
Risk management program


Anonim

In Quality Management and Risk Management we mention the steps established by the AS/NZS 4360:1999 standard on Risk Management, which we expand on in greater detail below. The steps are the following:

Step 1: Support from senior management

As in all management philosophies and standards, including the development of the Balanced Scorecard, the decisive support of senior management is important. Senior management must be responsible for maintaining this new philosophy and for setting an example of awareness of 'risk management'. In any organization that lacks the support of top management, it is preferable not to undertake a project of this nature. In the public sector it is mandatory regardless of superior support, although that support is always advisable.

Step 2: Develop the organizational structure and policy

As with ISO 9000 and ISO 14000, a corporate risk management policy must be developed and documented, endorsed by the organization's executive, and implemented throughout the organization.

The recommended aspects are:

  • Define the objectives of the policy and how the risks are to be managed;
  • As in the other standards, establish the links between the policy and the strategic / corporate plan of the organization;
  • The scope, or the range of aspects to which the policy applies;
  • A guide to what can be considered acceptable risk;
  • Definition of who is responsible for managing risks;
  • The support available to assist those responsible for managing risks;
  • The level of documentation required; and
  • A plan to review organizational performance against the policy, somewhat similar to ISO internal audits.

In one way or another, the Continuous Improvement circle of Plan, Do, Check and Act must be applied.

Step 3: Communicate the policy

Ensure that risk management becomes an integral part of the Strategic Planning processes and the culture of the organization.

The standard recommends the following aspects:

  • Establish a team responsible for internal communication of the policy;
  • Strengthen awareness of risk management;
  • Communicate the scope of risk management throughout the organization;
  • Develop a risk management culture, and develop competencies in the personnel through education and training;
  • Establish appropriate schemes of recognition, rewards and sanctions (a point that we do not always share, since we do not believe in punishments and rewards).

Step 4: Manage risks at the organizational level

Develop and establish an organization-wide risk management program.

The risk management process must be integrated with the strategic planning and management processes of the organization.

For this, the standard recommends:

  • Analyze the context within which the organization and its risk management are located;
  • Identify the potential risks for the organization;
  • Analyze and evaluate these risks through the use of FMEA (Failure Mode and Effects Analysis);
  • Define the strategies with which the detected risks will be treated;
  • Establish mechanisms to review the action plans; and
  • Establish strategies to promote awareness, the acquisition of experience, training and education.

Step 5: Manage risks at the program, project, and team level

Develop and establish a program to manage risks for each area of the organization, program, project or team activity. In this regard, it is advisable to follow what the ISO 14000 standard for Environmental Management establishes for environmental management programs.

Step 6: Monitor and review

Develop and implement mechanisms to ensure ongoing risk reviews, similar to the audits of ISO management systems.

Management must review the effectiveness of the risk control system in a planned way.
