The risk management doctrine was introduced in Israel only recently and by relatively small steps. The main milestone in its introduction into the business world in Israel is the publication of Standard 5300, which includes two parts, the first from 2007 and the second from December 2009, by the Standards Institute.
Internationally, the risk management doctrine has been known for years. After years of work, the International Standards Institute issued, on 15 November 2009, ISO 31000 – Risk Management Principles and Guidelines. Alongside it, the list of professional definitions (Guide 73) and the guidelines for risk assessment (IEC/ISO 31010 Assessment Techniques) were also published.
Unfortunately, there are material differences in approach between the international standard and the Israeli standard, which is based on the Australian standard that was already published in 2004. Only in the future will we know whether the perspective behind the international standard becomes the prevalent approach in Israel or the out-of-date Israeli standard becomes dominant and turns into the conventional guide in Israel for risk management.
The changes and differences between the terms defined in the new international standard and some of the classic definitions that prevailed until the publication of the standard derive from differences between perspectives on risk management.
While the classic definition of risk was "the product of the probability of occurrence of the event and the damage it may cause", the new definition presented by the standard is "influence of the uncertainty on objectives and aims". The difference is not only in wording but, as noted above, also in the perspective behind it. If, hitherto, risk was something that stood on its own and could be determined through a mathematical equation only, regardless of the organization, the new definition places achievement of the organization's objectives and aims as the main variable in the definition of risk. Hence, without a deep understanding of the organization's objectives and aims in any field (for example, increase of profits, safeguarding of employees' life and health, safeguarding of the environment), the risks it faces cannot be defined at all. Learning the organization, its objectives and aims is not simple or obvious, and requires in-depth work by the owners and management as a preliminary step prior to learning the risks.
The second main difference between risk management as perceived in the past and risk management as presented in the new standard is the inclusion of the preparation process in risk management itself. In the past, it was assumed that risk management began with identification of the risk, continued with its assessment and treatment, and ended with follow-up and control. The new standard presents a totally different picture. The risk management process begins with preparation of a framework for risk management at the organization. This includes defining a risk management policy, as part of which the organization's approach to risks and the work plan for managing them are defined, and the officials who assume responsibility for all components of the process are designated. Only after all preparation work is performed can the organization begin with identification and treatment of the risks. At the last stages of the process, the stage of documentation and self-learning is added, as part of the need to continuously improve the organization's risk management.
Another substantial difference in the perspective presented in the standard pertains to the understanding that risk management is not a static, but rather primarily dynamic, process that is routinely affected by changes in the internal and external circumstances of the organization, its ability to learn and implement, the understanding that every risk has a source and a reason, and that every risk can itself, or through its treatment, be a source of other risks.
An initial and very important condition for the efficiency of the risk management process is obtaining the positive consent of all the organization's components to the entire process and turning it into another "language" of the organization. It is important that the officials on all levels understand that risk management is not directed at catching the guilty and punishing them for mistakes, but is an essential part of the attempt to persistently improve the organization's performance. Only if all officials see themselves as part of the process and feel committed to its success will risk management bring maximal benefit to the organization and its stakeholders – the owners, employees, suppliers and customers.
It is not sufficient to speak, within the organizational framework, of the need for risk management; action must be taken. Construction of the framework for the process is not designed only in order to delimit the risk management activity, but is intended to set all rules required for its operation. Determination of the rules – that is, formation of the commitment, understanding the organization and the contexts in which it exists and operates, setting of policy, formation of a work plan – must be performed before even one risk survey is done. Implementation and follow-up are the next stage. This, if you will, is the first layer of risk management – the managerial part. This part can be performed by organizational advisors, industrial and management engineers, and people who have learned risk management and understand the process. No professional education in the fields of the risks themselves (such as law, engineering, economics, etc.) is required for this purpose.
Part of the first – managerial – layer is formation of the intra-organizational system that engages in risk management: determination of supervisors, officials and risk managers for every department or project. A designated team should be formed, to be composed of the relevant officials at the organization itself, along with experts for the various fields – lawyers for legal risk management, economists for financial risk management, industry and management persons for operative risk management, environment persons for risks in this field, and so on, whether as part of the organization itself or as external advisors. The entire team will routinely engage in preparation of the surveys, identification of the risks, their assessment, finding the best ways to treat them, monitoring, follow-up, control, learning, improvement of the process and the other stages detailed in the standard.
Soon, risk management will turn into part of the organizational culture, of the organization's inward and outward business language. The results will soon follow: the quantity of events defined as "risk" for the organization will decrease, the damages will be reduced, confidence will rise, the business results will improve, and generally, as the standard puts it – the organization will be closer to achieving its objectives and aims.
In conclusion, several comments:
The word "risk" has a negative connotation in Hebrew and other languages. According to the risk management doctrine, it is possible and desirable to separate the negative context of the term from its professional meaning within the process and regard it as the other, opposite, side of the term "chance". Since every chance embodies risk, there is no risk without chance, and they are supposed to balance each other as far as positive and negative contexts are concerned.
Risk management is not intended for provision of authorizations and certification. It is intended to be an internal tool for the organization that elects to make use thereof while understanding its true meaning and the business and other advantages embodied therein.
The organization's personnel have a vital role in risk management. They are the best source for information needed for risk management, understanding the causes of the risks, and they eventually need to introduce the insights from the process into their daily routine. Without full cooperation by employees, without exception, risk management cannot be performed. Their inclusion and full cooperation in the entire process, from start to finish, are absolutely vital for its success.
Risk management is built of two layers: a managerial layer (formation of frameworks, the plan and the policy) and actual performance. Performance is carried out by experts in the various fields (economy, law, industry and management personnel, etc.), in cooperation with the internal risk management layout in the organization itself.
In any case, risk management cannot be performed only through outsourcing. All officials at the organization itself must take part in the process so that it has its full significance and so that it may produce the optimal benefit.
The importance of the following sentence cannot be overstated: risk management is not a shelf product. In order to be efficient, it must be tailored to the dimensions of the organization, starting from the stage of framework formation, plan formation and policy setting, continuing with the implementation process and ending with follow-up and control processes for continuous improvement in the performance and business results of the organization.
Not only business organizations can perform risk management. Public and governmental organizations, as well as third sector organizations (non-profit institutions), can also greatly benefit from managing the risks they face.
Risk management is a dynamic process, which is partly based on interaction between the various stakeholders within and without the organization. Constant and on-going improvement of the process derives, among other things, from constant learning.