This article was updated 23 March 2018 based on comments by Rory Kilburn, Kat Kapuscinski, Pat Lisk and Clive Martin, in the LinkedIn Group ISO 31000 Risk Management Standard.
Part 1 set out the basic reason to look at risk management for middle management.
This is where you come in.
I’m working on a how-to guide for managers. The guide is about risk in ‘business planning’ for the work unit within a large organisation. It’s a how-to guide, and a why-to guide, because the world is full of how-to guides that lost sight of the why. The guide is addressed to tiny work units just big enough to have ‘business plans’, through to large structures headed by a senior executive just below the C-level. The work unit manager in the audience will be responsible for some outcomes, not just for rosters and for making numbers.
A basic premise of the guide is that managers must deal with risk in ‘business planning’. Looking at it another way, organisational management of risk must include the work unit level of risk management.
So please tell me how it is for you, before I tell the world how to manage risk in annual work unit planning.
Seven distinct assumptions
These are the assumptions I am making while building the how-to guide for managers.
- Middle managers must have annual ‘business’ plans, defining work unit objectives and outcomes for the year. These plans are separate from strategic planning, and from operations and systems design. (Strategic planning should be one of the key bases for the unit objectives and outcomes. Ideally there will first have been a thorough strategic planning process, recognising strategic risk, which drives the role of the unit. Ideally the strategic risk assessment will have included the perspectives of middle management. Even if that has not happened, there should at least be a separate risk assessment of any major product/service changes planned for the year.)
- Those annual plans must take into account the effects of uncertainty. In risk jargon, annual plans must be supported by risk assessment, and must include risk treatments. Without recognition of uncertainty, and a planned response to uncertainty, the annual plan will not be credible. What the manager does need not be called ‘risk management’, but it must include ‘risk management’ within the meaning of ISO 31000.
- Risk management for an organisation must include risk in annual work unit planning. The organisation also needs many other strands of risk management, and the same middle manager may be involved in more than one of those strands.
- The risk part of annual business planning often fails to make annual planning credible, and fails to contribute usefully to risk management for the organisation as a whole.
- ERM programs, and ‘frameworks’, are changeable and often ineffective, especially for middle managers. Specialist risk coordinators come and go, and they are not a sustainable solution. Regardless of those whims and contingencies, organisations still need to manage risk effectively at work unit level.
- The gap between changeable ‘frameworks’ and the fixed basic need can be reduced by a generalised middle manager guide. The guide empowers managers to respond to uncertainty in work unit annual ‘business’ plans.
- The guide must include tailoring of the risk management process to the specific work unit and to its place in the larger organisation.
You might think differently about each of these assumptions. Please let me know which ones don’t work for you, and why.