The review of your business risks is not only a requirement for meeting ISO standards but also an important part of your business planning and business continuity.
Your business risks continue to increase as national, state and client requirements increase. These could be laws, regulations, standards, information security items and even COVID-19 requirements.
This blog comes from an ongoing series that originated from "26 Ideas for Working from Home for Compliance Professionals".
So what is the best way to review these business risks? Read on.
Most organisations will or should have recorded their risks and their controls when they were first identified. They could be quality risks, information security risks, HACCP or hazards.
But things change, and controls need to be updated and adapted as the situation changes.
How Not to Conduct a Risk Review
Organisations typically do their risk register reviews in different ways:
- Via an audit process
- An agenda item in the management review process
- An annual “let’s get around the table and do this as fast as possible” method
- After the issue.
Each of these is done with a different degree of success and value.
From my experience it is mostly a "tick-and-flick" exercise with little to no value or learning.
How Do We Successfully Do Our Risk Reviews at Mango?
When we (Mango) decided to become ISO 27001 certified, as part of our GDPR risk mitigation, we realised that the normal ways to “avoid the review” weren’t going to work and wouldn’t give us any value.
We decided to take two similar (read boring) and time-consuming processes and join them together. We combined the audit process and the risk review process and created an Audit and Risk committee.
The purpose of doing it this way was to ensure that we could:
- Assign time to do the audits and reviews and then identify value.
- Create a schedule so we knew what we were going to do and when.
- Decide who should be involved and who we would communicate the results to.
How Does the Audit and Risk Committee Work?
The committee is made up of team members from across the business.
It was selected to ensure it has the authority and expertise to discuss, identify improvement, add value and communicate the results of the systems to the company.
The committee meets the day before the monthly Management Review meeting and other operational meetings. This is so that staff in those meetings can be briefed on how the company is performing in terms of risk, any changes are identified, and improvements can be suggested.
We aligned the risk and audit reviews with a high level goal to reduce waste and to capture value from our systems.
This approach enabled us to turn the risk review process into an asset.
Our unique approach to reviewing risk (and conducting audits at the same time) has given us greater employee involvement and value for Mango.
I suggest you consider doing the same for your business.