Where does your Organisation Score in Managing Organisational and Regulatory Risk?
– by Peter Murphy
In a recent presentation to a leadership group from the Australian Securities and Investments Commission (ASIC), the response to the question “How well are we doing in managing organisational and regulatory risks?” showed an awareness that working with risk is core to good leadership (the sign of a healthy understanding). The ensuing discussion was like that of many organisations Noetic has worked with on risk management.
Many organisations spend considerable effort identifying the risks and threats that they may face now and into the future. This may include looking at changes in their operating environments, the introduction of new technology and shifts in stakeholder groups. Some organisations are well advanced in this respect, using structured, wide-ranging and dynamic processes to identify these emerging risks – this approach represents the gold standard in risk identification.
However, even organisations that meet the gold standard for risk identification often end up struggling with or neglecting the next step: identifying the controls and how effectively they are being implemented. This is relevant to both preventative controls (which prevent the causes of risk from occurring) and mitigating controls (which help prevent the consequences from occurring).
At its heart, risk management is about the management of controls. You cannot change a risk unless you act on one or more controls. To enable this, you need to know who owns each control (who is responsible to make sure it works) and have verification checks (how do we know it is working).
Often, organisations can end up with controls listed, even in modestly sized organisations. These lists can be unwieldy and can lead to an inability to manage risk effectively because the management of controls is overwhelmed by this volume.
Noetic is a leader in helping organisations to cut through this issue by implementing a program of Critical Control Management. This approach allows organisations to focus on the most important controls and by doing so makes the work of both frontline staff and management easier.
Implementation of the approach can help all organisations make needed improvements to their risk management. These improvements invariably flow through to better operational outcomes as risks are better managed across the whole organisation.
Noetic is currently running an online training course with the Risk Management Institute of Australasia, teaching the Critical Control Approach. You can learn more here.