A key goal for the design of any organisational framework should be to integrate it into business-as-usual, so that it is simply “how things are done around here”. This applies especially to a risk framework.
Risk management, as distinct from risk taking, is still widely misperceived as a compliance activity: something that has to be done as an extra and is not really related to “real work”.
Last week I gave a tip on how to make your risk framework easily digestible by a leader so they take the time to understand its value. My number one tip for integrating risk into business-as-usual is to integrate performance and risk reporting, such that a leader reports on their performance and the risk to future performance all in one breath, so to speak.
Too often I see risk reporting only occurring because the risk team made contact. What follows is delays in getting information back, followed by postponement of the meetings in which risk was to be discussed. By the time the discussion is had, everything is pretty much old news and of little value.
Still, at least they can say we “ticked the box” on that one!