4 Communication and consultation
Risk management, done well, is an excellent way of breaking down silos, sharing information across an organisation and allowing different parts of the organisation to learn from one another.
At its most basic, this could involve learning from incidents in one part of the business to prevent them occurring in another part.
In some industries or for certain types of risk this information is shared across the industry; examples include fraud risk in the financial services industry and health and safety risks in the chemicals industry.
Communication is important in each of the different steps of the risk process and can be broken down as follows:
Identification: A broad span of skills and experience is important to make sure that all risks have been identified and that no risks have been missed. Learning from past incidents is important, as is learning from other parts of your own organisation or from other companies.
Assessment: Quantification of risks often requires the support of finance teams (who can fully model the financial impact of risks). Understanding of past incidents and the actual performance of existing controls (and assurance findings) also help to inform assessment of risk. Risk assessment and treatment are closely related. As the situation changes the risk assessment should be updated.
Treatment: Treatment of risk is often done by many different parties; some risks can have many different people accountable for treatment actions or controls. The risk owner needs regular conversations with action and control owners to make sure that their treatments are effective and deliver the required level of risk mitigation. Treatment owners may be treating many different risks, so communication and consultation are very important.
Reporting and review: Most organisations have scarce resources and cannot afford to grasp all the opportunities that are presented or treat all of the risks they face. It is important that decisions are made about which risks will be treated and which will not, and that these decisions are communicated in a way that makes clear to people which risks will be treated and which will be accepted. In this way the organisation can then plan accordingly to account for the decisions that have been made.