Implementing the Risk Management Strategy
After crafting a risk management strategy, management needs to consider how the strategy will be implemented in order to ensure achievement of the strategic objectives.
I am very excited to have one of South Africa’s Risk Management Specialists, Sinovuyo Kolweni, as my co-author in this article. Continuing from the last article which addressed key aspects of crafting an effective strategy for risk management and emphasised the importance of having a structured approach to managing risks, this week’s article focuses on implementation of the risk management strategy.
After crafting a risk management strategy, management needs to consider how the strategy will be implemented in order to ensure achievement of the strategic objectives. A risk management strategy document can resemble a ‘tick-box’ if the implementation thereof is flawed. Successful implementation of the risk management strategy remains valuable for both large corporates and small businesses as it ensures that all the strategic objectives are met. There should therefore be an implementation plan to ensure achievement of all the strategic objectives after crafting the strategy.
An effective strategy implementation plan supports risk maturity initiatives, which translates into the business reducing on revenue leakages and losses. This promotes robust risk management and response structures, such that when a risk materialises, the business is able to recover and to continue with its normal operations as a result of the risk management processes in place.
Risk events occur because of a direct or indirect outcome of a breakdown that was not accounted for or that resulted from inadequate preparation. This could be inadequate people, systems and processes that are often internally induced and/or external factors affecting the business’s internal operations. A well-formulated risk management strategies therefore crafted to manage or limit breakdowns due to people, systems, processes and external factors. However, the risk management strategy can fail to produce the desired outcome if it is not implemented successfully.
The process of implementing strategies for risk management involves having supporting governance frameworks and policies that provide guidance on risk treatments and outline the expected risk culture. There must also be governance forums or committees in place. With smaller businesses, this may be a risk meeting or an agenda item in staff meetings that speaks to risk management.
The governance forums track implementation of the risk management strategy. Action plans for all the strategic objectives are also discussed at these governance meetings. Tracking implementation of the risk management strategic objectives through the committee meetings enables the organisation to keep everyone charged with implementation plans and promotes accountability and ownership of the risk management programme by the relevant stakeholders. Effective implementation of the risk management strategy requires holistic integration throughout the organisation. It involves everyone in the organisation, from top management to non-management levels. An effective implementation plan also rests upon organisational readiness, such as having buy-in and support from all parties involved (tone from the top, underlying culture/attitudes/norms, skills, experience and capabilities). The strategy implementation plan must therefore have pillars that drive the risk culture to maturity.
Availability of adequate resources and functionality of systems that are in support of implementing strategies for risk are crucial. Even though systems and operational alignment is core to successful implementation of strategies for risk, failure to address the human element can present major challenges. Resourcing for the risk management strategy requires employing Risk Managers to drive the risk management programme and its strategic objectives. Furthermore, it is best practice to appoint Risk Champions within business units who are part of the business and can cascade the risk management strategic objectives at a peer-to-peer level. Risk Champions can also be very effective for SMMEs, considering their flat structures.
The management of risk and the implementation of risk strategies must be everyone’s concern in the organisation or business. There needs to be a clear understanding of how individual actions contribute to the overall risks faced by the organisation and the responsibility towards upholding the strategies put place to alleviate the impact on the business. Implementing the risk management strategy can therefore also be achieved through embedding the risk management strategic objectives into the performance scorecards for employees as one of the key performance indicators. This will ensure that managing risk is not seen by employees as additional work but is business as usual.
Another key aspect of strategy implementation is training. Training and upskilling of employees on risk management is required to ensure competence and that they are empowered to manage risks. Another aspect to consider in implementing the risk management strategy is ensuring that an adequate budget is set aside for all the activities required to carry out the plan. The budget can also be used to incentivise risk management and create reward opportunities for employees who demonstrate dedication to risk management.