- Julian Talbot
How to operationalize risk management
TL;DR: It's about culture. If you have to 'operationalize' risk management, whatever you're doing isn't risk management.
Risk management isn't self-licking ice cream, and it shouldn't (in theory) exist for its own sake. The clue is in the name. Management is a process, and like any other process, it should have an input, a process, an output, and a feedback loop.
Risk assessments (should) lead to treatment plans, and these treatment plans become management systems (e.g., procedures, policies, protocols), projects, strategies, etc. All this requires some capability and knowledge of the management systems (e.g., via training) and then a feedback loop to check/adjust/verify that the process is working.
Another way to look at risk management is to think about the Strategy-Assurance-Refinement model.
None of which is to say that these systems are magical. They are just part of an integrated and well-managed operation. Operational risk management comes down to culture.
And culture is, quite simply, the sum of the decisions and behaviors of all the people in the organization. But the way to build culture is to start with a clear idea of the sort of risk culture you would like to see, based on the behaviors and decisions that will best support objectives.
In my years of management experience, I've heard many promises about how to change an organization's culture. But I've only found one approach that works consistently and generates lasting results.
Practical, targeted training gives people additional tools to apply to a workplace (or life) challenge. Most people will choose the best tool available for that particular issue. That might be a socket wrench, a brainstorming workshop, a communication strategy, or whatever. But if the best means to address the problem is one they recently acquired, it will result in a new behavior.
At this point, cognitive dissonance kicks in. Cognitive dissonance is experienced as psychological stress when people participate in an action that conflicts with their feelings, ideas, beliefs, values, or things in the environment. In this context, the beneficial aspect of cognitive dissonance is that it also works in reverse. When we repeatedly do things a certain way, we unconsciously align our ideas and beliefs with the view that our behavior is 'good' and should be encouraged in ourselves and others.
When enough people share similar attitudes and behaviors, we call that culture. And when that culture aligns with the risk management systems, risk management is, for lack of a better word, 'operationalized.'