As with business continuity management in general, risk management is much more effective if a top-down, bottom-up approach is adopted.
It’s all very well for executive management to make statements in the annual report about how wonderful the risk management system is, but that in itself doesn’t make the organisation more resilient. If it isn’t backed up by action then it’s not worth the paper it’s written on.
A successful risk management approach requires a two-pronged attack, which includes buy-in from both the executive and business managers. Yes, there needs to be commitment at board level, but the business also needs to be involved to make it happen.
The most successful organisations in this respect are the ones that manage to embed risk management in their culture – where executive support is visible; where risks and associated mitigation measures are identified at all levels; where risk registers are maintained by departmental managers and team leaders; and where risk management is seen by all employees as just a normal part of the way they do their jobs.
So what’s it to be – splendid isolation or a joined-up approach that actually makes a difference? The choice is yours.