In order to embed risk management throughout an entire organisation, we are told that it must be led from the top and be seen as a cultural issue. It will also require constant attention.
Clearly, risk management is a matter for everyone in an organisation to think about - only then can you call it fully embedded. And I believe that a company's human resources department has a specific role to play.
Perhaps a core competency on 'concern for risk' should be developed?
Many high reliability organisations, such as power and utility companies, and the military, have concern for safety as a core competency for all, and it seems to work. They are risk takers and accordingly must understand risk and the risk and reward equation, and, as such, often have a zero tolerance approach. There are few accidents in such companies due to their robust approach to safety, coming from the top, culturally embedded and given constant attention.
So having concern for risk as a core competency and performance objective, evaluated at each appraisal, should have a measurable effect on reducing the number of surprises a business has to face. People will see greater management attention being focused on this area, and clear action plans to close gaps. This in turn would enhance success and lead to the embedding of a risk management culture, behaviour, framework and core values acceptable across the organisation and a more positive regulatory approval rating.
Engendering commitment
The challenge is to engender a cultural commitment to risk management.
How can we in risk management link people management systems to business risk management success? Core competencies are clearly one way to do this, as they focus on how an employee creates value for the organisation.
It is interesting to note, when reviewing core competencies, that the headings that appear are generally used throughout most businesses - headings such as: 'strategic thinking'; 'problem solving'; 'relationship management', and 'team building'. So how can an organisation develop competency in the workforce for risk management?
The first step is to define what is needed. Is risk management already one of the organisation's core corporate values? Is it a requirement of employee behaviour?
A risk management competency framework can be designed to align with the organisation's strategic goals without diminishing overarching objectives.
On the contrary, it can support those objectives - minimising risk and maximising success by incorporating the risk management and assessment considerations within the strategic and operational planning processes of an organisation. Organisations are now under constant scrutiny by stakeholders, looking to see how they manage themselves. Putting risk at the heart of a skilled workforce clearly shows good corporate governance.
That is why the human resource function needs to play a greater part in driving the behaviour needs of an organisation to include concern for risk and be seen as a partner in making risk management everyone's business.
Today the risk management brief is widening to include corporate social responsibility, conduct, ethics, operational risk, reputation, regulation and compliance to a greater extent than ever before. With a core competency evaluation of concern for risk, such things can be dealt with from the outset and as part of the normal course of a business, rather than being major shifts in how it operates.
I have included an example of how a competency table for concern for risk could look. The table includes a few suggested examples of 'concerns for risk'. This is not intended to be a definitive list of examples, nor does it represent the range of issues that we consider at Lloyd's, but nevertheless risk advisers and their human resource leaders may find it useful as they consider what elements may be applicable or otherwise for their own organisation.
David Herratt is risk executive, Lloyd's, Tel: 020 7327 6550, E-mail: david.herratt@lloyds.com