The “How To” of Risk Monitoring and Review
This article is the thirteenth of fourteen parts to our risk management series. The series will be taking a look at the risk management guidelines under the ISO 31000 Standard to help you better understand them and how they relate to your own risk management activities. In doing so, we’ll be walking through the core aspects of the Standard and giving you practical guidance on how to implement it.
In previous articles we’ve looked at the core elements of the risk management framework and the role of leadership and commitment, integration, design, implementation, evaluation and improvement more specifically. We’ve also briefly looked at the risk management process in a general sense, the importance of communication and consultation, how to set your scope, context and criteria, identifying, analysing and evaluating risks, as well as treating risk. In this article, we’ll be looking at how you can monitor and review your risk management process.
Introduction
At this point in the game your risk management process is pretty well evolved. You’ve designed it, you’ve implemented it, you’re continually evaluating it, you’re continually improving it, you’re communicating it effectively, you’ve customised it to your organisation, you’re using it to treat risks in your organisation, and now you need to monitor and review whether and how all of this is working together cohesively. The reason for asking is that the purpose of monitoring and review is to assure and improve the quality and effectiveness of the risk management process design, implementation and outcomes. This comes back to the core principles of continual improvement, dynamicity, and above all else, the creation and protection of value within the ISO framework, and therefore your organisation. Below we’ll take a look at when you should be monitoring and reviewing your risk management process, the activities associated with monitoring and review, as well as actioning the findings of your monitoring and review activities.
When to monitor and review
The question of when and if you should monitor and review your risk management process has a simple answer: you should be monitoring and reviewing that process on an ongoing and periodic basis. This is applicable to the risk management process holistically as well as to each individual aspect of that process – being (1) communication and consultation, (2) scope, context and criteria, (3) risk assessment, (4) risk treatment, and (5) recording and reporting. These ongoing and periodic reviews may be conducted monthly or even quarterly. However, the frequency of your monitoring and review process should be determined with your organisation’s needs and objectives in mind. This also includes consideration of the resources which are available for you to actually conduct such activities, such as the people on your team and their time availability for doing so.
Activities involved with monitoring and reviewing
Your organisation’s monitoring and review activities should be a planned process, ideally on an ongoing and periodic basis as we’ve mentioned above. As part of this process, you should be focusing on planning, gathering, analysing available information, recording the results and then providing feedback on those results. From these activities, what you’ll be aiming to do is improve the quality and effectiveness of risk management process design, implementation and outcomes. We’ll look at each of these activities in a little more detail below.
- Planning: Planning in the monitoring and review process can take many forms. It may take the form of planning the time at which you’ll be conducting your monitoring and review process, it may involve developing a plan around how you’ll address the feedback that results from the activities we touched on above, and it may also include planning for any matters or issues that you’re wanting to specifically address or investigate through your monitoring and review process. While you may have matters or issues that you’re specifically seeking and planning to target, you should be conscious of the fact that the monitoring and review process is a holistic one.
- Gathering: Gathering refers to the availability of data and how you collect that data. You may choose a certain source of data to exclusively monitor and review, such as internal data on the number of incident reports regarding a workplace health and safety risk, or you may choose to rely on less structured data concerning your process such as the qualitative comments taken from staff in respect of the process as a whole. You may even choose to consider these two sources in tandem for a more holistic data set. It should be noted, however, that your data gathering process will depend on the risk itself, the risk management process aspect that you’re analysing, and whether or not there is actually any data available concerning that aspect or process. You need to ensure that you actually have data to gather and analyse.
- Analysing: Once you’ve gathered your data together, you will need to analyse it. This involves considering the data through the lens of your risk management process and framework. What you’ll be trying to determine during this analysis phase is, once again, dependent on the needs of your organisation; you may even seek to simply take away as much as you can from the data. Beyond this, you may discover something that you weren’t necessarily looking for which can help to refine and improve your risk management process.
- Recording results: How you record the results from your data collection will depend entirely on the systems and processes in place in your organisation. Whatever those systems and processes may be, you will need at the very minimum to document the findings of your data analysis in one way or another, even if it is as simple as a Word or proforma document that you develop to address this aspect of the process. This will also depend on the resources available to your organisation, such as the time which can be invested in developing complex reports which record and document the findings from your data analysis.
- Providing feedback: The feedback that you provide following your data gathering, analysis and recording activities is critical. To this end, feedback should be constructive and relevant to addressing the risk at hand and to improving the risk management process more generally. You also need to ensure that this feedback is effectively communicated back to the relevant stakeholders within and external to your organisation. Without correct communication here, your entire monitoring and review process can be deemed redundant.
Actioning your monitoring and review process
Following your monitoring and review process, you’ll want to ensure that, whatever the outcome is, you effectively incorporate it into the organisation’s performance management, measurement and reporting activities. This will act as a control mechanism to ensure that you’re fully capturing the benefit of your work and that you’re adhering to the continual improvement principle of the ISO Standards.
Conclusion
Monitoring and review is a critical aspect of the risk management process. It ensures that everything within that process, together with the treatment of the risks that it is seeking to address, is working effectively and efficiently. Through monitoring and review, you are able to iterate on and improve the risk management process on a periodic and ongoing basis through the activities of planning, gathering, analysing, recording results, and providing feedback on those results.
If you have any stories – good or bad – about how you’ve approached monitoring and review in your organisation, I would love to hear them.
If you’re looking to improve your risk management process and would like some guidance or a conversation to help you on your journey, please contact me. I’m more than happy to guide you.