Deployment of a risk management system

ISO 31000, the risk management standard, recommends drawing up an exhaustive list of the risks to which the organization is exposed, by identifying and then evaluating all feared events, i.e. potential threats to the achievement of objectives; whether these threats are endogenous or exogenous, and whatever the level of risk control the organization possesses or can hope to possess. Compliance with this recommendation leads to the creation of a global risk map, a deliverable for which the client is the management. It provides an overview of the vulnerability of the organization, company, association... whatever its legal form. This may change the nature of certain risks, but it does not alter the risk assessment methodology. Global risk mapping was the subject of our previous article [G 9 010] .

However, the aim of the 31000 standard (which we presented and commented on in the very first [G 9 000] article of this "series") is above all to implement a management system. Of course, since we know that management involvement is a prerequisite for the success of a management system, it's a good idea to offer managers a tool adapted to their level of concern. This is a good start. However, the deployment of a genuine management system presupposes that every player in the organization, whatever his or her position, participates in the process and has access to tools to help him or her better control the risks present within his or her scope of responsibility. However, global risk mapping does not provide middle management with the analytical elements they need to act on their risks. For example, each process is summarily represented, often by a single rating summarizing the soundness of that process. This is not enough to initiate improvement actions based on process risk reduction. Similarly, global mapping deals with the organization's project management maturity, but does not detail the risks associated with a specific project. It is therefore not the right tool to energize the decision-making process and link project progress (passing milestones, allocating resources, etc.) to the evolution of project risks.

So how do you involve operational managers, process drivers...