How to achieve effective communication in risk management

In this class, Alejandro Orrego, CEO at Pirani, teaches us what the Quick Guide to the risk management process is, the Key components of ISO 31000, Communication and consultation, what is and what is not risk management culture, 10 tips, and Best Practices to achieve effective communication in risk management.

Communication and consultation

The purpose of communication and consultation is to assist relevant stakeholders in understanding risk, the basis on which decisions are made and the reasons why particular actions are required. Communication seeks to promote awareness and understanding of risk, whereas consultation involves obtaining feedback and information to support decision-making. Close coordination between the two should facilitate factual, timely, relevant, accurate and understandable exchange of information, taking into account the confidentiality and integrity of information as well as the privacy rights of individuals.

Communication and consultation with appropriate external and internal stakeholders should take place within and throughout all steps of the risk management process.

Communication and consultation aims to:

• bring different areas of expertise together for each step of the risk management process;

• ensure that different views are appropriately considered when defining risk criteria and when evaluating risks;

• provide sufficient information to facilitate risk oversight and decision-making;

• build a sense of inclusiveness and ownership among those affected by risk.

What is RISK MANAGEMENT culture?

Refers to the values, beliefs, knowledge, attitudes, and understanding about risk shared by a group within an organization. It influences the decisions and behaviors of individuals and teams when addressing risks.

A strong risk management culture promotes an environment where every employee understands the importance of risk management and plays an active role in identifying, communicating, and addressing risks to achieve the organization's objectives. It encourages open communication about risks, lessons learned from past experiences, and continuous improvement in risk management practices.

What is NOT RISK MANAGEMENT culture?

• Training
• Guides
• Procedures
• Games and activities
• Encouraging messages of risk

These elements are part of and tactics of risk management culture.

THE THREE LINES OF DEFENSE

1. FIRST LINE OF DEFENSE  - OPERATION

This is the operational level of the organization where the day-to-day business activities take place. It includes all employees and departments that are responsible for managing and controlling risks. The first line of defense is responsible for identifying and managing risks as they arise, and for implementing controls to prevent or mitigate those risks.

2. SECOND LINE OF DEFENSE - RISK & COMPLIANCE

This is the risk management and compliance function within the organization. The second line of defense provides oversight and guidance to the first line of defense to ensure that risks are properly identified, assessed, and managed. It also ensures that the organization is in compliance with relevant laws and regulations.

3. THIRD LINE OF DEFENSE - INTERNAL AUDIT

This is the internal audit function within the organization. The third line of defense provides independent assurance that the first and second lines of defense are working effectively to manage risks and comply with regulations. The internal audit function also identifies opportunities for improvement in the risk management processes and provides recommendations for addressing any deficiencies.

10 TIPS to achieve effective communication in risk management

1. Establish Clear Objectives and Scope

• Define Purpose: Clearly articulate the purpose and objectives of risk management activities.
• Scope: Ensure everyone understands the scope of what is being managed, including specific risks, projects, or processes.

2. Engage Stakeholders Early and Often

• Identify Stakeholders: Recognize all stakeholders, including employees, management, clients, and external partners.
• Regular Updates: Keep stakeholders informed with regular updates about risk assessments, changes, and mitigation efforts.

3. Develop a Communication Plan

• Structured Approach: Create a communication plan outlining how, when, and to whom information will be communicated.
• Channels: Utilize multiple communication channels (e.g., meetings, emails, reports, dashboards) to reach different audiences.

4. Use Clear and Consistent Language

• Avoid Jargon: Use simple, straightforward language to explain risks and their implications.
• Consistency: Ensure consistency in terminology to avoid misunderstandings.

5. Foster an Open Communication Culture

• Encourage Reporting: Promote a culture where employees feel comfortable reporting risks without fear of reprisal.
• Feedback Loop: Establish mechanisms for feedback to continuously improve risk management processes.

6. Tailor Communication to the Audience

• Audience-Specific Messages: Customize messages to fit the needs and understanding of different audiences (e.g., technical details for IT staff, high-level overviews for executives).
• Visualization: Use charts, graphs, and other visual aids to help convey complex risk information more effectively.

Make It Easy to Understand

• Give the problem a simple, positive “business name” not a “security name” - Branding matters more than you think
• Stoplight charts; red, yellow, green
• Up arrow, down arrow (trending)
• Keep it simple:
  • Problem/solution statement
  • Risk - why does this need no happen?
  • Maturity - how easy will this be?
  • Cost - how much will it cost and is there cost recovery?
  • Priority (tactical or strategic) - when should we do this?

7. Provide Training and Education

• Training Programs: Offer regular training sessions to ensure everyone understands risk management processes and their role in them.
• Resources: Provide resources such as guidelines, templates, and tools to support risk communication efforts.

8. Implement Technology Solutions

• Risk Management Software: Utilize software tools to track, analyze, and report on risks.
• Dashboards: Create dashboards to provide real-time visibility into risk status and trends.

9. Document and Share Lessons Learned

• Post-Event Reviews: Conduct reviews after incidents or risk events to identify lessons learned.
• Knowledge Sharing: Share these insights across the organization to prevent similar issues in the future.

10. Monitor and Evaluate Communication Effectiveness

• Feedback Mechanisms: Use surveys, interviews, and other tools to gather feedback on communication effectiveness.
• Continuous Improvement: Regularly assess and refine communication strategies based on feedback and evolving needs.
  

Best Practices Summary: to achieve effective communication in risk management

• Clarity: Ensure all communications are clear and understandable.
• Transparency: Maintain openness about risks and mitigation strategies
• Engagement: Involve all relevant stakeholders in the communication process.
• Adaptability: Be flexible and adapt communication strategies to meet changing circumstances and audience needs.