Two-way communication with the internal audiences (i.e. board of directors; audit/internal control steering committees, if any; all management levels; employees; integrated supply chain partners/other partners, according to an open organization vision) should be considered as a way to improve the risk management process. Facilitating risk management policy implementation and general engagement in the different process phases is crucial to the entire system effectiveness. Open communication helps decision making processes to use risk management information. Moreover, it helps in the identification of  the corporate risks[1], and elicits the cross-organizational actions to be implemented in cooperation with the different divisions.

The organization should establish internal communication flows in order to support accountability and ownership of risk, along with widespread involvement. These mechanisms ensure that key components of the risk management framework, as well as any subsequent modifications, are properly communicated and submitted for consultation. Internal communication and consultation mechanisms include the methods and tools through which an organization ensures that everybody within the organization understands the following issues, according to his/her role:

  • What the risk strategy consists of;
  • Which the risk priorities are;
  • How the accountabilities are assigned, and how the related responsibilities fit into the risk framework (who does what).

Identification of new risks (or changes in those risks already assessed) depends on maintaining a good communication network through relevant contacts and provision of information. If this is not achieved, risk priorities may not be consistently addressed. A consultative team approach may therefore be useful to help define the context for ensuring that risks are identified effectively, to bring different areas of expertise together in analysing risks, to ensure different views are appropriately considered in evaluating risks, and to make appropriate change management during risk treatment.

Risk management goals should be discussed within each organizational unit or project[2] and clearly communicated (for example through the ‘risk appetite’ statement). All staff, both management and non-management employees (and necessary internal stakeholders), should be consulted during the risk management process. Risk identification and response should result from a cooperative effort involving key elements from every project or process, as well as feedback from management on the integrated risk management process[3]. Moreover, in concrete statistical areas, cross-institutional commissions and working groups can play an important role.

To summarize, the internal communication:

  • Assists in embedding the desired behaviours throughout the organization;
  • Engages staff in risk management activities;
  • Enhances risk management process transparency, and encourages accountability and ownership of risks;
  • Facilitates cooperation among the offices/units in defining cross-cutting initiatives, and a common understanding of concepts, rules for action and integration of risk management in statistical processes, as a basis to prioritize control actions for continuous improvement.

Consequently, a risk management plan, as an internal communication plan, should include:

  • Establishing a team responsible for communicating about risk management;
  • Raising awareness about managing risks and the risk management process throughout the organization.

Plans/policy papers, methodological documents, and information resulting from the risk management system, should be disseminated and made available to all employees. Specific communication channels, can include: internal events (e.g. workshops, seminars)[4], broadcast e-mails, broadcast voice mails, databases supporting specific risk issues, letters from the board, e-mail discussion groups, intranet sites on enterprise risk management, web info sessions, conference calls, posters or signs reinforcing key aspects of enterprise risk management, face-to-face discussion, newsletters from the chief risk officer, field debriefing sessions, knowledge sharing systems (e.g. wikis).

QUESTION MARK BOX

Q. Risk management goals are clearly communicated within your organization.

R. “Strongly Agree. The procedures and other documents related to the risk management process are disseminated within the body in charge of monitoring, coordination and methodological guidance of the internal/managerial control system development of the NIS. It should be composed of top management from all statistical domains”.

Source: Romania, In-depth survey on risk management practices

 

 

[1]risks/criticalities gathered into categories according to their strategic significance, and monitored and treated as a priority.

[2] As an example, a risk matrix can be elaborated, as a teamwork task - under the direction of those responsible for any major statistical and/or organizational project - and the results should be communicated to every participant in the project, in order that they may be aware of their respective duties.

[3] Usually on a yearly basis.

[4] Especially during the start-up phase, meetings with all the organizational divisions involved should be organized to discuss various topical issues in more detail, and providing every staff member with the opportunity to express their opinion and to participate in the decision-making process. Presentations from senior leaders should show support and set expectations for staff in relation to risk, so positively grounding a risk culture.

  • No labels