A question often asked is how broadly or how deeply we need to design risk reporting in our risk management frameworks. Of course, there is no easy answer. Let me give you a short anecdote before I give you my usual few dot points on the topic.
I was at a UNSW Australian School of Business "Meet the CEO" forum featuring David Thodey, CEO of Telstra, late last year. David was asked what his greatest issue was in managing such a large organisation and he answered with words to the effect: Ensuring that I hear the issues I need to know about from the extremities of the organisation through all the other issues that are being raised with me. He went on to say: "You have to create a culture where it's okay to tell the truth, good and bad. Unless you create that culture of greater transparency, you can't fix issues". I wanted to yell out from the crowd of 400+ that risk management and, in particular, risk reporting should be in his mix to create that culture.
It is a fundamentally important question in risk management to ask how best to ensure a culture where the people with "the need to know" are "in the know".
Here are my tips:
* Business Planning - If you don't do anything else, ensure that managers who report regularly against budgets or business plans also report on risk to their budgets or plans using risk terminology.
* ERM or Operational Risk Committees - A fantastic way for emerging risks to surface in an organisation is via operational risk committees. OHS Risk Committees worked for safety issues, so why not ERM or Operational Risk Committees for organisational risk reporting? So, either broaden the responsibilities of the Safety Risk Committee or form an ERM or Operational Risk Committee and have them report on risks identified, progress on risk treatments and any newly identified risks.
* Risk and Opportunity Hotline - I have not seen this explicitly anywhere; however, the concept has forerunners in "whistleblower" and "idea" hotlines. Put simply, advertise to staff that there is a hotline for general staff to inform us of their thoughts, without prejudice, on the emerging risks and opportunities of the organisation. Move it from "whistleblower", which is more akin to staff alerting you to shut the barn door just after the horse has bolted, to a respected avenue for staff to alert us about "risky behaviour". Move it from "ideas" to identification of opportunities that fit within our advertised risk appetite.