Internal Risk Communication
Inside an organisation we can observe information pertaining to risks flowing from the management to the employees and vice versa.
In this context, communication needs to be understood as a two-way system. A risk-related statement coming from the management should not be taken for "communication" as long as it is not unquestionably clear that feedback from employees is welcome.
If the risk management of a company is not fully receptive and open to serious indications from employees, it can never reach a trustworthy outcome, because the complete and timely comprehension of its risk environment cannot be guaranteed. Receptiveness is assured if all involved know where they can share risk-related information, know what to do should the route of choice exceptionally be blocked, and know which emergency or urgency measures are permitted or compellingly required. There should be clear and simple internal rules to govern the channels of information, the type of information (data format and type of content) and by-pass solutions. Only then, and where some sort of feedback to the risk messenger exists on how his information will be dealt with, will such channels prove dependable, trustworthy, and efficient. Most appropriately, this feedback is given in such a way that the person is convinced that the authorities in charge will now handle the risk correctly and will not lose sight of it in the future. Where "doing nothing" is the appropriate risk treatment, this should be made explicit and comprehensible.
All this is part of the monitoring mechanism required by § 91 II AktG (Germany) and likewise by the Sarbanes-Oxley Act of 2002 in the US. Since risk management in appropriate forms is necessary for every organisation, not just the larger ones, a risk monitoring system is required for every company and organisation, so that, as the law says, developments which may threaten their continued existence can be detected early.
