• Julian Talbot

How to operationalize risk management

TL;DR: It's about culture. If you have to 'operationalize' risk management, whatever you're doing isn't risk management.



Risk management isn't self-licking ice cream, and it shouldn't (in theory) exist for its own sake. The clue is in the name. Management is a process, and like any other process, there should be an input, process, output, and a feedback loop.


Management systems consist of an input, process, output and feedback loop
Management system

Risk assessments (should) lead to treatment plans, and these treatment plans become management systems (e.g., procedures, policies, protocols), projects, strategies, etc. All this requires some capability and knowledge of the management systems (e.g., via training) and then a feedback loop to check/adjust/verify that the process is working.

This diagram illustrates how management systems consist of strategy, operations, and implementation
Complex Management System

Another way to look at risk management is to think about the Strategy-Assurance-Refinement model.

To implement a management system requires some form of assurance, compliance, and feedback model
Implementing a Management System

None of which is to say that these systems are magical. They are just part of an integrated and well-managed operation. Operational risk management comes down to culture.


And culture is, quite simply, the sum of the decisions and behaviors of all the people in the organization. But the way to build culture is to start with a clear idea of the sort of risk culture you would like to see, based on the behaviors and decisions that will best support objectives.


In my years of management experience, I've heard many promises about how to change an organization's culture. But I've only found one approach that works consistently and generates lasting results.

Training changes behaviors which change attitudes which change culture
TBAC Model of Culture Change (Julian Talbot)

Practical, targeted training gives people additional tools to apply to a workplace (or life) challenge. Most people will choose the best tool available for that particular issue. That might be a socket wrench, a brainstorming workshop, communication strategy, or whatever. But if the best means to address the problem is one they recently acquired, it will result in a new behavior.


At this point, cognitive dissonance kicks in. Cognitive dissonance is experienced as psychological stress when people participate in an action that conflicts with their feelings, ideas, beliefs, values, or things in the environment. In this context, the beneficial aspect of cognitive dissonance is that it also works in reverse. When we repeatedly do things a certain way, we unconsciously align our ideas and beliefs that our behavior is 'good' and should be encouraged in ourselves and others.


When enough people share similar attitudes and behaviors, we call that culture. And when that culture aligns with the risk management systems, risk management is, for lack of a better word, 'operationalized.'




Recent Posts

See All