Leadership and Commitment in the context of the Risk Management Framework

This article is the second of fourteen parts in our risk management series. The series takes a look at the risk management guidelines under the ISO 31000 Standard to help you better understand them and how they relate to your own risk management activities. In doing so we’ll be walking through the core aspects of the Standard and giving you practical guidance on how to implement it.

In this particular article, we’ll be highlighting the role and importance of leadership and commitment to supporting robust risk management practices. We’ll also be looking at the benefits of such support together with some practical tips for doing so.

As we learnt in the first article of this series, good risk management practices come from the top down. This can include your organisation’s top management, as well as any oversight bodies to which you may be subject. As a result, one of the most important roles that leadership can take on is developing a solid and consistent commitment to good risk management practices.

It is one thing for management to say they’re committed to good risk management practices; actually demonstrating that commitment is a totally different matter. From a practical point of view, most of this is achieved through effective implementation. We’ll be doing a deep dive into the nitty-gritty of integration in the next article in this series. However, for effective integration to occur, top management needs to allocate resources so that the job can be done well. The outcome of this resource allocation should then be the creation and distribution of an organisational statement or policy which is relevant to the risk or risks that you’re addressing.

In this statement or policy, your organisation should establish its risk management approach, plan, or course of action. You may already have some of these statements or policies in place. An example would be a safety manual for using high-risk, heavy machinery as part of your operations; a course of action here may make reference to regular workplace training in respect of manual handling or first aid; and a plan here may consider how regularly workplace training under your course of action should occur. Before you venture into creating these approaches, however, your leadership and management team should consider what mechanisms you currently have in place and whether they are sufficient and effective. If they’re not, this is a good starting point on the path to good risk management.

When top management designs these statements and policies, they should also appropriately assign authority, responsibility and accountability to your team members. Naturally, this acts as a tool which can help ensure that risk is effectively managed throughout your organisation, not just at the top level. It can be especially helpful to work collaboratively with these people to gather feedback as part of your commitment to continually improving your risk management practices.

Another matter to keep in mind when designing these documents is that they should be customised to the needs of your organisation and the particular risk or risks that you’re seeking to manage. With this in mind, these documents should be specific and not simply replicated from one risk to another. Your approach to risk management here needs to be tailored and relevant. Failure of your leadership team to do so may lower how risk management is perceived and prioritised in your organisation.

The benefits of your leadership team having a solid and committed approach towards risk management are too many to list exhaustively. This is especially true when considering the objectives, strategy and culture of your organisation, which you may be trying to achieve or shape through appropriate risk management policies and procedures. Central to doing so is communicating to your team that risk management is indeed a priority, which can support the systematic monitoring of risks throughout your organisation. This links back to the assignment of authority, responsibility and accountability to your team members, which is driven from the top down.

Another benefit of leadership’s commitment to risk management is that relevant risk management practices continue to remain appropriate and relevant to your operations. Achieving this may involve regular and periodic reviews of those practices, which can be adjusted and tailored to your risk appetite and needs at different points in time. As an example, matters which may impact that risk appetite may result from the outcome of workplace accidents. Another matter of impact may be the outcome of an audit from an involuntary or voluntary oversight body. It is important to note, however, that such adjustment should not be based solely on your risk appetite; you should customise your risk management approach in accordance with the principles that we discussed in the first article in this series. Failure to do so may lead to wayward practices, leading to more risk exposure for your organisation.

Although we have touched on the importance of authority and responsibility being assigned to members of your team, and how this informs conformance to those practices, top management is ultimately responsible for whether those practices are conformed to. This is why it is so critical for risk management to be approached from the top down and managed in accordance with the points above.

Although we have placed some emphasis on the importance of authority and accountability for your team at the different levels of your organisation, top management is ultimately responsible for managing risks. Similarly, oversight bodies are responsible for overseeing risk management. You may be subject to involuntary oversight bodies, such as your local health authority if you work in food, or to voluntary oversight bodies that are relevant to your organisation’s industry.

Now, the responsibilities of oversight bodies in the context of risk differ quite significantly from those of more “general” organisations. This is because they are expected to ensure that the objectives chosen by organisations sufficiently consider the risks that may result from pursuing those objectives. In addition to this, they are also expected to ensure that the risks that do arise are appropriate and reasonable in the circumstances.

In doing so, these bodies need to actually understand the risks being faced by the organisation. You’ll typically find that the representatives of such bodies are well versed in the industry and operational reality of the organisation they are assessing. This can be particularly helpful when reaching the closure of an oversight audit, for example, where they can provide relevant and industry-specific information to help with your compliance. A drawback to this, however, is that it occurs after the fact. For this reason, risk management needs to be proactive.

Central to the role of oversight bodies is also to ensure that the systems an organisation has chosen are actually implemented and operate effectively. For example, if you develop a robust risk management framework but fail to hold anyone accountable for adhering to it, this is clearly an issue. Beyond this, if you have a plan, policy, or procedure and fail to communicate it, this is also an issue. What these two factors come back to is the ability of management to articulate them to their teams.

In any event, effective leadership practices and management’s ongoing commitment to supporting a robust risk management framework can be established and maintained through the use of the ISO 31000 Standard. In this article we’ve looked at section 5.2 of the Standard, which reflects on the importance of good leadership and management, the benefits of such an approach, as well as the role of oversight bodies. If you’re interested in reading more about the Standard and how it can be applied, stay tuned for the coming articles in this series.


If you have any stories – good or bad – about how you’ve introduced the risk management framework into your business, I would love to hear them.

If you’re looking at incorporating the risk management framework into your practices and procedures and would like some guidance or a conversation to help you on your journey, please contact me. I’m more than happy to guide you.