Chapter 5 discusses embedding and reviewing management of risk and observes that:
"When an organization implements or develops its risk management capability, the organization should measure this development, the benefits it brings to the organization, and therefore its success"
Very true indeed! However, the authors have not exactly defined what they mean by the term "success".
Rather, they suggest a number of "Success Factors" that are introduced by this caveat:
"There are a number of essential elements to identify when measuring success, which will probably be different for each organization.
Rather than discuss general success factors in detail, each organization should identify specific success factors for themselves at the outset of the management of risk program and define these measurable benefits that can then be monitored and managed as part of the benefits management activities within a program management practice (see the MSP publication)."
[Please pause for breath! MSP, by the way stands for Managing Successful Programmes, a companion OGC document.]
But then follows a long list of high-level success factors that includes such typical items as:
- Visible sponsorship, endorsement and support from senior management
- Regular communication on risk management within the organization
- Inclusion of risk management and a review of key risks on the board agenda
- An appointed board member responsible for risk management
- A clearly defined risk management process
- Inclusion of risk management responsibilities in job descriptions and personal objectives
- Benchmarking of risk management awareness
To us, this looks like a valuable list of activities to institute the management of risk in an organization, but activity and documentation is not an end in itself. In our view, the measure of real success is in the real benefits that the risk management program brings to the organization. The issue is payoff, contribution to the bottom line, whether shareholder value, cost effectiveness, or value for money. The last thing any organization wants is a gravy train for increased bureaucracy.
19. Ibid, p58
20. Ibid, p59