
Risk Management the Right Way

EFFECTIVE RISK MANAGEMENT, like effective security and safety management, should be unobtrusive when it is functioning well. However, if not properly integrated, it may be seen as intrusive to operational staff and regarded as just another layer of administration.

The key is to develop a positive risk culture, but that does not just happen; it has to be developed and maintained. Many organizations rely on risk workshops, training, and formal meetings to achieve this, but such strategies are usually aimed at the management level and only enjoy short-term gains in terms of cultural change. Also, senior managers often develop programs without input from front-line staff. At best, such a program will be viewed as irrelevant by staff; at worst, it will have a negative impact on the workplace because it won’t have been integrated into workloads or production forecasts.

To ensure that a risk management plan is embraced by the entire organization, companies must get employees involved in the planning process, keep them engaged in implementing risk management principles, and encourage them to embrace these principles as part of the corporate culture.


Companies must get staff at all levels of the organization actively involved in the risk management process. As a part of that effort, managers should take the time to speak with staff and understand their operational needs and level of risk awareness. They should also ask for suggestions regarding how risk can be mitigated during operations.

For this employee-level involvement to achieve the desired results, decision makers must seriously consider staff input. In doing so, they will not only get employee buy-in, they will increase the chances that the risk management systems developed will be relevant to each organizational level. The next step will be to ensure that risk management protocols are actively integrated into existing work systems and practices.


What can organizations do to establish and maintain a positive risk management culture?

As many investigation and security professionals will testify, discussing issues over a cup of coffee can defuse tensions and reduce the perceived formality of a situation, providing a more amicable atmosphere. Metaphorically, the setting indicates that risk management is a routine activity, one that is undertaken as a matter of course. It symbolizes that risk management can be nonintrusive and that staff at all levels of an organization can participate with varying levels of formality.

I recently put this theory to the test when I served as risk manager for a large multiagency design and construction team tasked with delivering a major infrastructure development project in Asia. The design team was staffed by engineers with professional backgrounds in legislation, specifications, and standards. I had to get them thinking about more nebulous topics, such as project safety and security and reputational issues. They also had to factor in principles of crime prevention through environmental design (CPTED). Not only did I have to compete with tight program deadlines and commercial pressures, but I also had to facilitate a positive culture that did not see risk management as an additional burden in what was already a high-pressure setting.

The approach I adopted was two-pronged in nature, combining the facilitation of formal risk workshops with regular informal meetings that involved nine design teams and manager groups. While the workshops successfully led to brainstorming issues and bringing multidisciplinary teams together, the pace of the project made these difficult to arrange and facilitate. So, I focused more on the regular risk catch-ups and on being visible to the design teams.

My strategy entailed booking regular coffee meetings with individual design teams and manager groups, made up of the team leader and a maximum of four team members as needed. Participants were chosen based on required technical expertise and the nature of the issues to be discussed.

Occasionally, we had larger meetings, but not often. These meetings were also deliberately held in the office’s coffee or break areas rather than in formal meeting rooms. The gatherings lasted from 15 minutes to slightly over an hour.

Reflecting the settings in which they were held, the meetings themselves were informal in nature. Attendees were asked to bring the required data for their area of expertise, and they were provided with a copy of the relevant risk report and associated documents at the start of the meeting. In working through the reports, which dealt with risk issues ranging from project delays and data quality to environmental and security design considerations, the need for additional information and one-on-one follow-up meetings was noted, and those responsible for mitigations were identified.

These meetings were also used as an opportunity to clarify issues raised at formal risk workshops and design team meetings, with additional data gathered from the project’s information management system—a tool through which project staff could identify potential risks and opportunities online. In the earlier stages of this project, it had been observed that, although a wide range of risks had been identified, no solutions were documented. These shortcomings were quickly addressed by these regular catch-up meetings, during which teams were encouraged to regularly dedicate small, manageable periods of time to documenting the issues raised in the meetings and the follow-up actions. Through this approach not only were identified risks addressed, but the risk management documentation was better maintained and more regularly reviewed.

The goal was not just to ascertain and clarify risk-related data but, more importantly, to facilitate the process in a manner that made the whole practice a part of daily routine. In response to the new approach, one design team began to readily identify potential CPTED issues within areas and proposed designs as a matter of course, rather than waiting for a formal CPTED review session.

Encourage Cultural Change

After approximately two months of formal and informal meetings, I started to see indications that inroads were being made from an organizational culture perspective. Project team members were starting to contact me regarding potential risk issues that had been identified, actively discussing how best to document and manage them. I also started to see more staff members coming to me with risk governance questions. I started to see them thinking of risk management as a decision support tool, as part of their routine, not merely a product.

To maintain and build on this progress, I then commenced unplanned drop-in chats with project team members. Arriving with coffee cup in hand, I engaged team members in general conversation, blending the discussion of risk management and project-related issues with other areas of interest and general chit-chat. The scope of issues raised, both in terms of quantity and quality, improved, with one design team actively considering the risks and opportunities linking landscaping-related CPTED with environmental sustainability, whereas their primary focus had been designing roads and bikeways.

As this illustrates, the project teams were becoming more aware of the risk management cycle as an overall process, and of the different risk exposures to be considered. More importantly, however, they were thinking of risk management as a proactive and logical business practice rather than as a chore.

After working for 15 months on this project, which is now in the hands of the construction contractors, I was redeployed. The positive risk culture that was developed and maintained over the preceding months survived after I left. The company identified team members who could take over and monitor the existing risk issues and risk management plans in my absence.

As my coffee cup strategy shows, a risk management plan doesn’t have to be complex; it just has to engage the work force. The key is to talk to them and get them involved—to make risk management a more user-friendly experience for staff and keep it at the front of their minds. Doing so will help make risk management part of the corporate culture.

Paul Johnston, Ph.D., is a principal consultant with AECOM and the adjunct coordinator for the risk management program at the Centre for Environment and Population Health at Griffith University in Queensland, Australia. He is a member of ASIS International.