Each and every organization faces risk; how much and what kind varies depending on industry and decisions by leadership. But risk is not only a purview of a company’s board of directors and CEO. All employees have a role to play. Employees need to be aware of potential risk, such as it relates to safety, cybersecurity, and fraud, and trained to reduce the likelihood of a risk event where possible. An organizational culture must be such that employees feel comfortable speaking up when they see potential hazards.
But, as Lori Gravelle writes in “Talent Development’s Guide to Risk Assessment,” today risk goes beyond hazards. For continuous performance improvement, she writes, “we need to adopt a systematic process for identifying new and emerging risks by utilizing key performance indicators.” For example, there could be risks associated with misaligned processes in achieving business objectives. Or, there could be human risk—that is, loss of knowledge, skills, or commitment of people.
To deal with the new world of risk, enterprise risk management (ERM) is needed. In other words, organizations must take an integrated approach that allows them to “assess threats and opportunities that could affect the achievement of their goals,” according to Gravelle.
Among other characteristics, an ERM includes integration with strategic planning as well as looking at risk culture, assessment, and response.
First, an organization must weigh strategic goals and objectives and consider how emerging risks might affect the ability to meet those goals. “Creating an appropriate risk culture means enabling and rewarding leaders for taking the right risks to improve business outcomes,” writes Gravelle, “and encouraging employees to discuss and report risks without fear of retaliation.”
Risk assessment will look different for each organization, based on its risk appetite as well as the likelihood of a risk occurring and the severity of it to an organization should the event occur. For example, patient safety might include, but not be limited to, the financial aspects tied to a patient accident or medical error. A cybersecurity incident could lead to loss of trust in—and business with—an institution.
Leaders need to decide how to respond to a risk. That may mean avoiding the risk by eliminating the activity or asset, mitigating risk through internal controls, or transferring risk through an insurance policy.
What is talent development’s role in risk assessment?
- An organizational risk culture begins with recruiting employees who acknowledge the importance of risk, who are ethical, and who will speak up about potential gaps or failure to act according to policy or process (such as reporting employees who take shortcuts in safety procedures).
- Risk assessment continues during onboarding, with communication of the importance of reporting.
- Talent development practitioners also should work with leaders and the chief risk officer to assess and determine solutions, according to organizational strategy. This may involve training—from using equipment, to IT malware awareness, to ensuring that managers have open doors so that employees can report.
- Communication—about policies, safety procedures, organizational vision, and so forth—is also part of TD’s role in an effective risk assessment program.
“Talent Development’s Guide to Risk Assessment” is the TD at Work March bonus issue.
