3 tips to manage an enterprise-wide risk register
Once you have a few work sites up and running, it becomes a challenge to manage your risk register across the business. Here are some tips on how to do it.
Tip #1 – Use standard risk measures
In Australia, we are familiar with the idea of “tyranny of distance”. In the risk field, we face a “tyranny of diverse language”. The single greatest inhibitor to managing a risk register across multiple working sites (or multiple domains) is using different measures, terminology and systems. Having a standardised risk approach across multiple sites is the organisation’s best chance to have a single, cohesive risk register.
This means having a standardised approach to:
– The language and terminology used in risk
– The measures for risk
– The process for risk management from start to finish; and
– The form and format used for every facet of risk management.
Having a single risk register spreadsheet does not create a standardised approach to risk if each risk manager makes their entries a little differently. The solution to this is to provide training and guidance to each risk manager. The solution is not to appoint a single person to do data entry for all the risk managers, because that only disengages the risk managers from the risk register. The register should be logical and accessible to all users. Complicated spreadsheets with many hidden lines of code are not a good solution because so few people understand how they actually work.
The whole purpose of having an enterprise-wide risk register is to be able to aggregate data and make high-level decisions about risk. It is not a matter of being able to prove that your organisation has a comprehensive list of every risk in the business. It is a matter of being able to confidently say that you have reviewed the risks across your business and are satisfied with the level of controls in place.
Beware the top-down approach to standardising risk practice: you need the buy-in of the people at the bottom. So often we see businesses where an expensive software solution has been implemented by senior management, but the risk managers at each site loathe the system and deliberately avoid using it. This is even more dangerous than having no standardised system because the work outside the software is hidden from view.
Any move to standardise risk must have stakeholder engagement. Senior management may have a singular vision of where the business needs to be in terms of risk. But the buy-in of risk managers and frontline workers will make or break that vision. Stakeholders need to be engaged in the vision and need to be able to make meaningful contributions to the vision.
Tip #2 – Support collaboration
An essential aspect of an enterprise-wide risk register is the creation of a shared understanding of risk. This is why engagement is important: every risk manager needs to contribute to creating this shared understanding and needs to reach the same shared understanding. The best way to achieve this is by providing an appropriate forum for collaboration.
Sometimes this needs to be a physical gathering of risk managers at head office. This can be a painful exercise to coordinate, but provides fantastic opportunities for collaboration. Risk managers learn from each other about risk and work towards a shared understanding of risk through networking.
If we carry on the language metaphor from earlier, a collaborative forum provides an opportunity for risk managers to practise speaking the language. Speaking the words aloud and hearing them used in response cements the concepts in the human brain. This increases the likelihood of the standardised risk terminology being retained and applied. The risk manager then uses the same terminology back at the site, and it becomes part of the lingua franca among everyone affected by risk.
Online collaboration is the next best alternative to this kind of forum (or can be used in conjunction with the physical meet-up). The tools, templates and processes your business uses for risk should be inherently supportive of collaboration on risk. Risk managers should be able to converse with each other, make individual contributions to risk studies, and be engaged in the standardised approach to risk. The enterprise-wide risk register should be like the old Roman Forum: a place where knowledge is found, shared and debated. It should not be like a dusty old book which only gets checked out when someone has to make an entry.
Tip #3 – Use the right tools
There’s a military saying that goes: if you end up locked in a fair fight, you haven’t planned it correctly. This could be interpreted to mean that if you plan carefully and take every advantage you can get, you shouldn’t ever be stuck in a vulnerable position. In the risk profession, a fair fight is one in which there’s a fair chance that a risk event could cause harm. As risk professionals, we have a duty to take hold of whatever tools and advantages we can to mitigate risk.
That means being aware of the environment and the advantages that can be seized. The internet has considerably expanded the available advantages. With the internet, we have access to more knowledge and intelligence than ever before. We also have access to cloud-based tools and risk management software that wouldn’t otherwise be available anytime, anywhere.
Using the right tools for your risk register takes you out of the fair fight. Good cloud-based risk management software packages are available, and it makes sense to take advantage of them. Bear in mind that it is sometimes better to use a combination of packages to do the job well, rather than invest everything into one catch-all package that actually only does one thing well. It is possible to have a standardised risk approach using two software packages that play nicely together.
The key is to work out what knowledge you need to capture, and what it needs to interact with. A risk management software package can be combined with incident reporting/investigation software because there is limited knowledge that needs to be shared between them. Having a risk identification tool combined with a separate risk analysis package is more problematic because the two processes are so closely linked that knowledge-sharing needs to be seamless. Take a business analysis approach to your systems, and work out what capabilities you need and how they need to interact.
The finishing touches
Be aware that your risk register is a living thing. It need not be static, provided that you can always get the knowledge you need from it. Businesses often struggle once they have multiple operating sites because they expect a single spreadsheet to be a good solution. Having a spreadsheet for a risk register is an adequate solution for a single site. When you start having to cope with risk across multiple sites, it’s time to adopt a standardised risk approach.
That may mean looking at cloud-based risk register software options, or even a full risk management software product. It should definitely mean establishing opportunities for collaboration on risk management across your sites.
The golden rule of risk management is that it differs for every organisation. The best risk management system is the one that genuinely reflects how your business operates. Find the combination of standardisation, collaboration and risk management software that suits your circumstances.
How does your business manage its enterprise-wide risk register? Do the systems you have work well for risk across multiple sites?