Risk Management

The single biggest concern expressed by nearly all of our clients at senior management level is how they can be better assured that their safety-related hazards and risks are being appropriately managed.

For most major organisations this is a particularly challenging task, given that the number of things that can go wrong is nearly infinite, which suggests we are faced with a near-impossible task.

Thinking about the challenge, it appears to me that boards, CEOs and senior managers need to better focus their safety efforts and priorities on their overall governance processes, with particular emphasis being placed on risk management and compliance.

Despite this approach appearing relatively simple, we often find much confusion exists around what governance really means and what the real role of directors, CEOs and senior managers is in discharging their governance obligations.

Put simply, governance, risk management and compliance (GRC) collectively form the foundation on which an organisation's management systems and accountabilities are determined. Because they are closely related concerns, governance, risk and compliance activities are increasingly being integrated and aligned, at least to some extent, in order to avoid conflicts, wasteful overlaps and gaps.

While interpreted differently in various organisations, GRC typically encompasses activities such as corporate governance, enterprise-wide risk management and corporate compliance with applicable laws and regulations.

Governance describes the overall management approach through which senior executives direct and control the entire organisation, using a combination of management information and hierarchical management control structures. Governance activities ensure that the critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate decision making, and they provide the control mechanisms that ensure strategies, directions and instructions from management are carried out systematically and effectively.

Risk management is the set of processes through which management identifies, analyses and, where necessary, responds appropriately to risks that might adversely affect realisation of the organisation's business objectives. The response to a risk typically depends on its perceived gravity and involves controlling, avoiding, accepting or transferring it to a third party.

Compliance means conforming to stated requirements. At an organisational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritise, fund and initiate any corrective actions deemed necessary.