Risk management is an intrinsic part of an organisation’s governance landscape and is often talked about in risk or audit committees, by compliance teams or discussed at the C-Suite level. This outdated approach to risk is no longer an effective means of managing risk - as recently evidenced by various Australian National Audit Office (ANAO) performance audits including Grant Hubs and Superannuation Guarantee.
With governance and control frameworks being identified as only partially effective, it is time to bring managing risk to the forefront of an organisation’s corporate agenda and find ways to share the responsibility for risk more broadly.
McKinsey & Co. recommend that organisations have robust risk management capabilities in place and promote a risk-aware culture. Risk capability and risk awareness sit at a more granular level than committees and frameworks and that is where organisations need to focus their attention in the coming years.
A recent risk culture survey performed by the Australian Prudential Regulation Authority, showed that responsibility and accountability for risk was one of the lowest scoring dimensions in the survey. Building a strong organisational risk culture takes time, however it also requires investment, intention, and a sustained approach.
To devolve responsibility and accountability for risk, organisations need to understand how they can embed risk management and make managing risks a part of everyday business activities and become business as usual. When risk is managed as a project or a one-off annual event, it easily becomes a tick and flick exercise with little durability beyond a risk matrix and risk rating.
Those organisations that operationalise risk management at business unit level, are the ones that will rest easy in the knowledge that risk is shared and understood by those working with risk sources every day. The processing staff, the customers, the supervisors, and team leaders all undertake business processes that hold these sources of risk. Protecting the organisation against fraud, financial loss and mismanagement is woven into daily tasks and is barely noticeable as red tape or an impost on top of workloads.
Organisations have tried and failed to build risk-aware cultures – how many times have we seen a communication campaign on the latest Corporate Report wane after a few weeks. Risks and controls need to be operationalised and it is easier than you think.