Management Systems: The Key to Effective Risk Management
Deanne Emmerson
We read about it in Chapter 13 of the Longford Royal Commission Report. We saw it with Pan Pharmaceuticals, NAB, OneTel and HIH. We continue to see it constantly when we analyse incidents.
There is usually a common denominator in the most significant adverse events and business failures of our time. This is defective due diligence, evident within the management system framework. The management system is a basic, necessary organisational component. It is the key to managing our organisational risks. And when we do this effectively, we are well-placed to manage our due diligence requirements. This is managements' obligation.
Effective due diligence ensures we apply due care, determination, prudence and judgement to the achievement of our organisational and operational objectives. Risk and due diligence go hand in glove. Why? Because risks impact our objectives. This is becoming more important in business environments that demand faster service or cycle times, better outcomes, and lower costs while offering a less forgiveness for failure than ever.
It is well known that the primary purpose of management systems is to ensure effective risk management. For example, the report of the Longford Royal Commission clearly explains this in Chapter 13: Management Systems (Dawson, 1999, P.191). In the report, the Commissioners expand the concept of management systems beyond the oft-held view of merely a static procedure manual. They also state the need for proper implementation and maintenance of management systems. It’s not enough to put them in place – they must be updated as change occurs. This maintains their relevance, so that organisational risks can continue to be controlled. Indeed risks require ongoing assessment as change inevitably occurs.
Traditionally, the focus of management systems has been on documentation. Certainly, documentation is a core element of any management system. The Longford Royal Commission adds that documentation must be clear and accessible (as does Note 2 of ISO:9001-2000, P3). Also, in order to fulfil risk and compliance obligations the management systems must comprise a range of elements beyond documentation alone, important as this is.
This documentation framework is complemented and balanced by the competency of staff to do the necessary tasks. This must be assured, or it won’t work. The commonly-expressed notion of being able to replace the entire staff at short notice, which is rarely applicable in practice, should apply a level of common sense to both the documentation and competency frameworks.
Organisational knowledge provides a context for both documentation and competency. It provide the context for applying resources when developing systems. Where organisational knowledge is well-developed, it can mitigate the need for detailed explanations in procedures. However, it also presents new and significant challenges in relation to system sustainability. Organisational knowledge needs to be retained and maintained. If it is allowed to decay, the overall management system may become less effective in controlling risk.
Now add supervision and communication to complete the picture. Together they provide the key ‘neuronal connections’ to the system. Yet their importance is often overlooked within this mix. In management systems they are often the essential element that ensures risk controls are effective.
The trend to remove management layers within organisations during the 1990's weakened the effectiveness of risk controls in many organisations, so the effect of restructure on risk exposure needs careful thought.
The communications processes have only recently been recognised within the standards frameworks, as an integral element of management systems. Together, they are essential to bringing the systems to life.
As we all know, organisations are not static entities. They are constantly evolving. So effective change management processes are essential, both within the hard technologies, such as engineering, and also within human resource impacts on the business. This is not currently a feature of many management systems. In the near future, as the need to manage risk and compliance in a robust and sustainable manner becomes more appreciated by management, the need will become more visible.
In summary, while management systems are sometimes considered somewhat passé, within the context of organisational management, they are a highly important element of organisational infrastructure. They need to be well-designed and effective in their operation if risk management is to be robust. And due diligence needs to ensure that they function properly and are correctly balanced between documentation, training & competence, organisational knowledge, supervision & communications. This is how we have a sustainable system that can withstand change.
Is your management system working as well as it should to control risks in your organisation? Not sure of how to really make it perform?
Quality Award Partners® has extensive knowhow and experience to help organisations like yours get this right!
Contact us now to find out how to get this area of your organisation to deliver real value.