Strategic and operational risk management
Risk management process
Introduction
Risk management programs vary considerably between organisations. The level of complexity of a program is dependent on many variables including the size of the organisation, its operations, how much public scrutiny it may be subjected to, and its appetite for risk. There is no single approach that fits all organisations.
We have provided examples of documentation that has resulted from the development and implementation of numerous risk management programs. They can be used as a guide to developing your own program.
The true challenge of establishing an effective risk management program extends beyond methodology and documentation. VMIA published an article in the Summer 2004 edition of risky business (see publications) that identified the key success factors of a risk management program. In summary they include:
- High level support
- Establishing a clear purpose
- Integration with business planning
- Tailored to the organisation
- Formal review process
- Focus on important issues
Risk Management Policy
The risk management policy defines the objectives of the risk management program and demonstrates the commitment to the program from the highest level of the organisation.
The policy is typically a brief, high-level document that approves a risk management approach and creates linkages with other corporate strategies. Ideally it should be part of an organisation's management policies.
Examples of information that may be included in an organisation's policy statement include, but are not limited to:
- The objectives and rationale for managing risk
- The links between the policy and the organisation's strategic and corporate plans
- The extent or range of risks that need to be managed
- The responsibility for managing risks
Sample Documentation
Sample Policy Statement for Public Organisation (see below)
This contains a policy statement and elements of a context statement.
Establishing the Context
Put simply, the context describes the parameters within which risks will be managed and sets the scope for how the risk management program will operate.
The context helps the reader/user to understand how the risk management program will consider such things as:
- Establishing the internal/external context
- Establishing the risk management context
- Developing risk criteria
- Defining the structure for the rest of the process
By establishing the external context, the organisation's external environment, as well as the relationship between the organisation and that environment, is defined.
To establish the internal context, a full understanding of key factors such as culture, organisational structure, core capabilities and organisational goals and objectives needs to be developed.
To establish the risk management context, the goals, objectives, strategies, scope and parameters of the risk management activity should be fully defined; it is also important to specify the resource and documentation requirements.
Developing risk criteria defines how risks are measured. It is important to tailor the criteria to suit the needs of the organisation rather than simply applying pre-defined generic criteria.
Defining the structure for the rest of the process creates a logical framework that helps ensure significant risks are not overlooked; this structure depends on the nature of the risks and the scope of the activity.
It is important to note that there is a difference between a risk management policy and the risk management context. VMIA's interpretation of the difference is that a policy statement explains why the program is in place and a context statement explains how the program is to be implemented. The two are obviously mutually dependent and it is critical that they agree.
For those organisations that are considering hiring a permanent risk manager, please click below to see a sample Risk Manager Position Description.
Risk Assessment
The Australian Standard divides the risk assessment process into three distinct steps:
1. Identification
2. Analysis
3. Evaluation
The end result of the assessment process is the risk register.
Identification:
Identifying risk is an important step in the risk management decision process. The identification of risk can be reduced to two basic steps:
- What can happen?
- How and why can it happen?
Using the parameters described by the risk framework, the aim of the first step should be to generate a comprehensive list of potential risks. The second step is to consider all the possible significant causes and scenarios that could initiate each event.
Risk identification requires imagination and insight operating within a structured methodology. This is why such tools as group brainstorming are so effective.
Sample Documentation
Characteristics of Loss Exposures (see below)
This guide provides the necessary conceptual tools; an explanation of the characteristics shared by all exposures and a description of several widely used methods of identifying and analysing exposures facing an organisation.
Methods for Identifying and Analysing Loss Exposures (see below)
This guide outlines seven widely accepted basic methods of exposure identification and analysis, which can be used as the basis of a risk profile workshop.
Analysis:
The risk evaluation criteria defined in the context documentation are used to analyse the identified risks by:
- Identifying the existing controls
- Determining the consequences of an event
- Determining the corresponding likelihood of the event occurring
From these steps, the risk level is determined.
Evaluation:
The risk evaluation process involves ranking risks using the defined risk evaluation criteria and determining whether each risk is acceptable or unacceptable. Unacceptable risks require further risk treatment(s) to bring them to an acceptable level.
The acceptability of risk is not an absolute measure. In the real world resources are finite. The risk management process deals with that reality by focussing attention on the most important matters.
Risk Evaluation – Practical Steps (see below)
This document lists the actual steps involved in risk evaluation and includes the steps to measure absolute risk.
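As an added example (not from the page or from VMIA), the analysis and evaluation steps above expressed as a small risk register in Python: each risk records its existing controls and likelihood/consequence ratings, a rating matrix gives the risk level, and evaluation ranks the register and flags risks above the acceptable level as requiring treatment. The 5x5 matrix, the acceptability threshold and the sample risks are constructed for illustration and are not the Standard's values.

```python
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High", "Extreme")  # ordered, lowest first


@dataclass
class Risk:
    ref: str
    event: str              # what can happen
    causes: str             # how and why it can happen
    existing_controls: str  # controls already in place
    likelihood: int         # 1 (rare) .. 5 (almost certain), with controls in place
    consequence: int        # 1 (insignificant) .. 5 (catastrophic)


def risk_level(likelihood: int, consequence: int) -> str:
    """Constructed 5x5 matrix: product of the two ratings, banded into levels."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("ratings must be integers from 1 to 5")
    score = likelihood * consequence
    if score >= 15:
        return "Extreme"
    if score >= 9:
        return "High"
    if score >= 4:
        return "Moderate"
    return "Low"


def evaluate(register: list, acceptable_up_to: str = "Moderate") -> list:
    """Rank risks highest first and flag those above the acceptable level."""
    limit = LEVELS.index(acceptable_up_to)
    rows = []
    for r in register:
        level = risk_level(r.likelihood, r.consequence)
        rows.append({
            "ref": r.ref,
            "event": r.event,
            "level": level,
            "score": r.likelihood * r.consequence,
            "treatment_required": LEVELS.index(level) > limit,
        })
    return sorted(rows, key=lambda row: (row["score"], row["ref"]), reverse=True)


# Constructed sample register (illustrative only).
SAMPLE_REGISTER = [
    Risk("R1", "Loss of records system", "Hardware failure, restore never tested",
         "Nightly backup", 3, 5),
    Risk("R2", "Minor injury to visitor in car park", "Poor lighting", "Signage", 2, 2),
    Risk("R3", "Breach of contract with key supplier", "Unclear terms", "Legal review", 2, 4),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REGISTER):
        print(row)
```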
Risk Treatment Plans
Once the risk assessment has been completed and the unacceptable risks identified, the next step is to decide what to do about them.
Risk treatment involves identifying the range of options for treating risk, assessing those options, preparing risk treatment plans and implementing them. A key component in risk management, and for that matter in all management, is determining the best course of action with an understanding of the cost of risk and the cost of managing that risk.
The 2004 standard considers events with a positive and negative consequence. The following list and remaining discussion is suitable for managing negative consequence events.
1. Avoiding the risk
2. Changing the likelihood
3. Changing the consequences
4. Sharing the risk
5. Retaining the risk
There are numerous factors to consider when assessing the most appropriate risk treatment strategy. This includes the extent of risk reduction, short term versus long term gain, benefits to the organisation and external stakeholders, reputation, impact on other business functions, and obviously cost.
Once it is decided which treatment strategy is the most appropriate, risk treatment plans should be developed specific to each prioritised risk. In general, treatment plans should identify responsibilities, schedules, the expected outcomes from treatment, budgeting, performance measures, reference to other risk documentation where applicable and, most importantly, a review process.
Monitor and Review
A structured review process is an essential component of a successful risk management program. By structured we mean different levels of review at different levels in the organisation. Support from senior management or the Board or a Board sub-committee is clearly demonstrated by requiring a review at that level. The Board is unlikely to want or need to see risks associated with routine operational matters, nor is it likely to be concerned about minor procedural changes. The level of detail reviewed should be commensurate with the level of the organisation at which it is reviewed. It is strongly recommended that internal audit form part of the review process, with particular emphasis on auditing critical controls for risks where the failure of that control could result in serious consequences.
The review process should involve reporting of non-compliance against the risk management plan with resulting direction to institute corrective action.
It is difficult to justify any level of review that is not carried out at least annually regardless of the type of organisation and the risk profile.
Communication
A formal communication program requires definition of the conditions under which information should be shared with stakeholders. For example:
- Unacceptable, high level risks need to be escalated to the appropriate level in the organisation or beyond, so that they can be addressed and resolved.
- Where the responsibility and management of identified risks are shared with other government agencies then it is important to establish a communication process for sharing the relevant risk information.
Creating a risk management culture requires an ongoing program of communication throughout the organisation. This can involve periodic reporting on risk benchmarking, or regular information or training sessions on risk management methodology as applied to project management, event management or purchasing.