Effectively managing risk is essential to every business. To achieve this, companies will typically have several programs to address different sources of risk such as: asset integrity, damage prevention, injury reduction, process safety, corporate risk, and others. All of these programs inherently serve to reduce risk to business, people, assets, and the environment.
However, each program may differ in how it thinks about risk and how risk should be addressed. This can lead to confusion when cross-functional teams are brought together to identify risk while changes are being considered.
It is common during organizational changes to bring various groups together to assess any new risks arising from the proposed changes. Far too often, these discussions are not as productive as they could be because each group has its own definition of risk. For example, to:
Engineers, risk is a hazard,
Management, risk is about uncertainty on system objectives,
Health and Safety, risk is a threat to personnel,
Finance, risk is a threat to return on investment,
Project Managers, risks are threats to schedule, cost, and quality.
In addition, in recent years regulators and standards organizations have started using broader definitions of risk that go beyond simply referring to hazards.
These different views of risk can lead to uncertainty concerning what assessment tools to use, how risks should be treated, and the controls and measures that need to be in place.
For example, to those involved with process safety, risks are tightly connected to hazards: if you remove the hazard, you remove the risk. So the discussions tend to focus on hazard identification and barriers. However, this technique has no parallel when considering impacts arising from organizational changes, cyber threats, and other sources of risk. For the latter, other techniques need to be used to identify and address risk.
To reduce confusion when discussing risk, it helps to use the same definition of risk. Using a consistent risk framework, and specifically a consistent definition of risk, across compliance programs can help ensure that risks are adequately identified and treated. The ISO 31000 risk management framework offers a definition of risk that can be used across multiple risk domains. This definition focuses on the effects rather than the chance that a risk will occur:
With some work, compliance programs can be reframed using this definition (or one similar to it) to provide a consistent vocabulary for talking about risk. Over time, this change will improve the outcomes of risk identification discussions, minimize the misapplication of risk assessments and treatments, and bring greater clarity to the level of risk recorded in corporate risk registers.
Plan-Do-Check-Act Questions:
In what ways have different meanings of risk affected your compliance programs?
How would your risk program benefit from using a common risk framework?
What step could be taken to increase the effectiveness of risk management within your organization?