Risk management initiatives can promote employees’ sense of belonging to a group, as well as their sense of their own significance within the organization. (People cooperate to set up a risk management system and an asset management process, to define cross-organizational measures, and so on.) Moreover, risk management provides a systematic, standard mechanism of internal control that obliges staff from different areas to come together to discuss and identify issues and to solve problems. These activities also contribute to the quality of the working culture, and allow staff to feel valued and engaged in the process of achieving a broader organizational objective.
Human resources are recognized as one of the key elements of an organization’s success,[1] and some of the uncertainties that give rise to risks can actually come from the organization’s internal environment.[2] For example, the way in which top management reacts to the results of monitoring may affect the behaviour of employees; the organization should be quite clear about the uncertainty arising from reliance on a single individual to make a large modification to risk, and should properly reward efforts by individuals. When designing the framework and implementing the risk management process, specific actions are needed in order to integrate such human and cultural factors.
Change, and cultural change in particular, is a weakness in risk management: the process is not the problem, but rather people’s perception of it. Two important lessons learned from implementing risk management are: embedding clear risk-based thinking at the highest level of the organization while ensuring that it cascades down to lower management and employees; and presenting risk-based thinking not as something totally new (to reduce resistance to it) but as an important feature of any change process.
Job profiles (outlining role, performance expectations and development objectives) should be identified for staff responsible for risk management matters, and specific descriptions of particular issues should be included in the job profiles of the general risk manager and the risk officers.
An organization should establish preventive human resource controls to reduce the likelihood and/or impact of adverse and critical events such as noncompliance and misconduct.[3] Consequently, the organization should enhance and/or revise the prioritized risk matrix and, as needed, the risk optimization plan to reflect the human resource incentives it has implemented, according to the current residual risk analysis and performance against the planned residual risk analysis.
Q. Have job profiles been identified for the staff assigned to run risk management matters?
R1. “Specific descriptions on risk management issues are included in the job descriptions of risk officers and heads of units.”
Source: Romania, In-depth survey on risk management practices
R2. “Yes, done. There is a job description for the general risk manager. The risk manager of Statistics Austria holds a certificate of senior risk manager with regard to ÖNORM EN ISO 31000 and ONR 49003 (Austrian Economic Chamber, WIFI-Zertifizierungsstelle).”
Source: Austria, In-depth survey on risk management practices
R3. “All staff have a Development and Performance Agreement (DPA) which outlines their role, performance expectations and development objectives. Roles in relation to risk will be articulated in broad planning and in the individual DPAs, but it may not be reflected in a title. In addition, roles in relation to managing specific risks are identified in the risk management documentation.”
Source: Australia, In-depth survey on risk management practices
[1] Cf. Porter M.E., 1990.
[2] ISO/TR 31004:2013(E) reports common types of error related to human and cultural characteristics: a) failure to detect and respond to early warnings; b) indifference to the views of others or to a lack of knowledge; c) bias due to simplified information processing strategies to address complex issues; d) failure to recognize complexity.
[3] To this end, as an example of potential sub-practices, an organization can also: define which duties should be segregated to prevent critical events; develop awards and other incentives for contributions by individuals or units that result in reduced residual risk or in fewer compliance failures, enforcement actions or other positive challenges to the organization.