As a company that provides technology, software and consultancy to oil refineries, nuclear power stations and rail systems, Invensys cannot afford to take risk management lightly. Over the past two years, it has introduced a new structure and process for managing risk that relies on embedding risk management within its functions and divisions under a framework controlled by a central risk function and committee.
"You have to make risk management a living part of the business so that operational divisions don't see it as an add-on but an integral part of their day-to-day job," says Chris McGloin, vice-president for risk management and insurance at Invensys. "Risk management has to be part and parcel of their normal way of managing and reviewing their business."
Divisions and functions within Invensys are responsible for maintaining their own risk registers and updating these on a regular basis. These are then reviewed on a quarterly basis and consolidated into a group risk report. A risk committee, which reports into the audit committee, is responsible for overseeing the risk management process and also monitors the risk mitigation process undertaken by the individual operations.
The success of this programme depends on developing a system that managers see as adding value to their job. "If you just give managers a form to fill in and ask them to tick some boxes, they'll ignore it and see it as extra bureaucracy," says Mr McGloin. "But if they see it as something that helps them to make decisions and focus their priorities, then they'll do it. It's all about making it simple, streamlined and linked into the business."
Risk managers at Invensys communicate regularly with operational and functional managers in order to educate them about the process and help them to understand the benefits. In addition to technical skills, risk managers need a deep understanding of the business and the ability to make connections between different parts of the business.
"The people in the central risk function who are facilitating the management of risk need to have a proper understanding of what the guys out in the business are doing and how they're trying to do it," says Mr McGloin. "You're taking part in the business at a slightly higher level than the experts, but in a way that is informed enough to be able to translate and deal with issues in a non-jargonistic, consistent way."
In addition to helping the business develop a broader risk awareness and culture, the process also facilitates an environment in which business managers are encouraged to share information with each other about their risk priorities. This helps to disseminate best practice and builds up knowledge about the interaction between risks across the business.
"Managers very quickly recognise that sharing and communicating risk priorities means that they receive information in return, and that helps to inform the process and add value," says Mr McGloin.
