Communication & Consultation
Communication and Consultation is an integral part of the risk management process. It informs every stage of the risk management process and should involve both internal and external stakeholders. Because it is about future uncertain events, Risk is based on opinion which in turn is based on perception. Perception can be informed by values, needs, assumptions, concepts and concerns. All of the aforementioned factors will likely vary from stakeholder to stakeholder, so getting a balance of stakeholder perspectives is essential.
As identified in ISO 31000, a consultative approach to risk management may:
- Help establish the context appropriately;
- Ensure that the interests of stakeholders are understood and considered;
- Help ensure that risks are adequately identified;
- Bring different areas of expertise together for analysing risks;
- Ensure that different views are appropriately considered when defining risk criteria and in evaluating risks;
- Secure endorsement and support for a treatment plan; and
- Enhance appropriate change management during the risk management process.
Monitoring & Review
Effective risk management is not a “tick-the-box” exercise. It is not something that can be done up front then parked in a corner somewhere. To truly add value to a project, risk management must be regularly monitored and reviewed to ensure that the risk monitoring and assessment are up to date and risk treatments are being implemented as agreed in a timely way.
Essentially, the risk management system must be proactive rather than reactive in dealing with risk. It is only by regularly re-examining the known and potential sources of risk and their potential consequences that informed decisions can be made to help reduce exposure to threats and capitalise on opportunities.
ISO 31000 identifies the benefits of effective monitoring and review processes as:
- Ensuring that controls (and treatments) are effective and efficient in both design and operation;
- Obtaining further information to improve risk assessment;
- Analysing and learning lessons from events (including near-misses), changes, trends, successes and failures;
- Detecting changes in the external and internal context, including changes to risk criteria and the risk itself which can require revision of risk treatments and priorities; and
- Identifying emerging risks.