(This is part three of a three-part series on Enterprise Risk Management)
Much of what drives organizational performance is its culture. A healthy culture – one where issues, ideas, and opportunities for improvement are routinely addressed – is one where risk is minimized. The reason is simple: if you have a high-engagement environment, you have a much lower-risk environment.
Growing up in the early years of Lean, I learned about an organizational philosophy that held sacred the value of employee-driven continuous improvement and high engagement. To create such a culture demands that employees feel safe to raise issues. You can’t improve something if it is not okay to talk about what isn’t working. And you must respect the very people who demonstrate the courage to improve the organization.
The overarching purpose is to ensure that risk management and internal control are defined and treated as a process reliant upon people’s commitment and capability. Therefore, risk management is intended to provide “reasonable assurance” in the achievement of the following objectives:
- Operational effectiveness and efficiency
- Financial reporting
- Legal and regulatory compliance
- Protection of assets
This is where the NOW Management System comes in.
The NOW Management System is foundational to creating a high-engagement environment. It is all about establishing clear measures that define what matters, assigning ownership for those measures, and routinely improving the way work gets done in order to achieve the organization’s goals. All of that requires a culture of respect for people, a culture where the voice of our employees is core to the health of the organization.
From my perspective, I cannot separate the management of enterprise risk from the creation of a high-performance and high-engagement organization. People are the best controls that exist because people see everything that is going on. If you can see performance problems (aka risks) through facts, then you can do something about those risks.
I believe it is human nature to care about success. And I believe that if you observe employees not caring, it is a reflection of the culture of the organization, not a condemnation of the individual. People don’t care when their caring is discounted or ignored. People don’t care when they discover that caring doesn’t matter because management has no interest in the concerns they raise.
Much of risk management is about testing the organizational environment to see if the risks are being appropriately managed. In a high-engagement environment people will surface and address all kinds of risks every day because that is the nature of the environment.
What we’ve learned over the past 30 years about creating high-performance organizations is that great management practices inherently manage many of the risks our organizations face.
A closing note: For organizations that are implementing the NOW Management System and want to shore up their fundamentals from a risk perspective, we recommend adding “Managing Risk” as a core process. Here are some sub-processes worth considering, based on the COSO Framework:
- Assessing internal environment
- Setting risk objectives
- Identifying and prioritizing potential risk events
- Assessing current risks
- Developing risk response and mitigation
- Establishing control activities
- Communicating risks and risk responses
- Monitoring risks