Holistic Risk Management
My 10 October 2020 post provides an overview of the risk management process under the ISO 31000 Risk Management Standard. It explores how organizations identify, analyze, evaluate, and treat risks. The focus of that post is the prevention, avoidance or mitigation of risk event occurrences. Barriers are typically put into place to prevent or mitigate risk event occurrences. Contingency plans are developed for risk events. What, if anything, should an organization do after a risk event happens? Risk management does not end with the planning and event response – it occurs up-front and after-the-fact in a never-ending circular process.
Risk management in a learning organization ensures that risk events and near-misses are tracked and investigated so that the organization continuously improves. Risk event investigations analyze facts to understand what barriers failed and identify root causes. From that, opportunities may be identified to improve barriers, such as risk management plans, procedures, training, equipment, PPE, and other safeguards.
Some organizations may be good at developing risk management plans but do a poor job of investigating and analyzing risk events. Those organizations miss important opportunities to learn and improve their management systems and may repeat the same mistakes. That could be called the “Groundhog Day” movie approach. Other organizations may do a poor job of identifying risks and planning, but aggressively investigate what happened after the fact. Those organizations are often looking for people to blame rather than attempting to improve the overall risk management system. That could be called the “King Henry VIII” approach. Some organizations do a poor job on both ends and just react to whatever risk events come their way. That could be called the “Seat-of-your-pants” approach. These are not the best ways to run a company.
Instead, organizational risk management should be a holistic process that seeks to identify and plan for risks upfront and learn from risk events through investigation. Organizational improvement is fostered when that occurs in a transparent, no-blame culture. In a blame culture, mistakes are often hidden for fear of disclosure. No one learns from them.
The main takeaway is that the risk management process is circular and never-ending. It is a core aspect of managing any organization. In the graduate-level courses I taught for many years as an adjunct professor, risk management was an essential aspect of each course. We discussed ISO 31000 risk management processes in the project management course. We learned how to identify compliance and liability risks in the environmental law course. We discussed strategic planning to address sustainability risks in the sustainability course.
Holistic risk management is essential to organizational success. It leads to improved safety, regulatory compliance, environmental protection, efficiency, strategic performance, and revenues.
Primarium can help.