To begin the Lean transformation, companies have to have a Lean strategy. The Lean strategy should set forth the company’s goals. It should be broad enough to accommodate the company vision, but be simple and brief.  

As a part of the Lean strategy, a company must change its organizational structure and break down the silos within the company. Since Lean requires a pull strategy to connect directly to the customer, a Lean company must change how the work will be done and the employees must change their thinking about how to organize their work. The result is the creation of a value-stream organizational structure focused on the value-adding activities of the company. If a company does not break down the internal silos, waste and power struggles among the employees will harm the company’s goals and prevent the focus on the customer.

The same applies to the company’s risk management. In his seminal 1976 article, Felix Kloman, a risk management expert, called for a holistic approach to risk management (Lean risk management) that would begin with a “clear, written statement of policy supported by a board of directors, designating the administrative authority for coordinating the risk management effort.”[1]  In 1990, Kloman described this holistic approach as follows: “[R]isk management should be seen more as a function than a specific person. It should be practiced by many levels of management, with coordination and guidance from a senior level . . . .  [R]isk management becomes a planning and strategic function, not solely an assessment, financial or safety one.”[2] The risk management policy should include:  (1) the objectives of the policy and rationale for managing risks; (2) the relationship between the policy and the organization’s strategic plan; (3) the extent of risks to which the policy applies; (4) guidance on the material risks; and (5) who is responsible for managing the material risks.

Lean risk management allows a company to create value-streams to meet its strategic, operational, and reporting and compliance objectives by focusing on the interrelationships of risks across business units and at every level of the company. The result is consistent risk and control consciousness throughout the organization.