ISO Risk management standard pdf
Uploaded by Dr. Ashley Burciaga, France, Researcher. Published Date: 04-07-2017
A Risk Management Standard

Introduction

This Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK, including the Institute of Risk Management (IRM).

In addition, the team sought the views and opinions of a wide range of other professional bodies with interests in risk management, during an extensive period of consultation.

Risk management is a rapidly developing discipline and there are many and varied views and descriptions of what risk management involves, how it should be conducted and what it is for. Some form of standard is needed to ensure that there is an agreed:
• terminology related to the words used
• process by which risk management can be carried out
• organisation structure for risk management
• objective for risk management

Importantly, the standard recognises that risk has both an upside and a downside.

Risk management is not just something for corporations or public organisations, but for any activity whether short or long term. The benefits and opportunities should be viewed not just in the context of the activity itself but in relation to the many and varied stakeholders who can be affected.

There are many ways of achieving the objectives of risk management and it would be impossible to try to set them all out in a single document. Therefore it was never intended to produce a prescriptive standard which would have led to a box ticking approach nor to establish a certifiable process. By meeting the various component parts of this standard, albeit in different ways, organisations will be in a position to report that they are in compliance. The standard represents best practice against which organisations can measure themselves.

The standard has wherever possible used the terminology for risk set out by the International Organization for Standardization (ISO) in its recent document ISO/IEC Guide 73 Risk Management - Vocabulary - Guidelines for use in standards.

In view of the rapid developments in this area the authors would appreciate feedback from organisations as they put the standard into use (addresses to be found on the back cover of this Guide). It is intended that regular modifications will be made to the standard in the light of best practice.

Published by IRM: 2002
A Risk Management Standard © IRM: 2002

1. Risk

Risk can be defined as the combination of the probability of an event and its consequences (ISO/IEC Guide 73).

In all types of undertaking, there is the potential for events and consequences that constitute opportunities for benefit (upside) or threats to success (downside).

Risk Management is increasingly recognised as being concerned with both positive and negative aspects of risk. Therefore this standard considers risk from both perspectives.

In the safety field, it is generally recognised that consequences are only negative and therefore the management of safety risk is focused on prevention and mitigation of harm.

2. Risk Management

Risk management is a central part of any organisation’s strategic management. It is the process whereby organisations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.

The focus of good risk management is the identification and treatment of these risks. Its objective is to add maximum sustainable value to all the activities of the organisation. It marshals the understanding of the potential upside and downside of all those factors which can affect the organisation. It increases the probability of success, and reduces both the probability of failure and the uncertainty of achieving the organisation’s overall objectives.

Risk management should be a continuous and developing process which runs throughout the organisation’s strategy and the implementation of that strategy. It should address methodically all the risks surrounding the organisation’s activities past, present and in particular, future.

It must be integrated into the culture of the organisation with an effective policy and a programme led by the most senior management. It must translate the strategy into tactical and operational objectives, assigning responsibility throughout the organisation with each manager and employee responsible for the management of risk as part of their job description. It supports accountability, performance measurement and reward, thus promoting operational efficiency at all levels.

2.1 External and Internal Factors

The risks facing an organisation and its operations can result from factors both external and internal to the organisation. The diagram overleaf summarises examples of key risks in these areas and shows that some specific risks can have both external and internal drivers and therefore overlap the two areas. They can be categorised further into types of risk such as strategic, financial, operational, hazard, etc.

[Figure 2.1 Examples of the Drivers of Key Risks: diagram of externally and internally driven risks; not reproduced in this extract]
2.2 The Risk Management Process

[Figure 2.2 The Risk Management Process: flow diagram from The Organisation’s Strategic Objectives to Risk Assessment (Risk Analysis: Risk Identification, Risk Description, Risk Estimation; then Risk Evaluation), Risk Reporting: Threats and Opportunities, Decision, Risk Treatment, Residual Risk Reporting and Monitoring, with Formal Audit and Modification shown alongside the main flow; not reproduced in this extract]

Risk management protects and adds value to the organisation and its stakeholders through supporting the organisation’s objectives by:
• providing a framework for an organisation that enables future activity to take place in a consistent and controlled manner
• improving decision making, planning and prioritisation by comprehensive and structured understanding of business activity, volatility and project opportunity/threat
• contributing to more efficient use/allocation of capital and resources within the organisation
• reducing volatility in the non essential areas of the business
• protecting and enhancing assets and company image
• developing and supporting people and the organisation’s knowledge base
• optimising operational efficiency

3. Risk Assessment

Risk Assessment is defined by the ISO/IEC Guide 73 as the overall process of risk analysis and risk evaluation. (See appendix)

4. Risk Analysis

4.1 Risk Identification

Risk identification sets out to identify an organisation’s exposure to uncertainty. This requires an intimate knowledge of the organisation, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to its success and the threats and opportunities related to the achievement of these objectives.

Risk identification should be approached in a methodical way to ensure that all significant activities within the organisation have been identified and all the risks flowing from these activities defined. All associated volatility related to these activities should be identified and categorised.

Business activities and decisions can be classified in a range of ways, examples of which include:
• Strategic - These concern the long-term strategic objectives of the organisation. They can be affected by such areas as capital availability, sovereign and political risks, legal and regulatory changes, reputation and changes in the physical environment.
• Operational - These concern the day-to-day issues that the organisation is confronted with as it strives to deliver its strategic objectives.
• Financial - These concern the effective management and control of the finances of the organisation and the effects of external factors such as availability of credit, foreign exchange rates, interest rate movement and other market exposures.
• Knowledge management - These concern the effective management and control of the knowledge resources, the production, protection and communication thereof. External factors might include the unauthorised use or abuse of intellectual property, area power failures, and competitive technology. Internal factors might be system malfunction or loss of key staff.
• Compliance - These concern such issues as health & safety, environmental, trade descriptions, consumer protection, data protection, employment practices and regulatory issues.

Whilst risk identification can be carried out by outside consultants, an in-house approach with well communicated, consistent and co-ordinated processes and tools (see Appendix, page 14) is likely to be more effective. In-house ‘ownership’ of the risk management process is essential.

4.2 Risk Description

The objective of risk description is to display the identified risks in a structured format, for example, by using a table. The risk description table overleaf can be used
to facilitate the description and assessment of risks. The use of a well designed structure is necessary to ensure a comprehensive risk identification, description and assessment process. By considering the consequence and probability of each of the risks set out in the table, it should be possible to prioritise the key risks that need to be analysed in more detail. Identification of the risks associated with business activities and decision making may be categorised as strategic, project/tactical, operational. It is important to incorporate risk management at the conceptual stage of projects as well as throughout the life of a specific project.

Table 4.2 Risk Description
1. Name of Risk
2. Scope of Risk: Qualitative description of the events, their size, type, number and dependencies
3. Nature of Risk: e.g. strategic, operational, financial, knowledge or compliance
4. Stakeholders: Stakeholders and their expectations
5. Quantification of Risk: Significance and Probability
6. Risk Tolerance/Appetite: Loss potential and financial impact of risk; Value at risk; Probability and size of potential losses/gains; Objective(s) for control of the risk and desired level of performance
7. Risk Treatment & Control Mechanisms: Primary means by which the risk is currently managed; Levels of confidence in existing control; Identification of protocols for monitoring and review
8. Potential Action for Improvement: Recommendations to reduce risk
9. Strategy and Policy Developments: Identification of function responsible for developing strategy and policy

4.3 Risk Estimation

Risk estimation can be quantitative, semi-quantitative or qualitative in terms of the probability of occurrence and the possible consequence.

For example, consequences both in terms of threats (downside risks) and opportunities (upside risks) may be high, medium or low (see table 4.3.1). Probability may be high, medium or low but requires different definitions in respect of threats and opportunities (see tables 4.3.2 and 4.3.3).

Examples are given in the tables overleaf.

Different organisations will find that different measures of consequence and probability will suit their needs best. For example many organisations find that assessing consequence and probability as high, medium or low is quite adequate for their needs and can be presented as a 3 x 3 matrix. Other organisations find that assessing consequence and probability using a 5 x 5 matrix gives them a better evaluation.

Table 4.3.1 Consequences - Both Threats and Opportunities
High: Financial impact on the organisation is likely to exceed £x; Significant impact on the organisation’s strategy or operational activities; Significant stakeholder concern
Medium: Financial impact on the organisation likely to be between £x and £y; Moderate impact on the organisation’s strategy or operational activities; Moderate stakeholder concern
Low: Financial impact on the organisation likely to be less than £y; Low impact on the organisation’s strategy or operational activities; Low stakeholder concern

Table 4.3.2 Probability of Occurrence - Threats
High (Probable)
  Description: Likely to occur each year or more than 25% chance of occurrence.
  Indicators: Potential of it occurring several times within the time period (for example - ten years). Has occurred recently.
Medium (Possible)
  Description: Likely to occur in a ten year time period or less than 25% chance of occurrence.
  Indicators: Could occur more than once within the time period (for example - ten years). Could be difficult to control due to some external influences. Is there a history of occurrence?
Low (Remote)
  Description: Not likely to occur in a ten year period or less than 2% chance of occurrence.
  Indicators: Has not occurred. Unlikely to occur.

Table 4.3.3 Probability of Occurrence - Opportunities
High (Probable)
  Description: Favourable outcome is likely to be achieved in one year or better than 75% chance of occurrence.
  Indicators: Clear opportunity which can be relied on with reasonable certainty, to be achieved in the short term based on current management processes.
Medium (Possible)
  Description: Reasonable prospects of favourable results in one year of 25% to 75% chance of occurrence.
  Indicators: Opportunities which may be achievable but which require careful management. Opportunities which may arise over and above the plan.
Low (Remote)
  Description: Some chance of favourable outcome in the medium term or less than 25% chance of occurrence.
  Indicators: Possible opportunity which has yet to be fully investigated by management. Opportunity for which the likelihood of success is low on the basis of management resources currently being applied.

4.4 Risk Analysis methods and techniques

A range of techniques can be used to analyse risks. These can be specific to upside or downside risk or be capable of dealing with both. (See Appendix, page 14, for examples).

4.5 Risk Profile

The result of the risk analysis process can be used to produce a risk profile which gives a significance rating to each risk and provides a tool for prioritising risk treatment efforts. This ranks each identified risk so as to give a view of the relative importance.

This process allows the risk to be mapped to the business area affected, describes the primary control procedures in place and indicates areas where the level of risk control investment might be increased, decreased or reapportioned.

Accountability helps to ensure that ‘ownership’ of the risk is recognised and the appropriate management resource allocated.

5. Risk Evaluation

When the risk analysis process has been completed, it is necessary to compare the estimated risks against risk criteria which the organisation has established. The risk criteria may include associated costs and benefits, legal requirements, socio-economic and environmental factors, concerns of stakeholders, etc. Risk evaluation, therefore, is used to make decisions about the significance of risks to the organisation and whether each specific risk should be accepted or treated.

6. Risk Reporting and Communication

6.1 Internal Reporting

Different levels within an organisation need different information from the risk management process.

The Board of Directors should:
• know about the most significant risks facing the organisation
• know the possible effects on shareholder value of deviations to expected performance ranges
• ensure appropriate levels of awareness throughout the organisation
• know how the organisation will manage a crisis
• know the importance of stakeholder confidence in the organisation
• know how to manage communications with the investment community where applicable
• be assured that the risk management process is working effectively
• publish a clear risk management policy covering risk management philosophy and responsibilities

Business Units should:
• be aware of risks which fall into their area of responsibility, the possible impacts these may have on other areas and the consequences other areas may have on them
• have performance indicators which allow them to monitor the key business and financial activities, progress towards objectives and identify developments which require intervention (e.g. forecasts and budgets)
• have systems which communicate variances in budgets and forecasts at appropriate frequency to allow action to be taken
• report systematically and promptly to senior management any perceived new risks or failures of existing control measures

Individuals should:
• understand their accountability for individual risks
• understand how they can enable continuous improvement of risk management response
• understand that risk management and risk awareness are a key part of the organisation’s culture
• report systematically and promptly to senior management any perceived new risks or failures of existing control measures

6.2 External Reporting

A company needs to report to its stakeholders on a regular basis setting out its risk management policies and the effectiveness in achieving its objectives.

Increasingly stakeholders look to organisations to provide evidence of effective management of the organisation’s non-financial performance in such areas as community affairs, human rights, employment practices, health and safety and the environment.

Good corporate governance requires that companies adopt a methodical approach to risk management which:
• protects the interests of their stakeholders
• ensures that the Board of Directors discharges its duties to direct strategy, build value and monitor performance of the organisation
• ensures that management controls are in place and are performing adequately

The arrangements for the formal reporting of risk management should be clearly stated and be available to the stakeholders.

The formal reporting should address:
• the control methods - particularly management responsibilities for risk management
• the processes used to identify risks and how they are addressed by the risk management systems
• the primary control systems in place to manage significant risks
• the monitoring and review system in place

Any significant deficiencies uncovered by the system, or in the system itself, should be reported together with the steps taken to deal with them.

7. Risk Treatment

Risk treatment is the process of selecting and implementing measures to modify the risk. Risk treatment includes as its major element, risk control/mitigation, but extends further to, for example, risk avoidance, risk transfer, risk financing, etc.

NOTE: In this standard, risk financing refers to the mechanisms (e.g. insurance programmes) for funding the financial consequences of risk. Risk financing is not generally considered to be the provision of funds to meet the cost of implementing risk treatment (as defined by ISO/IEC Guide 73; see page 17).

The risk analysis process assists the effective and efficient operation of the organisation by identifying those risks which require attention by management. They will need to prioritise risk control actions in terms of their potential to benefit the organisation.

Effectiveness of internal control is the degree to which the risk will either be eliminated or reduced by the proposed control measures.

Cost effectiveness of internal control relates to the cost of implementing the control compared to the risk reduction benefits expected.

Firstly, the cost of implementation has to be established. This has to be calculated with some accuracy since it quickly becomes the baseline against which cost effectiveness is measured. The loss to be expected if no action is taken must also be estimated and by comparing the results, management can decide whether or not to implement the risk control measures.

Compliance with laws and regulations is not an option. An organisation must understand the applicable laws and must implement a system of controls to achieve compliance. There is only occasionally some flexibility where the cost of reducing a risk may be totally disproportionate to that risk.

One method of obtaining financial protection against the impact of risks is through risk financing which includes insurance. However, it should be recognised that some losses or elements of a loss will be uninsurable, e.g. the uninsured costs associated with work-related health, safety or environmental incidents, which may include damage to employee morale and the organisation’s reputation.

8. Monitoring and Review of the Risk Management Process

Effective risk management requires a reporting and review structure to ensure that risks are effectively identified and assessed and that appropriate controls and responses are in place. Regular audits of policy and standards compliance should be carried out and standards performance reviewed to identify opportunities for improvement. It should be remembered that organisations are dynamic and operate in dynamic environments. Changes in the organisation and the environment in which it operates must be identified and appropriate changes made to systems.

Any monitoring and review process should also determine whether:
• the measures adopted resulted in what was intended
• the procedures adopted and information
Changes in the gathered for undertaking the assessment organisation and the environment in which Any system of risk treatment should The proposed controls need to be were appropriate it operates must be identified and provide as a minimum: measured in terms of potential economic appropriate modifications made to systems. • improved knowledge would have helped effect if no action is taken versus the cost • effective and efficient operation of the to reach better decisions and identify The monitoring process should provide of the proposed action(s) and invariably organisation what lessons could be learned for assurance that there are appropriate controls in require more detailed information and • effective internal controls future assessments and management of place for the organisation’s activities and that assumptions than are immediately the procedures are understood and followed. risks • compliance with laws and regulations. available. 10 A Risk Management Standard © IRM: 2002 11Good corporate governance requires that The formal reporting should address: Firstly, the cost of implementation has to compliance. There is only occasionally be established. This has to be calculated some flexibility where the cost of reducing companies adopt a methodical approach to • the control methods - particularly with some accuracy since it quickly a risk may be totally disproportionate to risk management which: management responsibilities for risk becomes the baseline against which cost that risk. • protects the interests of their stakeholders management effectiveness is measured. 
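A worked example added here (it is not part of the IRM standard and not IRM tooling): a small risk register that applies the 25% and 75% likelihood cut-offs from the opportunity table, ranks risks into a profile (4.5) using expected loss as the significance rating, and makes the section 7 decision by comparing the cost of implementing a control against the loss expected if no action is taken, with legally required controls implemented regardless of cost. The risk names, probabilities, monetary figures, the choice of expected loss as the rating, and the "High (Probable)" label for probabilities above 75% are all assumptions.

```python
"""Added example; not code from the IRM standard. Constructed sample data.

Applies the 25%/75% likelihood cut-offs from the opportunity table, ranks a risk
register into a risk profile (4.5) by expected loss, and makes the section 7
decision: cost of implementing a control against the loss expected if no action
is taken, with compliance controls implemented regardless of cost.
"""
from dataclasses import dataclass


def likelihood_band(probability: float) -> str:
    """Medium (Possible) is 25% to 75% and Low (Remote) under 25%, as on the page;
    above 75% is labelled High (Probable) here (assumed; that row is not shown)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be a fraction between 0 and 1")
    if probability > 0.75:
        return "High (Probable)"
    if probability >= 0.25:
        return "Medium (Possible)"
    return "Low (Remote)"


@dataclass
class Risk:
    name: str
    probability: float            # estimated probability of occurrence per year
    impact: float                 # estimated loss if the event occurs
    control_cost: float           # cost of implementing the proposed control
    residual_probability: float   # probability remaining with the control in place
    legally_required: bool = False  # control needed for legal/regulatory compliance

    def expected_loss(self, probability=None) -> float:
        """Loss to be expected over a year at the given (or current) probability."""
        p = self.probability if probability is None else probability
        return p * self.impact


def risk_profile(risks):
    """Risk profile: identified risks ranked by significance (expected loss, no action)."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def treatment_decision(risk):
    """Section 7: effectiveness is the expected loss the control removes; it is cost
    effective when that benefit exceeds the implementation cost. Compliance with
    laws and regulations is not an option, so a required control is always implemented."""
    benefit = risk.expected_loss() - risk.expected_loss(risk.residual_probability)
    if risk.legally_required:
        return "implement (compliance)", benefit
    if benefit > risk.control_cost:
        return "implement", benefit
    return "do not implement; consider other treatment", benefit


def build_register(risks):
    """One row per risk, in profile order, as input to the formal report."""
    rows = []
    for r in risk_profile(risks):
        decision, benefit = treatment_decision(r)
        rows.append({"risk": r.name, "likelihood": likelihood_band(r.probability),
                     "expected_loss": r.expected_loss(), "control_benefit": benefit,
                     "control_cost": r.control_cost, "decision": decision})
    return rows


# Constructed sample register: illustrative figures only.
SAMPLE_RISKS = [
    Risk("Ransomware on file servers", 0.40, 500_000, 60_000, 0.10),
    Risk("Breach via unpatched web application", 0.80, 200_000, 150_000, 0.50),
    Risk("Work-related health and safety incident", 0.05, 100_000, 20_000, 0.01,
         legally_required=True),
    Risk("Key supplier failure", 0.20, 300_000, 10_000, 0.15),
]
```

Calling `build_register(SAMPLE_RISKS)` returns the profile in descending significance; the web application control fails the cost comparison (benefit 60,000 against cost 150,000), while the health and safety control is implemented despite failing it because it is a compliance requirement.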
9. The Structure and Administration of Risk Management

Risk Management Policy

An organisation’s risk management policy should set out its approach to and appetite for risk and its approach to risk management. The policy should also set out responsibilities for risk management throughout the organisation.

Furthermore, it should refer to any legal requirements for policy statements eg. for Health and Safety.

Attaching to the risk management process is an integrated set of tools and techniques for use in the various stages of the business process. To work effectively, the risk management process requires:
• commitment from the chief executive and executive management of the organisation
• assignment of responsibilities within the organisation
• allocation of appropriate resources for training and the development of an enhanced risk awareness by all stakeholders.

Role of the Board

The Board has responsibility for determining the strategic direction of the organisation and for creating the environment and the structures for risk management to operate effectively.

This may be through an executive group, a non-executive committee, an audit committee or such other function that suits the organisation’s way of operating and is capable of acting as a ‘sponsor’ for risk management.

The Board should, as a minimum, consider, in evaluating its system of internal control:
• the nature and extent of downside risks acceptable for the company to bear within its particular business
• the likelihood of such risks becoming a reality
• how unacceptable risks should be managed
• the company’s ability to minimise the probability and impact on the business
• the costs and benefits of the risk and control activity undertaken
• the effectiveness of the risk management process
• the risk implications of board decisions

Role of the Business Units

This includes the following:
• the business units have primary responsibility for managing risk on a day-to-day basis
• business unit management is responsible for promoting risk awareness within their operations; they should introduce risk management objectives into their business
• risk management should be a regular management-meeting item to allow consideration of exposures and to reprioritise work in the light of effective risk analysis
• business unit management should ensure that risk management is incorporated at the conceptual stage of projects as well as throughout a project

Role of the Risk Management Function

Depending on the size of the organisation the risk management function may range from a single risk champion, a part time risk manager, to a full scale risk management department. The role of the Risk Management function should include the following:
• setting policy and strategy for risk management
• primary champion of risk management at strategic and operational level
• building a risk aware culture within the organisation including appropriate education
• establishing internal risk policy and structures for business units
• designing and reviewing processes for risk management
• co-ordinating the various functional activities which advise on risk management issues within the organisation
• developing risk response processes, including contingency and business continuity programmes
• preparing reports on risk for the board and the stakeholders

Role of Internal Audit

The role of Internal Audit is likely to differ from one organisation to another. In practice, Internal Audit’s role may include some or all of the following:
• focusing the internal audit work on the significant risks, as identified by management, and auditing the risk management processes across an organisation
• providing assurance on the management of risk
• providing active support and involvement in the risk management process
• facilitating risk identification/assessment and educating line staff in risk management and internal control
• co-ordinating risk reporting to the board, audit committee, etc

In determining the most appropriate role for a particular organisation, Internal Audit should ensure that the professional requirements for independence and objectivity are not breached.

Resources and Implementation

The resources required to implement the organisation’s risk management policy should be clearly established at each level of management and within each business unit.

In addition to other operational functions they may have, those involved in risk management should have their roles in co-ordinating risk management policy/strategy clearly defined. The same clear definition is also required for those involved in the audit and review of internal controls and facilitating the risk management process.

Risk management should be embedded within the organisation through the strategy and budget processes. It should be highlighted in induction and all other training and development as well as within operational processes e.g. product/service development projects.

10. Appendix

Risk Identification Techniques (Examples)
• Brainstorming
• Questionnaires
• Business studies which look at each business process and describe both the internal processes and external factors which can influence those processes
• Industry benchmarking
• Scenario analysis
• Risk assessment workshops
• Incident investigation
• Auditing and inspection
• HAZOP (Hazard & Operability Studies)

Risk Analysis Methods and Techniques (Examples)

Upside risk
• Market survey
• Prospecting
• Test marketing
• Research and Development
• Business impact analysis

Both
• Dependency modelling
• SWOT analysis (Strengths, Weaknesses, Opportunities, Threats)
• Event tree analysis
• Business continuity planning
• BPEST (Business, Political, Economic, Social, Technological) analysis
• Real Option Modelling
• Decision taking under conditions of risk and uncertainty
• Statistical inference
• Measures of central tendency and dispersion
• PESTLE (Political Economic Social Technical Legal Environmental)

Downside risk
• Threat analysis
• Fault tree analysis
• FMEA (Failure Mode & Effect Analysis)

The Institute of Risk Management
6 Lloyd’s Avenue, London EC3N 3AX
Telephone 020 7709 9808
Facsimile 020 7709 0716
Email enquiries@theirm.org
www.theirm.org

This document is available for download free of charge from the website of the Institute of Risk Management