Risk, Innovation & Change

Or How to Implement Risk Management in Organizations?

Martin van Staveren
Deltares & Delft Cluster, The Netherlands

Managing risk is difficult. Applying risk management is more difficult. Implementing risk management in organizations is the most difficult. Failure is more the rule than success and large sums of money, seemingly invested in implementing risk management, are actually wasted. While many organizations struggle with this issue, there was hardly any scientific research about this topic. This article presents a scientifically developed and practically tested approach for implementing risk management in organizations. A synthesis of risk, innovation, and change management concepts and practices makes this approach new and unique.

The need for risk management implementation 
As anyone dealing with risk management experiences, risks are inherently subjective and intangible. Risk management is basically handling uncertainty, with which most people feel rather uncomfortable. Moreover, risk management has a preventive character. This means doing something to avoid something else happening. Unfortunately, often there is no direct relationship between application and benefits of risk management. Nevertheless, public organizations operating in our rapidly changing world are highly vulnerable to risk. Therefore, an increasing number of politicians, regional and local government chief executives and senior managers acknowledge that not routinely applying risk management cannot be justified anymore. It is unacceptable for the sake of our communities. However, embedding the application of risk management in an organization in an effective, efficient and persistent way is by far not easy. It is an ill-defined and messy problem. Perhaps, that is why there hardly existed any scientifically validated and practically applicable knowledge, about how to implement risk management in organizations.

Risk management implementation research
After many years of debates about why to apply risk management in organizations, the increasing need for adequate risk management implementation creates a new type of question:

How to implement risk management in organizations? 

This how-question seems even more difficult to answer than the why-question, which was the trigger to start in-depth risk management implementation research. The term implementation is here defined asroutinizing the application of risk management, at a regular basis and at all levels within an organization. Comprehensive literature surveys and field research have been performed. Academic and professional experts from The Netherlands, the United States, the United Kingdom, and South Africa, were in-depth interviewed. All of these results were used for the development of an entirely new risk management implementation approach.

The new risk management implementation paradigm

Soon after starting the research, a major problem emerged. The current state of our risk management discipline seemed not able to answer the how-to-implement question in a convincing way. Indeed, despite the availability of numerous risk management concepts, procedures and tools. This situation required a new risk management implementation paradigm, with a shift from an instrumental to an organizational approach:

Risk management is an organizational innovation that requires change.

This is merely because well-implemented risk management is new to most organizations, which is the key feature of an innovation. Contrary to the risk management discipline, innovation management does include a considerable knowledge base about implementation issues. Furthermore, the discipline of change management revealed abundant useful knowledge about creating the appropriate organizational conditions for implementing risk management in organizations. In conclusion, risk, innovation, and change form one fundamental triangle for risk management implementation.

Four main implementation lessons

The risk management implementation research provided four main lessons. First, the form, function and meaning of risk management within organizations are largely intangible and subjective. This makes effective, efficient, and persistent implementation a highly complicated adventure. Second, specific managerial attention to routinize the use of existing risk management methodologies in organizations is highly underdeveloped. A knowledge base of how to implement risk management was missing. Third, implementing risk management in organizations requires a well-designed, yet flexible and learning, approach. Appropriate organizational conditions need to be created by purposeful interventions in the organizational structure and culture. This calls for a synthesis of proven risk management, innovation management, and change management concepts and practices. Fourth, any risk management methodology needs to be adapted to the demands of distinct groups of risk management users. They have different types of motivation, or no motivation at all, for routinely applying risk management. The first two lessons confirm the mentioned ill-defined and messy implementation problem, for which the last two lessons provide solutions.

Four practical research products

The developed and tested research products are two models and two instruments. The conceptual model presents the main mechanisms for effective, efficient, and persistent implementation of risk management in organizations. The three dimensions of the model are (1) risk management users, (2) social systems in organizations, and (3) risk management methodologies. The design process model  has been developed for context-specific design of risk management implementationprocesses. The model distinguishes the feasibility phase, the explicitdecision phase, and the execution phase. Moreover, it defines rolestasks, and responsibilities of all actors during the risk management implementation process. The audit instrument allows measuring the degree of implementation readiness of organizations. In addition, it measures implementation progress over time. The audit instrument consists of three questionnaires. Completed questionnaires reveal the differences in individual implementation perception of actors before, during, and after the risk management implementation process. Finally, the intervention proposition assists the selection of adequate key interventions with supporting activities. These purposeful actions aim to increase the degree of motivation and commitment of distinct groups of risk management users. All of these research products incorporate the synthesis of proven risk, innovation and change management knowledge. The use of these products aims to professionalize the design, preparation, execution, and monitoring of risk management implementation processes in organizations.

Final remarks

Currently, the research results are successfully applied in a number of Dutch public organizations. Using the developed approach contributes considerably to more effective, efficient, and persistent implementation of risk management in a variety of organizations. This generates individual and collective benefits. For individual employees at different organizational levels, improved risk management implementation raises their efficiency and job satisfaction. For public organizations, fostering more professional implementation processes reduces implementation costs and increases accountability. In conclusion, professionalized implementation increases the material and immaterial benefits of routinely applied risk management.

For more information, please contact Martin van Staveren by e-mail: martin.vanstaveren@deltares.nl