Why you can't manage risk with procedures

This weeks blog post

Ever had an incident and the immediate reaction is to write a procedure?

It's a common strategy, its efficient, its cheap and it feels like we are taking control of the situation.
The problem is whilst we think of procedures as a form of control there are several reasons why they shouldn't be used as your primary source of risk control and here why:

Poorly written procedures don’t provide the control that people are looking for when they write them.
When a procedure isn't clear, isn't logical or simply doesn't include the correct steps it’s a poor risk control and in fact if it’s really bad and people follow it, it could be adding risk.

We often forget to review them.
Out of date procedures can do more harm than good with people following old processes and requirements.

They aren't officially approved.
Without a clear and adhered to approval process people may be following procedures that are not aligned with company values, processes and objectives.

People don't read them.
Either because they can't find them, don't know they exist or find them too complicated to follow.

Risk management should run through everything you do. 

Risk is about the decisions you make. 

Having a healthy risk focus is key to driving quality in your business but risk management is more than procedures.

To effectively manage risk, you need a more comprehensive suite of tools:


  • Procedures
  • Training
  • Responsibilities and accountabilities
  • Communication and reporting mechanisms
  • Monitoring processes

Procedures are important but they are more valuable as part of a complete risk management approach.

Are any of these missing in your risk strategy?