Monitoring and reviewing risks in your organisation
THE TAKEAWAY: A risk management program is never finished. New risks will emerge and existing risks will disappear. You have to stay on top of it.
This is the final step in a seven-stage process of successfully tackling risk management in your organisation (go to the Insurance and Risk Management Help Centre for information about the other steps.
It is highly recommended that your organisation establish a process to monitor (continual assessment of what has been implemented) and review (a periodic assessment of the effectiveness of your actions and the environment you operate in) your risk management strategy.
This is vital because risk is not static. New risks will emerge and existing risks will disappear. Risks that you have already acknowledged may become more or less frequent, severe or relevant to your organisation. Your risk management strategy should be a fluid document that is regularly updated to take account of changes in your organisation.
Changes to your risk profile will result from changes in your organisation (your focus may shift from outdoor to indoor activities, for example, or your membership might become older), and from changes in the outside world that you have no control over (changes in the law, new technology and changes in society).
There are a number of useful ways to ensure effective monitoring and reviewing of your risk management strategy.
You need to set timelines and deadlines for ensuring risks are managed and treated. Make sure the most urgent risks are dealt with first.
Write down when things need to be checked and tick them off your risk register when they've been completed.
You will also need to make a note of when that area should be reviewed again.
The regularity of your review will depend on the activity in question. For example, smoke detectors may only need to be checked once a year but the surface of a basketball court may need to be inspected before and after each game.
It's important that you investigate and record any accidents or near-misses. This will provide you with a document trail in case you need to justify your actions, but it will also help you to avoid similar incidents happening again.
Investigate the incident - what went wrong? Why? What could have prevented it? Document the details of the incident and the answers to those questions for future reference. And act on the information.
Records you should keep include:
- Minutes of meetings - noting important decisions and the reasons for them
- File notes - a record of important conversations in person or on the phone
- Training records - documenting any training undertaken by staff or volunteers
- Incident records - notes taken or forms completed in the event of any injury or incident.
You should be consistent in the type of information you gather in relation to any incident and any investigation of the surrounding circumstances. It is a good idea to have a specific form for this kind of record.
Your records should also include regular reviews of the effectiveness of the risk management strategy itself. Ask questions such as:
- How effective is our risk management strategy?
- Are measures working the way they are supposed to?
- How accurate is the risk assessment process? Are all risks being identified?
- Have risk treatment methods made our organisation safer?
- Are safety procedures being followed?
- Are safety records accurate, consistent and up to date?
The process of monitoring and reviewing your risk management strategy may result in documented administrative procedures such as policies, guidelines, codes of practice and rules.
Produce a resource for staff/members/volunteers
Your risk management guide should include sections that invite feedback from your members on whether the risk management strategy is working.
Often it will be people "on the ground" who are best able to see what works and what doesn't, and who will be the first to notice any changes in the nature of risks faced by your organisation - new risks arising, existing risks disappearing or changing.
Adopt and follow procedures
"Good policies and procedures, always followed" should be the risk management mantra for any not-for-profit organisation.
A range of sample policies and procedures are available for downloading at www.ourcommunity.com.au/policybank.
You should also have a process in place for dealing with complaints, suggestions and other feedback from your staff, volunteers, members and the general public.
It's is important that the monitoring and reviewing of your risk management strategy is open and inclusive so that everyone connected with your organisation feels a part of the continual process of risk management, in its development, implementation and evaluation. This goes hand in hand with effective communication, which you should be working on through every step of the risk management process.