholder needs. Political skills become especially important when chairing meetings. The chairperson must allow all attendees to express their views clearly and concisely while maintaining neutrality and guiding the group toward a fair consensus. The core of relationship skills is building and maintaining connections with diverse stakeholders, including customers, staff, financiers, suppliers, regulators, and society (CSFSRS). Each stakeholder group has unique interests, and not all will prioritize risk management. This makes excellent communication and relationship skills essential for the risk practitioner. Addressing differing opinions requires a high level of interpersonal skill and tact.

Analytical skills

Analytical skills cover a wide range of abilities, including strategic and logical thinking. Sometimes, especially in problem-solving situations, creative and out-of-the-box thinking is essential for risk practitioners. Many practitioners work with numbers, such as calculating risk for compliance with regulations like Basel II or determining appropriate insurance coverage. However, not all analytical skills involve mathematics; strong problem-solving abilities are also crucial. Research skills are another valuable tool for risk practitioners. Being able to quickly find and analyze information is an asset, especially when large amounts of data need to be evaluated. Practitioners often need to identify patterns or connections in the data and present their findings clearly and logically, whether in reports, training sessions, or presentations. Analytical skills are especially beneficial during risk assessment workshops, where participants may have differing opinions about the risks involved in a specific situation. A skilled facilitator listens carefully, identifies the assumptions underlying each perspective, and challenges these assumptions to help the group reach a shared understanding. Analytical skills involve understanding, questioning, and clearly defining problems to make informed decisions based on the available data. This includes applying logical thinking to gather, analyze, and test potential solutions. The goal is to evaluate different options critically and develop the best course of action. Problem-solving and decision-making are closely related and essential for business success, particularly in risk management. Some individuals may naturally excel at making decisions but may need to focus on improving their quality, while others might have strong analytical abilities but need to act more decisively. Creativity is vital in generating and exploring options, often using tools like SWOT and PESTLE analysis. Effective decision-making combines creativity, clear judgment, decisive action, and practical implementation.

Management skills

Risk management teams are often small, but this isn’t always the case. Regardless of team size, even if a risk practitioner doesn’t directly manage others, they still need to understand management skills. These skills are useful for influencing other managers to consider alternative actions and for handling tasks like team management and delegation of authority. Many people skills, such as those discussed earlier, are equally relevant for management. Among these, motivation stands out as particularly important for risk practitioners, especially when promoting a risk-aware culture or encouraging changes in behavior. Practitioners must inspire individuals, managers, and directors to adopt different approaches and mindsets. Self-management skills are also critical. These include setting clear priorities, meeting deadlines, and maintaining personal motivation. Time management, organization, and staying motivated are essential throughout a risk practitioner’s career. It’s also important to understand the distinction between management and leadership. A manager might focus on controlling a team’s activities to ensure everything is done as planned. A leader, on the other hand, sets clear priorities, empowers the team to take ownership of their tasks, and involves them in developing goals. Effective leadership combines guidance with collaboration, ensuring everyone works towards shared objectives.

Leadership Skills

The main difference between managers and leaders lies in how they motivate people, which influences their overall approach. Managers typically have subordinates who work under their authority, following instructions to achieve specific tasks. Their focus is on getting things done efficiently, maintaining control, and avoiding conflicts. Managers tend to be cautious and prefer to minimize risks as part of their role. Leaders, on the other hand, inspire followers rather than commanding subordinates. While some leaders may also hold managerial positions, when they lead, they rely less on formal authority and more on influence and vision. Leaders are open to challenges, embrace risks, and view obstacles as opportunities. They may take unconventional paths and, at times, bend rules to achieve their goals. This distinction highlights the difference in mindset and approach between managing and leading.Leadership skills are essential in Enterprise Risk Management (ERM) as they enable risk practitioners to guide organizations in navigating uncertainties while aligning risk strategies with overall business objectives. A strong leader in ERM demonstrates the ability to influence decision-making processes at all levels, from senior management to operational teams. This requires clear communication, strategic thinking, and the capacity to articulate how risk management supports the organization’s goals and enhances its resilience. An ERM leader fosters a risk-aware culture by promoting open dialogue about risks and encouraging all employees to take ownership of their role in managing risks. They inspire confidence and collaboration, ensuring that stakeholders understand the importance of integrating risk management into daily operations. By building trust and credibility, ERM leaders can motivate teams to adopt proactive risk practices and implement changes that may initially face resistance. Decision-making is another critical aspect of leadership in ERM. Effective leaders analyze complex information, weigh alternatives, and make informed decisions while balancing risk and opportunity. They use analytical and problem-solving skills to address challenges, anticipate potential disruptions, and develop strategies that mitigate risks without stifling innovation or growth. Adaptability and vision are also vital leadership traits in ERM. Leaders must be agile in responding to rapidly changing environments while maintaining a forward-looking perspective. They ensure that ERM frameworks evolve to address emerging risks and align with the organization’s strategic direction. By demonstrating resilience and a commitment to continuous improvement, ERM leaders set an example for others and help organizations thrive in uncertain conditions. Ultimately, leadership in ERM involves not only managing risks but also inspiring teams, building a strong risk culture, and aligning risk practices with the broader objectives of the organization. This holistic approach ensures that ERM becomes an integral part of the organization’s success.

Development of risk Communication

Risk communication as a field started developing in the late 1970s, mainly in response to public concerns about nuclear and chemical technologies in the United States. At the time, the belief was that providing clear, simple information would be enough to convince people that these risks were not as serious as they feared. However, this approach has largely failed. Experts now recognize that understanding risk involves more than just facts—it also depends on emotions, instincts, and personal experiences. Simply sharing factual information without considering these emotional and psychological factors is incomplete and often ineffective. Many people associate risk communication with what to say during a crisis, but this view is too narrow. While communication during emergencies is important, experience shows that its effectiveness depends heavily on the groundwork laid beforehand. Preparing and building trust before a crisis makes communication during the event much more effective.

The main goal of sharing risk information and providing risk training is to ensure the organization responds consistently to similar risk events. Achieving this requires sharing knowledge and experiences. A consistent approach is needed for handling hazard, control, and opportunity risks. If an organization has an intranet, it can be a great tool to provide access to relevant information and ensure uniform responses. It’s also important to define and communicate clear risk protocols and maintain a consistent approach to individual risks. This includes identifying risks ahead of time and confirming the controls in place for them. This method applies to strategic, project, and operational risks. Providing training and establishing clear communication practices helps the organization maintain consistency in how it handles risks. For every capital expenditure request, a risk assessment should be included. This assessment should address both the risks the project aims to manage and the risks within the project itself, such as potential delays, budget overruns, or failure to meet specifications. Similarly, attaching risk assessments to strategic analyses is critical to maintaining consistency in risk management. Creating an “issues manual” can be a useful tool for identifying risks, circumstances, or events that require action. This manual helps communicate risks across the organization and supports consistent responses. Providing the necessary information, supervision, and training further ensures that risk management procedures are followed effectively. When new risks emerge or existing risks change significantly, it’s crucial to have escalation procedures in place. These procedures ensure that senior management is alerted to the changes, and staff must be trained on how to handle risk escalation effectively. Consistency in risk response becomes especially critical during a crisis. Training is essential for directors, managers, and staff on how to follow disaster recovery and business continuity plans. Clear communication and thorough preparation ensure that everyone knows what to do in challenging circumstances. Establishing effective risk communication involves several key steps to ensure clarity, consistency, and engagement with stakeholders. These steps create a structured approach to sharing risk-related information and promoting a risk-aware culture within the organization.

  1. Define Objectives: Clearly outline the purpose of risk communication. Objectives might include raising awareness, ensuring consistent responses to risks, or facilitating informed decision-making across the organization.
  2. Identify Stakeholders: Determine the internal and external stakeholders involved in risk communication. Internal stakeholders could include employees, managers, and the board, while external stakeholders might be regulators, customers, suppliers, or the public.
  3. Select Communication Channels: Choose the appropriate methods to deliver risk information. Internally, this could involve emails, reports, intranet updates, or workshops. Externally, it may include press releases, stakeholder meetings, or public announcements.
  4. Develop Standardized Protocols: Create templates, guidelines, and standardized language for risk communication. This ensures consistency in how risks are described, assessed, and addressed across the organization.
  5. Provide Training and Awareness: Train employees on risk communication protocols and their roles in the process. Workshops and awareness campaigns can help embed a consistent understanding of risks and responses.
  6. Encourage Two-Way Communication: Establish mechanisms for feedback and discussion. Risk assessment workshops, surveys, or open forums can help stakeholders share their perspectives and raise concerns.
  7. Align Communication with Context: Tailor messages to suit the audience and situation. For example, technical details may be appropriate for internal experts, while broader summaries might be better for public stakeholders.
  8. Incorporate Risk Escalation Procedures: Define how risks are escalated to senior management when they are new or significantly changed. Provide training to ensure employees understand and follow escalation protocols.
  9. Monitor and Evaluate: Regularly review the effectiveness of risk communication strategies. Use feedback and performance metrics to identify gaps and make improvements.
  10. Adapt and Improve: Update communication practices as organizational needs evolve or external circumstances change. This ensures that risk communication remains relevant and effective over time.

By following these steps, organizations can establish a strong risk communication framework that enhances awareness, supports decision-making, and builds trust with both internal and external stakeholders.

Risk training and risk culture

Risk training refers to educating employees, management, and stakeholders about the principles, processes, and practices of risk management. It aims to build knowledge and skills needed to identify, assess, respond to, and monitor risks effectively within an organization. This training ensures that everyone understands their roles and responsibilities in managing risks and contributes to the development of a proactive and consistent risk-aware culture.The organization’s risk culture can be described using five key elements: leadership, involvement, learning, accountability, and communication (LILAC). These elements also highlight the steps needed to successfully integrate risk management into the organization. Involvement, learning, accountability, and communication are especially important when it comes to risk training and communication. Clear risk management documentation helps managers and employees understand their roles and responsibilities, as well as the level of accountability expected. Proper risk training fosters learning and communication, strengthening the organization’s overall risk-aware culture.

To foster a robust risk culture, specific types of risk training are necessary. These include:

  1. General Risk Awareness Training
    • Educates employees and managers about the concept of risk, its types (strategic, operational, financial, etc.), and its potential impact on the organization.
    • Emphasizes the importance of risk management in achieving business objectives.
  2. Role-Specific Risk Training
    • Provides tailored training for employees based on their roles and responsibilities. For example, frontline staff may receive training on operational risks, while senior management focuses on strategic risks and decision-making.
  3. Risk Assessment and Analysis Training
    • Teaches employees how to identify and assess risks using tools like risk matrices, SWOT analysis, or PESTLE analysis.
    • Enhances skills in evaluating the likelihood and impact of risks and determining mitigation strategies.
  4. Compliance and Regulatory Training
    • Covers industry-specific regulations, legal requirements, and compliance standards.
    • Helps ensure that all employees understand the importance of adhering to these guidelines to avoid penalties or reputational damage.
  5. Crisis Management and Business Continuity Training
    • Prepares employees and leaders to handle crises and emergencies effectively.
    • Focuses on disaster recovery plans, communication protocols, and maintaining operations during disruptions.
  6. Risk Communication Skills Training
    • Develops skills for clear and effective communication about risks to internal and external stakeholders.
    • Includes training on delivering concise, coherent, and credible messages.
  7. Ethics and Decision-Making Training
    • Encourages ethical decision-making in risk management.
    • Promotes transparency and accountability in identifying and responding to risks.
  8. Cultural and Behavioral Training
    • Encourages behaviors that align with the organization’s risk culture, such as open communication about risks, proactive reporting, and collaboration.
    • Includes workshops or activities that reinforce the organization’s values and attitudes toward risk.
  9. Scenario-Based Training
    • Uses simulations or real-life scenarios to test risk responses and decision-making in a controlled environment.
    • Builds confidence in handling risks and prepares employees for real-world challenges.
  10. Leadership and Change Management Training
    • Focuses on leaders’ roles in driving a risk-aware culture.
    • Equips leaders with the skills to inspire, motivate, and guide their teams in embracing risk management practices.

Consider a company managing health and safety risks. To address these risks, the organization should create clear guidelines, protocols, and procedures, which include awareness training for all staff. Detailed processes for managing specific risks, such as libel and slander, should reflect the level of exposure. The focus on these risks may vary depending on the nature of the business, and the following steps could be suitable:

  • Provide all employees with basic health and safety training.
  • Implement specific review procedures for politically sensitive topics.
  • Require legal reviews for every issue of a satirical publication.

Staff should be trained on updated procedures, and information should be made available on the company’s intranet. Managers and employees should be encouraged to provide feedback on these procedures to improve them as part of the company’s learning culture. Risk training is crucial for fostering understanding and communication about risks and for engaging managers, staff, and stakeholders. It should cover various topics, enhance awareness of risk-related issues, and provide information on control measures. Employees should understand their critical role in implementing these controls effectively. When determining health and safety training needs, consider the following:

  • Assess employees’ abilities, knowledge, and experience to ensure they can perform their tasks safely.
  • Make sure job demands align with employees’ capabilities to avoid risks to themselves or others.

Some employees may need specific training, such as:

  • New hires requiring basic safety induction, including first aid, fire safety, and evacuation protocols.
  • Employees transitioning to new roles or responsibilities needing training on potential safety impacts.
  • Young or inexperienced employees, who are more prone to accidents, requiring extra attention, supervision, and prioritized training.
  • Workers needing refresher training to update their skills.

Your risk assessment should identify any additional training needs to ensure everyone can perform their duties safely and effectively.

Examples of when risk training is needed:

  • When a manager is newly hired or takes on new or extra responsibilities.
  • When an employee starts a new role or when procedures have been updated.
  • After a recent incident or loss within the organization or at a competitor’s site.
  • As a refresher, which might be required by law in some cases.

Risk information and communication

Risk communication begins by identifying the stakeholders involved or affected by a specific risk. Once they are identified, it’s important to decide what information needs to be shared and why it’s important for each group to receive it. Stakeholders usually have their own views on risks, so any communication should take these perceptions into account. Clear guidelines help set rules for sharing risk information with a wide range of stakeholders, and these become even more crucial when dealing with external parties. However, they are just as useful for communicating with internal teams. Internal stakeholders, like managers and staff, often need risk information because they are expected to actively participate in managing those risks, unlike external stakeholders who may not have such responsibilities. Risk training should be integrated with the organization’s other training programs and tailored to fit job requirements. It is needed in situations such as when new risks arise, existing risks change significantly, an individual takes on a new role or additional duties, or after an incident that leads to updated procedures. Training ensures that everyone understands their role in managing risks effectively.

Risk communication guidelines

  • Identify the stakeholders, both inside and outside the organization, and understand their interests and concerns.
  • Use simple language and presentation, but don’t oversimplify complex topics when detailed explanations are necessary.
  • Share objective information, clearly separating facts from opinions.
  • Communicate honestly and clearly, considering how much the audience already understands.
  • Address uncertainties by explaining what isn’t known and what can be done to resolve these gaps.
  • Be careful when comparing risks, but use familiar examples to help explain unfamiliar ones.
  • Focus on a few key messages that are clear, concise, and limited to three points at a time.
  • Be ready to answer questions and offer additional information later if needed.

Whistleblowing investigation process: An important part of risk communication is making sure there are proper systems for “whistleblowers.” Employees and others may have confidential information about the organization that should not normally be shared, but there should be a way for them to report concerns if they believe serious wrongdoing has occurred. The person receiving the report will review the information and decide if there is a valid case. They will then determine if an investigation is needed and how it should be conducted. Depending on the issue, the investigation might be:

  • Done within the organization,
  • Referred to external auditors,
  • Investigated by an independent party.

After the investigation, some issues may need to be reported to outside authorities, such as the police or funding bodies. If the person handling the report decides not to investigate, they should explain their decision to the person who raised the concern. The individual can then choose to report the issue again to someone else or to the audit committee chair.

Shared risk vocabulary

To communicate effectively about risk, it’s important to develop a common language around risk. Sometimes, an organization needs to create its own specific risk vocabulary for unique situations. What’s more important than the exact meaning of a term is that everyone within the organization has a shared understanding of risk, based on the language they use. To make sure risk management is part of daily operations, the risk manager might use the existing terminology within the organization. Even if that language doesn’t match formal risk management definitions, it’s better to use the familiar terms to improve communication. A standard vocabulary can help explain risk management concepts, even if it doesn’t fully align with ISO Guide 73. Creating and agreeing on definitions can take time and may require compromises, but it’s crucial for everyone to have the same understanding when discussing risk. Having a shared language is especially important for building a strong risk culture. In any organization, different people at various levels and in different departments need to be involved in managing risk. A common language helps bridge gaps between layers of management and various departments. Without it, the risk management team would spend too much time fixing communication problems instead of focusing on their main tasks.

Risk information on an intranet

Risk information can be shared with stakeholders in various ways. Many organizations create simple guides or leaflets to inform stakeholders about current risk issues. The method of communication will depend on the stakeholder and how complex the message is. When an organization needs to report to financial stakeholders, formal risk communication methods are used. This could include a report to the stock exchange or other financial bodies, which might be supported by informal communication methods like videos, slide presentations, or conference calls. Another option for risk communication is an intranet, which many organizations use to share information with staff. Large organizations often use their intranet to communicate health and safety details and business continuity plans. The intranet can also provide information about general risk assessments, control measures, and updates on any current risks. It’s important that risk information aligns with other management information systems within the organization. Treating risk information as a separate system can lead to it becoming disconnected from other activities, making it less relevant to managers. A dedicated risk management information system (RMIS) can increase the risk of the information becoming irrelevant to the organization.

Risk management information systems (RMIS)

A Risk Management Information System (RMIS) is a specialized software or system used by organizations to collect, manage, and analyze risk-related data. It helps organizations track and monitor risks, assess their potential impact, and implement strategies to mitigate them. RMIS can store information about various types of risks (e.g., operational, financial, health, safety, compliance risks), the effectiveness of control measures, and any risk mitigation efforts that have been made.Risk management guidelines, protocols, and procedures can be shared using a Risk Management Information System (RMIS) software. This RMIS can be placed on the organization’s intranet. It helps collect and share risk information, including reports of incidents from local management as they happen. RMIS systems have been used for years to track insurance claims. Recently, their use has become more advanced. Now, RMIS can record details about risk exposure, risk controls, and action plans. For RMIS systems related to insurance, they can also store information about insurance policies, claim procedures, and claims history, which can be accessed by authorized users. These systems can also pool information about risk exposure and report incidents that may result in an insurance claim. In addition to basic information-recording systems, there are other RMIS software tools that support risk management. These include software packages for analyzing risks and systems that can perform risk analysis and dependency modeling. It is widely agreed that using RMIS software for enterprise risk management (ERM) can be very beneficial. However, a common challenge is that entering a large amount of risk data into a database can take a lot of time. Despite this, having the data available for in-depth analysis can make the effort worthwhile.

Sharing risk information throughout an organization is essential to raise risk awareness and improve risk management. In most cases, individuals within the organization have the best understanding of the risks and the practical actions needed to reduce them. Communication is also crucial for sharing details about incidents, lessons learned, and the steps taken to prevent them from happening again. The advantages and disadvantages of RMIS are summarized below. Generally, an RMIS becomes more valuable when risks are complex or there is a large amount of data to be recorded.

Features of RMIS

  1. Data Collection: RMIS gathers data on risks across the organization, which can come from different departments and business units.
  2. Risk Assessment: The system can assess and prioritize risks based on factors like probability, impact, and severity.
  3. Risk Reporting: RMIS provides reporting tools to generate reports for management, stakeholders, and regulatory bodies.
  4. Monitoring and Tracking: It helps track how risks evolve over time, monitor the effectiveness of control measures, and ensure that actions are taken to address risks.
  5. Decision Support: RMIS offers tools to assist management in making informed decisions regarding risk responses and strategies.

How to Establish a Risk Management Information System (RMIS) in an Organization:

  1. Define Risk Management Objectives: Before implementing RMIS, the organization must clearly define its risk management objectives. These objectives should align with the organization’s overall goals and strategies.
  2. Identify Key Risk Areas: The organization should identify the different types of risks it faces (financial, operational, strategic, regulatory, etc.) and how they will be managed within the RMIS.
  3. Select the Right Software or Platform: Choose an RMIS software that meets the organization’s needs. It should be capable of handling the types of risks identified, provide appropriate reporting capabilities, and be scalable as the organization grows.
  4. Data Integration: Integrate RMIS with other existing management systems in the organization. This can help to ensure that risk data aligns with financial, operational, and other management systems, avoiding fragmented or irrelevant data.
  5. Customization: Tailor the RMIS to the specific needs of the organization. This includes configuring the system to reflect the types of risks the organization manages, the roles and responsibilities of staff, and the processes for assessing and mitigating risks.
  6. Train Employees: Training staff on how to use the RMIS effectively is crucial. They need to understand how to input data, assess risks, and generate reports. The training should also cover how to use the system for decision-making and risk mitigation.
  7. Establish Data Collection and Reporting Protocols: Set clear guidelines on how risk data will be collected, stored, and reported. This includes determining who will provide risk data and how often the system will be updated.
  8. Monitor and Evaluate the System: Once the RMIS is in place, monitor its effectiveness. Regularly evaluate whether it is meeting the organization’s risk management needs and make improvements as necessary.
  9. Review and Update Regularly: As the organization’s risks evolve, the RMIS should be updated to reflect these changes. Periodic reviews help ensure that the system remains relevant and effective in managing risks.

The following types of information may be handled, stored, managed, distributed and communicated using a risk management information system (RMIS):

  • Risk management policy and protocols
  • Risk profile data, values and information
  • Emergency contact arrangements and contact details
  • Insurance values and cost of risk data
  • Insurance claims handling and management protocols
  • Historical loss/claims experience/information
  • Insurance policy coverage and other information
  • Risk management action plans (risk register)
  • Risk improvement plans and implementation
  • Business continuity plans and responsibilities
  • Disaster recovery plans and responsibilities
  • Corporate governance arrangements and reports

Without advanced RMIS technology, risk managers can only track the company’s risk data and past losses using methods like modeling and scenario simulations. Developing a strong RMIS to support Enterprise Risk Management (ERM) might cost more than the benefits it provides. While the costs are clear and immediate, the benefits are harder to measure or prove. Risk managers already find it challenging to show the value of preventing or covering a loss. Even if risk reduction is significant, it’s a potential future benefit, not an immediate reduction in costs. Whether the risk assessments from RMIS are worth the cost of data tracking and analysis depends on the company’s risk profile. Larger companies are likely to benefit the most, but as the cost of the technology used for data collection and modeling continues to decrease, even smaller companies can benefit. In the end, RMIS might pay for itself by helping the organization avoid or effectively manage a major loss that could otherwise seriously harm the company’s finances.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a Reply