Once your risk management plan is in place, it is necessary to ensure that it remains effective. There are four elements to maintaining the effectiveness of your risk management practices:
- Identify one person who will be responsible for risk management
- Keep procedures up to date
- Re-assess risks
- Report on risk management.
These are discussed in more detail below.
Person responsible for risk management
There is an old adage which goes "if it's everybody's responsibility, then it's nobody's responsibility". It is essential that one person be given responsibility for risk management within your organisation. In this manual we refer to this person as the "risk manager".
In smaller to medium sized organisations, the risk manager will no doubt have many other responsibilities. Very large organisations may have someone whose sole or main responsibility is risk management.
The risk manager should have a number of characteristics:
- Because they will be providing ongoing advice to the management committee and staff on organisational procedures, equipment purchase and so on, it is vital that they are a well respected person within your organisation.
- They should have a sound knowledge of all facets of your organisation and its environment
- Some skills in accountancy, law or management might be helpful.
As a rule when selecting a risk manager, `quality is better than quantity'. A skilled and experienced member of staff or management committee member who can only do the work on a part time basis is generally a better choice than a less skilled and experienced person able to devote more time to the work.
Finally, the organisation will need to decide whether the risk manager should be a senior employee or management committee member. Staff members generally have a better knowledge of the day to day functioning of the workplace than do management committee members. The management committee however carry the legal and ethical responsibility for most risks within the organisation (though remember, staff members also carry risks). Considerations of availability, interests, and practicalities need to be taken into account.
Whether your organisation chooses a member of the committee or staff, that person should report on risk management issues directly to the management committee in small to medium organisations, and at least to a senior member of staff in larger organisations.
Keeping procedures up to date
Over time, circumstances change and your risk management plan may become inappropriate. Experience gained from implementing risk management procedures can be used to further refine those procedures. Also, better procedures might emerge which can be used to replace less effective procedures.
Reassessing the risks
The risks you identified in your risk management plan, and your assessment of them, were probably fairly accurate at the time you did the plan. Twelve months later it is more than likely that some of those risks will have changed. What's worse, it's Murphy's Law that the one risk you've missed will be the risk that happens.
There are two ways that you can ensure that your risk management plan is up to date.
Firstly, it should be reviewed on a regular basis. The more volatile and changeable your organisation and its environment, and the higher the level of risk you face, the greater the need to keep your risk management plan up to date. At a minimum, your risk management plan should be reviewed at least once a year.
Secondly, you should evaluate changes within your organisation, or within your organisation's environment, in terms of their implications for risk within your organisation. New legislation relevant to your organisation, taking on new roles, acquisition of new equipment, or creation of new positions should all be considered for their implications for risk management.
As well as protecting you against new risks, keeping your risk management plan up to date could well save you a significant amount of money. Routine replacement of old equipment, for instance, can lead to reduced risk exposures.
Reporting on risk management
The final step in keeping your risk management practice up to date is to report on risks. Reporting on risk should include:
- Description of any new risks
- The effectiveness of existing risk management practice
- The occurrence of risks (accidents, theft, and so forth) during the reporting period
Reporting on risk will normally be done by the person who has the responsibility for risk management. Risk reports should be filed and used in regular reviews of risks and procedures.