Should you adopt a risk management standard in your organization? There are pros and cons either way and in this article we’ll look at both. Then – at the risk of spoiling the surprise! – we’ll conclude with some reasons why we think it’s worth considering adopting a risk management standard.
But first, let’s check we’re all on the same page with what risk management standards are.
What is a Risk Management Standard?
A risk management standard is a nationally or internationally recognized, documented approach to managing risk in organizations.
ISO 31000 is the internationally recognized family of risk management standards. It sets out principles, a framework and a process that give risk management practitioners guidance on recognized good practice for implementing risk management.
However, this standard is deliberately broad: it isn’t written for any specific industry, sector or management level, and it is a guidance standard rather than a requirements standard, so an organization cannot be certified against it. It provides an internationally recognized benchmark for the practice of risk management. Your industry or country might have derivative standards based on ISO 31000 that are more specific, with recognized frameworks and best practices relevant to your organization.
When we talk about adopting a risk management standard, we’re talking about finding an appropriate standard and aligning the way you do risk management in your organization to that.
Advantages of Adopting a Risk Management Standard
As you can imagine, there are plenty of advantages to adopting externally recognized ways of working in relation to risk.
- Everyone in the company will use standard terminology when discussing risk, regardless of whether they are working at project level, enterprise risk management level or somewhere in between.
- It’s easier to recruit experienced (and good) risk specialists because you can specify that you need experience in the standard. This makes their onboarding easier because they don’t have to learn your bespoke processes. Longer term, using national or international standards can also help retention, because the skills staff build are portable and recognized rather than specific to your organization.
- Standards are tool-agnostic: they define terminology and process, not software. Regardless of what risk management software you are using, you should be able to configure the tool to fit the standard’s process without investing in additional software (assuming you already have something that does the job).
- Adopting a risk management standard can help you win more business, as customers want to see that you take risk management seriously. Naming a recognized standard makes that instantly visible to them. Be precise about what you claim, though: for a guidance standard such as ISO 31000 you can say your practice is aligned with it, but there is no certification to point to, so customers may still ask for evidence of how the standard is applied.
- It’s easier to benchmark your performance against other organizations using the same approach.
- There’s often a community of standard users. If you need help, it’s easier to ask for help with elements of a recognized standard than it is your own bespoke methodology. Everyone in the extended community will already know what you are talking about!
Having said that, the risk management standard you choose should be your baseline. It’s OK to customize the standard to better fit your working practices or your industry. The way you do risk management is specific to your business – and while there are guidelines out there to help, ultimately you get to decide how risk management works in your own organization.
Disadvantages of Adopting a Risk Management Standard
Changing how you manage risk in your organization can be a big upheaval. There are many people to train in new methods and terminology. There is process documentation to be rewritten. And that’s on top of the bulk of the work: performing a gap analysis to establish how far your current practice is from the standard and how to make the move in the first place.
You might face pushback from senior leaders in the organization who don’t see the value in changing the way risk is managed. If the way you manage risk is perceived to be adequate already, going through a large risk re-engineering program might not be considered a priority, especially if you can’t easily tie the work back to a tangible return on investment.
The changes we’re talking about aren’t cosmetic. It’s not simply a case of updating the language in your risk documentation to ensure it’s using the new standard vocab. In reality, you’re looking at a complete review of your current processes and practices.
The new standard might not easily fit to what you are doing already, so you could have to introduce new ways of working. And the standards might need customizing to your industry or business. All of this takes time and investment.
Reasons to Go For It
If you are serious about managing risk at a project and enterprise level, then it is worth seriously considering aligning your processes to a risk management standard.
The main reasons to adopt a risk management standard are:
- Improving the identification of threats (risks with a negative outcome for the business) and opportunities (risks with a positive outcome for the business)
- Allocating resources to risk management activities more effectively
- Increasing the likelihood that your organization will achieve its strategic goals due to better oversight and governance.
Yes, it can seem like a lot of work, but the result is a genuine improvement in how your organization manages risk. And it doesn’t have to be time consuming. Experienced risk management practitioners, whether internal staff or external consultants, can quickly review what you currently have in place and put together a plan that makes the standardization effort as painless as possible.
If you decide that you want to improve your risk management approach at project, portfolio and enterprise level, then a good next step would be to undertake some risk management training. This will help you get all practitioners to a common level of understanding.
After that, you could look at getting a risk management maturity assessment to help build awareness in the organization about the current level of maturity around the way you manage risk. This is hugely valuable in later conversations about making process improvements.
Still not sure? This webinar will provide you with a model of best practice risk management that can help you to determine where to focus your attention to improve risk management.