Do your teams speak the same risk language?
Risk management happens at multiple levels in the organization. Project teams record risks and pass them up to program managers. Program risks are consolidated at a portfolio level. Departmental managers keep local risk logs and pass those up through the management hierarchy.
Ultimately, you have one central repository for enterprise-level risk. This holds the big things: the risks that the executive committee and directors need to be aware of and actively leading on to keep the business moving in the right direction.
However, a common problem arises once this risk reporting framework is in place. Risk is so devolved that people start to migrate away from common standards and use their own way of talking about and recording risk.
One department might have a risk assessment scale that runs from one to five, another may use one to seven. Project teams might categorize risk differently from operational teams. Over time, everyone starts to speak their own language about risk. What does it mean to me if a risk is classified as ‘severe’? Is that the same as a ‘major’ risk to you?
Why the confusion happens
Risk management often starts out as a local activity, with teams doing broadly their own thing, before enterprise risk management comes along. Your managers are sensible people. They know they should be managing risk, and when there wasn’t a corporate framework, they created their own.
Project managers arrived from different companies and managed risk on their projects slightly differently. But because there was no corporate standard, and they were still using best practice principles, that wasn’t a problem.
Over time, different departments issued slightly different guidance to their teams. With all of these little actions happening across the organization, and risk becoming embedded in teams with slightly different words, we start to see the language diverge. Concepts are called something different. Rating scales are tweaked to better fit a local department’s reporting needs.
While the business is taking risk seriously, you can’t be truly effective until everyone speaks the same risk language.
Take a pragmatic approach to risk
How do you get to the point where everyone talks about risk in the same way? Enterprise risk managers often come across this problem, and the skill is in approaching it pragmatically. Very few business cultures respond well to someone coming in with a rule book and demanding managers follow it slavishly from tomorrow.
Do a risk management maturity assessment and find out where the business is overall. That will help you identify the best next steps. Anything you do to improve enterprise risk management maturity is likely to take a little while, and looking at risk language should definitely be on your improvement plan.
It takes time to change the language people are using, and you need to manage that transition towards a standardized risk approach the same way you would manage any business process transformation. Make sure you factor in adequate employee engagement at all levels of the organization.
Understand the current position
First, understand what’s out there. Get copies of all the risk guides, rating scales, modelling tools, probability and impact grids and the rest. Look at response plans and see if everyone uses the same categories for risk response. How are risk budgets managed? Different teams may have different approaches to handling contingency and risk mitigation funding.
Look at what people are using. You will likely be pleasantly surprised by the vast majority of it and horrified by a few pieces you uncover!
Some of the “rules” might be written down in work instructions or standard operating procedures. But a lot of it will be done by learned experience and the judgment of managers. It’s worth sitting down with managers to talk to them about how their teams manage risk and what the expectations are. You will learn just as much from listening as from reviewing their documentation.
The easiest way to find out what people are using today to manage risk is to ask them. Start with the PMO, division or department heads and see what comes rolling in.
Standardize the language
Next, you need to work out what you want the standard to be. The easiest approach is to choose something that is already in common use at least somewhere in the business. It’s simpler to roll out a template or toolkit that is already working well for a team than to design and embed a whole new approach.
Take a look at what you’ve been given from the various teams and piece together the best practice standard that you want to move towards.
There may be some pieces of a whole risk framework missing. As a risk manager, you’ve got more experience (and more time) to dig into risk management strategies, so there are some elements you want to use that simply don’t exist right now.
Create your standard. Use standard language. Update documentation to reflect the way you want people to talk about risk.
Then issue the documents, with a full change management plan, explaining why the change was necessary and what the benefits are.
Reinforce the language
Habits are hard to break. If you’ve always assessed risk proximity one way, it is hard to switch overnight to doing it differently.
Language can help reinforce practice. Getting everyone to talk in the same way about risk will help them remember what practice changes they also have to do.
A common language for risk makes it easier to compare risks across departments and assess risks against a common framework. This makes it far easier at portfolio and enterprise level to see the true risk position of the business, so you can take appropriate action as a management team.