Continuous improvement is another significant concept to understand for ISO 31000. Without a company culture strongly aligned with the principles of continuous improvement, organisations will struggle to implement, let alone maintain, successful risk management programs. This can be challenging in practice, as cultivating a risk management attitude within a company involves aligning risk initiatives with existing company values and policies and, to put it simply, convincing everyone involved that risk management is worthwhile. However, improving risk culture is possible and, like many things, it becomes a lot easier when you have a process for it.
Such a process can be separated into three stages:
- Cultural awareness
- Cultural change
- Cultural refinement
Phase one: Building and strengthening cultural awareness
The first stage is the building of cultural awareness; this will take the form of communications, training, and general education initiatives within the organisation. Here is where companies set risk management expectations and objectives, define roles and responsibilities, and clearly communicate all of these things with their employees. You shouldn’t expect your employees to conform to your ideas about risk management without first taking the time to educate and inform them, whether through formal training or access to knowledge base material or similar.
Successfully building and strengthening cultural awareness about continuous improvement includes:
- Establishing a common risk management vocabulary.
- Making sure communications are consistent with said vocabulary, and that everyone in the organisation has clear access to all relevant documents.
- Being clear about risk management responsibilities and accountabilities.
- Launching and maintaining training programs, providing training support and guidance where needed and as required by different roles and responsibilities within the organisation.
- Making sure onboarding processes adequately cover risk management.
- Making sure recruitment processes adequately cover risk management.
Phase two: Changing the way the organisation operates
Once a firm foundation of cultural awareness regarding continuous improvement has been established, it’s time to start thinking about how to gradually begin changing the ways the organisation operates to reflect these values. This phase begins by starting to recognise and reward employees for paying attention to risk and responding to risk in a way that challenges the previously established (pre-continuous improvement) status quo. These kinds of motivational systems, rewarding and penalising behaviour according to the established ideals of continuous improvement outlined in the early planning stages, will result in a gradual but certain shift towards a company culture that is conscious of continuous improvement. Another important element is being able to recognise talent that conforms with the desired vision of continuous improvement and capitalising on this alignment by placing those people in relevant, optimised positions of responsibility or seniority. It’s about getting people in the right place to drive the right kind of results.
Some important considerations for this phase:
- Utilising challenge as a motivator for driving cultural change.
- Gamifying and quantifying risk performance metrics and rewarding/penalising behaviour accordingly.
- Considering risk management and continuous improvement culture in talent management approaches.
Phase three: Optimising and refining the cultural ecosystem
The third and final stage of cultural adoption of continuous improvement takes place once the company culture has already matured to the point of widespread adoption and desired values are already well-entrenched. At this point, the focus shifts to monitoring performance versus expectations and attempting to tweak and refine the system to further improve cultural adoption. The expectations can and will be influenced by a wide range of stakeholders, not just top management; employees, a board of directors, analysts, customers, investors – they all have a say in the definition of cultural expectations because these expectations should directly reflect the whole entity that is the organisation, made up of all its constituent stakeholder parts.
Steps taken during this phase might include:
- Iterating feedback and observations from risk management into training, education, resources, and communications.
- Making sure stakeholders are held responsible for their actions.
- Making sure any risk performance metrics or quantifiers are adjusted to reflect changes in risk strategy, goals, and objectives.
- Having the capacity to redeploy and reassign individuals within an organisation according to desired risk culture goals.
- Continually reflecting on and refining risk culture in accordance with continually changing business goals, objectives, and strategies.