RISK: THE EFFECT OF UNCERTAINTY ON OBJECTIVES

PART 1: RISK, RISK MANAGEMENT, AND ISO 31000

Definition of risk: the effect of uncertainty on objectives. An effect is a deviation from the expected and may be positive or negative; risk is often characterised by reference to potential events, changes in circumstances or consequences, or a combination of these.

The definition links risks to objectives: it can most easily be applied when the organisation's objectives are comprehensive and fully stated, since a risk is only meaningful relative to an objective it could affect.

Risk assessment involves 1) identification (recognition) of risks, followed by 2) their evaluation / ranking.

Consequences of a risk materialising may be negative (hazard risks / downside), positive (opportunity risks / upside), or may simply increase uncertainty about outcomes (control risks).

Strategy sets out long-term aims (3 years or more); Tactics define how change will be achieved (medium-term); Operations are routine activities (short-term).

The focus of risk management is the assessment of significant risks and the implementation of suitable risk responses. The following list sets out the 7Rs of (hazard) risk management; the 4Ts are the response options under step 3.

1) Recognition / identification of risks


2) Ranking / evaluation of risks


3) Responding to significant risks


4) Resourcing controls


5) Reaction planning (includes business continuity planning and disaster recovery planning)


6) Reporting and monitoring risk performance


7) Reviewing the risk management framework

3) Responding to significant risks (the 4Ts):


a) Tolerate


b) Treat


c) Transfer


d) Terminate

The initial component of the ISO 31000 framework is 'mandate and commitment' by the Board and this is followed by:

1) Design of framework (Organisation and its context; risk management policy; embedding risk management)


2) Implement risk management (Implement framework; Implement RM process)


3) Monitor and review framework


4) Improve framework

PART 2: ENTERPRISE RISK MANAGEMENT

A risk management policy should include the following sections:

1) Risk management and internal control objectives (governance)


2) Statement of the attitude of the organisation to risk (risk strategy)


3) Description of the risk aware culture or control environment


4) Level and nature of risk that is acceptable (risk appetite)


5) Risk management organisation and arrangements (risk architecture)


6) Details of procedures for risk recognition and ranking (risk assessment)


7) List of documentation for analysing and reporting risk (risk protocols)


8) Risk mitigation requirements and control mechanisms (risk response)


9) Allocation of risk management roles and responsibilities


10) Risk management training and priorities


11) Criteria for monitoring and benchmarking of risks


12) Allocation of appropriate resources to risk management


13) Risk activities and risk priorities for the coming year


Risk management responsibilities

Individual employees


  • Understand, accept and implement RM processes
  • Report inefficient, unnecessary or unworkable controls
  • Report loss events and near miss incidents
  • Cooperate with management on incident investigations

Risk manager


  • Develop the risk management policy and keep it up to date
  • Document the internal risk policies and structures
  • Coordinate the risk management (and internal control) activities
  • Compile risk information and prepare reports for the Board

Business unit manager


  • Build risk aware culture within the unit
  • Agree risk management performance targets
  • Ensure implementation of risk improvement recommendations
  • Identify and report changed circumstances / risks

Specialist risk management functions


  • Assist company in establishing specialist risk policies
  • Develop specialist contingency and recovery plans
  • Keep up to date with developments in the specialist area
  • Support investigations of incidents and near misses

CEO / Board


  • Determine strategic approach to risk and set risk appetite
  • Establish structure for risk management
  • Understand the most significant risks
  • Manage the organisation in a crisis

Internal audit manager


  • Develop a risk-based internal audit programme
  • Audit the risk processes across the organisation
  • Receive and provide assurance on the management of risk
  • Report on the efficiency and effectiveness of internal controls

Common risk assessment techniques

Inspections and audits: Physical inspections of premises and activities and audits of compliance with established systems and procedures

Flowcharts and dependency analysis: Analysis of processes and operations within organisation to identify critical components that are key to success

Workshops and brainstorming: Structured group sessions to identify events that could impact objectives, stakeholder expectations or key dependencies

HAZOP and FMEA approaches: Hazard and Operability studies and Failure Modes and Effects Analysis are structured technical failure analysis techniques (HAZOP is qualitative; FMEA is qualitative or semi-quantitative, depending on whether failure modes are scored)

Questionnaires and checklists: Collect information to assist with recognition of significant risks

SWOT and PESTLE analysis: Structured approaches to risk recognition

Drivers of risk management

Financial risks

Externally driven:


  • Accounting standards
  • Interest rates
  • Foreign exchange
  • Funds and credit

Internally driven:


  • Internal control
  • Fraud
  • Historical liabilities
  • Investments
  • Capex decisions
  • Liquidity and cashflow

Infrastructure risks

Externally driven:


  • Communications
  • Transport links
  • Supply chain
  • Terrorism
  • Natural disasters
  • Pandemic

Internally driven:


  • Recruitment
  • People skills
  • Health and safety
  • Premises
  • IT systems

Marketplace risks

Externally driven:


  • Economic environment
  • Technology developments
  • Competition
  • Customer demand
  • Regulatory requirements

Internally driven:


  • M&A activity
  • R&D activities
  • Intellectual property
  • Contracts

Reputational risks

Externally driven:


  • Product recall
  • CSR (corporate social responsibility)
  • Public perception
  • Regulator enforcement
  • Competitor behaviour

Internally driven:


  • Brand extensions
  • Board composition
  • Control environment

Risk management checklist (Details in Appendix A)

Risk protocols

Risk strategy

Risk architecture