What You Should Know about Risk Management
Risk Management and the corresponding Management of Risk (MoR Framework) is intended to help organisations put in place an effective framework for taking informed decisions about the risks that affect their performance objectives across all organisational activities, whether these be strategic, program, project or operational.
What You Should Know about Risk Management
Before we explain more about Risk Management, it would be good to understand the official definition of risk:
“Risk is an uncertain event or set of events which, should it occur, will have an effect on the achievement of objectives. A risk consists of a combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on objectives”.
Within this definition ‘threat’ is used to describe an uncertain event that could have a negative impact on objectives or benefits; and ‘opportunity’ is used to describe an uncertain event that could have a favorable impact on objectives or benefits. The first edition of this guide was published in 2002 in response to the Turnbull Report to provide a generic framework for risk management across all parts of an organisation. The latest edition, published in 2010, was produced to reflect the further developments in the world of risk management such as:
- In the UK public sector HM Treasury had revised its Orange Book which outlines the principles and concepts of Risk Management.
- In the private sector change had been instigated by new regulatory environments such as the Combined Code on Corporate Governance 2014 (UK), Basel II Accord (Europe), and Sarbanes-Oxley (US).
The Management of Risk (MoR) Framework
The MoR framework is based on four core concepts:
- MoR Principles. These are essential for the development of good risk management practice. They are all derived from corporate governance principles in the recognition that risk management is a subset of an organisation’s internal controls.
- MoR Approach. The principles need to be adapted and adopted to suit each individual organisation. Accordingly, an organisation’s approach to the principles needs to be agreed and defined within a Risk Management Policy, Process Guide and Strategies, and supported by the use of Risk Registers and Issue Logs.
- MoR Processes. There are four main process steps, which describe the inputs, outputs and activities involved in ensuring that risks are identified, assessed and controlled.
Embedding and Reviewing M_o_R. Having put in place the principles, approach and processes, an organisation needs to ensure that they are consistently applied across the organisation and that their application undergoes continual improvement in order for them to be effective.
The four core concepts are graphically depicted in the figure below:
The MoR Principles
The MoR principles (the outer ring of the figure) are not intended to be prescriptive but provide supportive guidance to enable organisations to develop their own polices, processes, strategies and plans to meet their specific needs. They are evolutionary in nature in that the way they are applied may need to change over time to reflect changes in circumstances.
The Management of Risk Approach
The way in which the MoR principles are implemented will vary from organisation to organisation. Collectively they provide a base on which the organisation’s risk practices can be developed. These practices describe how risk management will be undertaken throughout the organisation (i.e. the Risk Management approach). To capture and communicate these practices it is common to create a series of living documents called:
- Risk Management Policy
- Risk Management Process Guide
- Risk Management Strategies
- Risk Register
- Issue Log.
Management of Risk Processes
The MoR process diagram (inner circle of the figure above) shows the overall risk management process, consisting of four main steps represented as a circle of arrows, as it is common for the entire process to be completed several times in the lifecycle of an organisational activity. The activity ‘Communicate’ deliberately stands alone as the findings of any individual step may be communicated to management for action prior to completion of the overall process.
Embedding and Reviewing Management of Risk
Risk management needs to be integrated into the culture of the organisation. How an organisation manages its risks demonstrates a part of that organisation’s core values and improves stakeholder confidence in the organisation’s ability to cope with and manage its risks. The organisation therefore needs to ensure that risk management has been integrated effectively, has the necessary support, is addressed in an appropriate way and is successful.
A key component of the management of risk integration is the cultural acceptance and change required to embed management of risk principles and values within the organisation. This can best be achieved through a structured programme of activities that lead to the achievement of risk knowledge, understanding and education.
An organisation needs to be able to measure the effectiveness and appropriateness of risk management, including the organisation’s progress in embedding management of risk, and also its ability to develop its management of risk capability and maturity. The latter can be assessed using a maturity model and the appropriateness of risk management can be assessed against the organisation’s risk appetite.