LTT Business Bulletin - October 2014
James Field, MD of CompliSpace, and LTT1 member, explains why risk is a four letter word.
In the world of mid-sized business the phrase ‘risk management’ tends to be bandied around fairly liberally these days. Whilst risk management can mean different things to different folks, the reality is that the discipline of risk management is simply ‘management’ with a four letter word in front that denotes the linking of this discipline to a structured methodology such as the Enterprise Risk Management Standard, ISO 31000.
And, if truth be told, after you have read and understood the methodology set out in ISO 31000, you would be forgiven if you felt it appropriate to simply replace the four letters R-I-S-K with G-O-O-D as a more appropriate description of the discipline.
At a practical level we practise risk management every day and have been doing so since Joseph played fullback for Jerusalem. Don’t leave home without your keys, read the instructions before use, are we insured, have we hired the right people for the job? These are all simple and effective controls for risks in our personal and professional lives.
So what is the biggest risk in your business? Stop thinking about it, it’s simple – your biggest risk is your people.
So what is the best control for your biggest risk? Stop thinking about it, it’s simple – your policy management systems are the foundation for controlling the risks associated with your people.
In very simple terms, policies set out guiding principles as to how management expect an organisation to operate, whilst procedures set out the detail of actions that should be taken to achieve policies. Sometimes policies and procedures are all wrapped up in the same document that is referred to as a “program”. Sometimes they stand alone. Don’t get caught up in the semantics!
Having a robust set of documented policies and procedures and, perhaps more critically, effectively implementing them, is a must for any organisation seeking a sustainable future. Here are more than a few reasons why!
Driving Strategic Goals & Objectives: Whatever your organisation’s goals and objectives, a well designed and properly implemented policy framework will allow management to provide clear direction to your employees, which will in turn allow them to clearly focus on, and carry out, key activities which will ultimately deliver your organisation’s vision.
Want to be an “employer of choice”? Start by documenting a high performance human resources program. Want to have “happy customers”? Document your customer relationship management processes. And on and on it goes…
Individual Accountability: Documented policies and procedures are the first step toward achieving accountability by clearly establishing expectations with respect to the conduct, roles and responsibilities of individual staff members. If this is properly managed then your policies and procedures will allow management to guide operations without constant and costly intervention.
Controlling Risks: Whilst many organisations don’t think in formal risk management terms, the simple fact is that the primary reason policies and procedures are written is to control perceived risks. If you haven’t documented your disaster recovery program, the chances are you don’t have one. If you do not have a documented compliance program, then you have an ad-hoc approach to compliance, and so on. You get the picture.
Ensuring Compliance: Of course, a critical risk within any organisation is that it may fail to comply with its legal and regulatory and/or contractual obligations. Documented policies and procedures are key to ensuring compliance. In many cases (e.g. workplace safety) the maintenance of documented policies and procedures is, in fact, part of the compliance obligation.
Protection of Corporate and Personal Assets: Anyone who has ever been involved in litigation knows that at the end of the day, it often comes down to whether policies and procedures have been documented and whether they have been followed. What was your organisation’s safety policy, how was it communicated to staff, did they understand it, what levels of assurance did management have that the policy was being followed? Can you prove all of the above?
Developing a Corporate Culture: Anyone who has genuinely been through the process of defining an organisation’s vision and values knows that it’s not an easy task. Unless you write it down and develop a strategy and policy framework for developing your desired culture and setting out what is acceptable and unacceptable behaviour (e.g. code of conduct, email and internet usage policy), your culture will morph, often with unintended negative consequences.
Whilst consultants often refer to Corporate Culture as ‘what we do around here’, we prefer to view Corporate Culture as ‘what we do around here when no one is looking’. Policies and procedures that are adequately communicated, trained, tested and maintained ensure that all employees (from CEO to mailroom) know what is expected of them – especially when no one is looking.
Succession Planning: Documenting policies and procedures is a key part of the succession planning process. Rather than thinking about replacing the CEO, think about replacing the accounts/payroll/IT officer who has been happily running the back office for years. Without proper policy management these employees can become “irreplaceable”, not because of the standard of their work, but rather because they play a critical role in your organisation, and no one actually knows what they do.
Training Staff: If you don’t document your key policies and procedures how can you effectively train your staff? The simple answer is that you can’t. The more complex answer is that you can. However, you may be relying on the “buddy system” where an “experienced staff member” trains the “inexperienced staff member”. Sounds great in theory, but the “buddy system” leads to inconsistent outcomes and is extremely labour intensive (i.e. expensive).
Increasing Productivity: Well documented policies and procedures which are effectively implemented mean it is easy to train staff to achieve consistent outcomes. Well trained staff mean uniformity and consistency in the delivery of products and services. If your staff are all consistently doing what you want them to be doing, mistakes are reduced, fire fights (think customer complaints, supplier disputes) are avoided, and productivity will increase as management are released from fire fighting duty to focus their full attention on achieving your organisation’s strategic goals and objectives.
Continuous Improvement: Last, but not least, is continuous improvement. Documenting policies and procedures forces you to focus on the whys, the whats, the whos, the hows and the whens. Once you have thought through the policy and documented it, the process of ongoing monitoring, review and continuous improvement is a relatively straightforward one. Without documented policies and procedures the process of continuous improvement is close to impossible.
CompliSpace combines specialist risk management expertise with practical, technology-enabled policy management solutions. Their comprehensive suite of online risk and compliance modules is built in accordance with relevant standards, kept up to date with regulatory changes, and tailored to each customer’s needs. Contact CompliSpace at www.complispace.com.au