Purpose Of This Guide
The guide is intended to help organisations put in place an effective framework for risk management. This will help them take informed decisions about the risks that affect their strategic, programme, project and operational objectives.
The guide provides a route map for risk management, bringing together principles, an approach, a process with a set of interrelated steps and pointers to more detailed sources of advice on risk management techniques and specialisms.
The M_o_R framework is based on four core concepts as follows:
• M_o_R principles: Principles are essential for the development and maintenance of good risk management practice. They are informed by corporate governance principles and the international standard for risk management ISO31000:2009.
• M_o_R approach: Principles need to be adapted and adopted to suit each individual organisation. An organisation’s approach to the principles needs to be agreed and defined within a risk management policy, process guide and strategies.
• M_o_R process: The process is divided into four main steps: identify, assess, plan and implement. Each step describes the inputs, outputs, tasks and techniques involved to ensure that the overall process is effective.
• Embedding and reviewing M_o_R: Having put in place an approach and process that satisfy the principles, an organisation should ensure that they are consistently applied across the organisation and that their application undergoes continual improvement in order for them to be effective.
What Is A Risk?
Risk is defined as ‘an uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives. A risk is measured by the combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on objectives.’
Within this definition, ‘threat’ is used to describe an uncertain event that would have a negative impact on objectives if it occurred and ‘opportunity’ is used to describe an uncertain event that would have a positive impact on objectives if it occurred. The combined effect of risks to a set of objectives is known as risk exposure, and is the extent of the risk borne by that part of the organisation at that time.
What Is Risk Management?
The task of risk management is to ensure that an organisation makes cost-effective use of a risk management process that includes a series of well-defined steps. The aim is to improve internal control and support better decision-making through a good understanding of individual risks and the overall risk exposure that exists at a particular time.
Accordingly, in this guide, the term ‘risk management’ refers to the systematic application of principles, an approach and a process to the tasks of identifying and assessing risks, and then planning and implementing risk responses.
For risk management to be effective, risks need to be:
• Identified: This involves considering uncertainties that would affect the achievement of objectives within the context of a particular organisational activity and then describing them to ensure that there is a common understanding.
• Assessed: This involves estimating the probability, impact and proximity of individual risks so they can be prioritised, and understanding the overall level of risk (risk exposure) associated with the organisational activity.
• Controlled: This involves planning appropriate responses to risks, assigning owners and actionees, and then implementing, monitoring and controlling these responses.
Why Is Risk Management Important?
Taking and managing risk is the very essence of business survival and growth.
Effective risk management is likely to improve performance against objectives by contributing to:
• Fewer sudden shocks and unwelcome surprises
• More efficient use of resources
• Reduced waste
• Reduced fraud
• Better service delivery
• Reduction in management time spent fire-fighting
• Better management of contingent and maintenance activities
• Lower cost of capital
• Improved innovation
• Increased likelihood of change initiatives being achieved
• More focus internally on doing the right things properly
• More focus externally to shape effective strategies
Many of these benefits are applicable to both the private and public sectors.
How Has Risk Management Developed?
Risk has always been an inherent feature of any undertaking; therefore risk management is not a new concept for organisations.
Only in recent years have organisations begun to recognise that risk management, in its broadest sense, applies to both negative threats and positive opportunities. Whilst it may be tempting to consider these as separate activities, in practice, opportunities and threats are seldom independent.
Legislation that requires corporate governance and internal control has increased in many parts of the world and this has created an increased focus on formal risk management. In response to organisations devising optimal ways to respond to legislation, and to identify, assess and control risks, other trends have emerged, such as the recent emphasis on enterprise risk management (ERM).
Corporate Governance and Internal Control
A major factor influencing the drive towards more formalised approaches to risk management has been the increased focus given to corporate governance and internal control across the world following the high-profile collapses of a number of major organisations. Corporate governance and internal control regimes exist in all major economies and are designed to protect the assets, earning capacity and reputation of organisations.
Corporate governance is described in the most recent UK code as the system by which organisations are directed and controlled. The responsibilities of the board include setting the company’s strategic aims, providing the leadership to put them into effect, supervising management and reporting to shareholders on their stewardship.
Risk management is one way an organisation establishes internal control alongside financial, operational and compliance controls. The UK Corporate Governance Code (2010) defines this principle:
The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems and review the effectiveness of these at least annually.
The current UK Guidance for Directors (2005) states that the board’s deliberations should include the consideration of the following factors:
• The nature and extent of the risks facing the company
• The extent and categories of risk which it regards as acceptable for the company to bear
• The likelihood of the risks concerned materialising
• The company’s ability to reduce the incidence and impact on the business of the risks that do materialise
• The costs of operating particular controls relative to the benefit thereby obtained in managing the related risks
In the US, a more radical approach has been taken, resulting in new legislation in the form of the Public Company Accounting Reform and Investor Protection Act of 2002 (also known as Sarbanes-Oxley). Of particular note in the context of risk management are the following provisions:
• The chief executive officer (CEO) and the chief financial officer (CFO) of public companies are held personally accountable for establishing and maintaining internal controls and evaluating their effectiveness.
• Public companies are required to include in each annual report an internal control report that states the responsibility of management to establish and maintain an adequate internal control structure and procedures for financial reporting and an assessment of the effectiveness of these.
Where and When Should Risk Management Be Applied?
Risk management should be applied continuously with information made available when critical decisions are being made. Decisions about risk will vary depending on whether the risk relates to long-, medium- or short-term organisational objectives.
• Strategic decisions are primarily concerned with long-term goals; these set the context for decisions at other levels of the organisation.
• Medium-term goals are usually addressed through programmes and projects to bring about business change.
• At the operational level, the emphasis is on short-term goals to ensure ongoing continuity of business services.
Risk management should be the basis for effective management of an organisation at all times, including in support of decision-making when planning the introduction of change to any of the organisational perspectives described above.
In addition to application across the strategic, programme, project and operational perspectives, the guidance within M_o_R applies to the work carried out by risk specialists who focus on particular types of risk in an organisation. Such specialisms have developed as organisations have applied particular approaches to managing specific types of risk. In some cases, these have been built into legislation or other government or industry guidance giving them justification as a specialism.
The specialisms covered are:
• Business continuity management
• Incident and crisis management
• Health and safety management
• Security risk management
• Financial risk management
• Environmental risk management
• Reputational risk management
• Contract risk management
Within this guidance, the various contexts will be described from different organisational perspectives. The organisational perspectives considered can be briefly described as:
• Strategic: Concerned with ensuring overall business success, vitality and viability.
• Programme: Concerned with transforming business strategy into new ways of working that deliver measurable benefits to the organisation.
• Project: Concerned with delivering defined outputs to an appropriate level of quality within agreed scope, time and cost constraints.
• Operational: Concerned with maintaining appropriate levels of business services to existing and new customers.
Roles and Responsibilities Relevant to Risk Management
• Writes, owns and assures adherence to the risk management policy
• Defines the overall risk appetite
• Reviews the risk management strategy
• Approves funding for risk management
• Monitors the risk profile
• Assures clarity of role and responsibility of other stakeholders
• Assists with assessing the risk context
• Monitors and acts on escalated risks
• Establishes governance
The senior manager appointed to represent the senior team:
• Ensures that appropriate governance and internal controls are in place
• Ensures risk management strategy exists
• Defines and monitors risk tolerances
• Ensures risk management policy is implemented
• Monitors and assesses the balance within the set of risks
• Owns and manages escalated risks as appropriate
• Ensures that adequate resources are available to implement the risk management strategy
• Agrees on the information that will be reported to more senior stakeholders
• Assists the team in embedding the necessary risk management practices
• Contributes to identification of key risk areas and assures that risk registers are in place for each
• Ensures that risk registers, a risk review process and an escalation process are in place
• Validates risk assessments
• Identifies the need for investment to fund risks
• Owns individual risks (including those delegated by the senior manager)
• Escalates or delegates risks to higher or lower levels in the organisation as required
• Ensures participation in the delivery of risk management
• Explicitly identifies risk management duties within the terms of engagement of other managers involved in achieving specific objectives
• Agrees with risk specialists on the timing, number and content of risk management interventions
• Agrees the timing and content of risk progress reports
• Agrees the involvement of the risk manager, audit committee and risk committee as appropriate
• Establishes how risk management will be integrated with change control and performance management
• Assures the senior team that risk accountabilities exist
• Assures compliance with guidance on internal control
• Reviews progress and plans in developing and applying the risk management policy
• Reviews the results of the assessments of management of risks
• Makes formal assessments and reports of management of risk implementation
• Ensures risk information is available to inform decision-making
• Ensures the risk management policy is implemented
• Carries out ongoing management of risk maturity assessments
• Develops plans to improve the management of risk
• Develops management of risk guidance and training
• Identifies lessons learned and disseminates learning
• Undertakes risk management training and holds seminars to embed risk management
• Prepares risk management strategies
• Prepares stakeholder analysis
• Prepares a risk breakdown structure or similar
• Participates in option analysis
• Carries out risk management interventions
• Prepares meeting/workshop aids
• Facilitates risk meetings/workshops
• Identifies risks
• Undertakes qualitative and quantitative assessment of risks
• Prepares risk management reports
• Participates (as appropriate) in the identification, assessment, planning and management of threats and opportunities
• Understands the risk management policy and how it affects them
• Implements the risk management policy within their areas of responsibility
• Escalates risks as necessary as defined by the risk management policy
Risk Management Policy
The risk management policy describes why risk management is important to the organisation, and the specific objectives served by implementing a formal risk management approach. The risk management policy is the responsibility of a member of the senior team within the organisation, or a subset of it if a local risk management policy is to be established.
Risk Management Process Guide
The risk management process guide describes how an organisation intends to carry out risk management and the role and responsibility of people who perform risk management related tasks. The risk management process guide is the responsibility of a relevant, named senior manager within the organisation. This person may delegate responsibility for defining the process guide to a relevant risk specialist.
Risk Management Strategy
A risk management strategy documents the way the risk management policy and process will be implemented for a specific organisational activity. The risk management strategy is the responsibility of the manager of the organisational activity, for example, the operations manager or the programme manager.
Risk Register
The risk register documents all of the risks that have been identified as having an impact on the objectives of the organisational activity. The risk register is the responsibility of the manager of the organisational activity, for example, the operations manager or the programme manager.
Issue Register
The issue register documents all of the unplanned situations that are happening now and that require management attention. Issues could be problems, benefits, queries or change requests. The issue register is the responsibility of the manager of the organisational activity, for example, the operations manager or programme manager. Although the resolution of issues is not part of the risk management process, the issue register is included here as it is the document that links the risk management and issue resolution processes. Issues may arise from unmanaged risks. New risks will arise from the presence of new issues.
Risk Improvement Plan
A risk improvement plan brings together all the actions required to improve the way that risk management is performed by the organisation, or a subset of it. It includes, but is not limited to, improving the culture and context within which risk management process can add value. The risk improvement plan is the responsibility of the manager of the organisational activity, for example, the operations manager or programme manager.
Risk Communications Plan
A risk communications plan may be a separate document or part of a wider communications plan for the organisational activity in question. The risk communications plan is the responsibility of the manager of the organisational activity, for example, the operations manager or programme manager.
Risk Response Plan
The risk response plan is an extension of the risk register, and configuration control between the risk register and the risk response plan must always be maintained. Risk response plans should be created and maintained by risk owners.
Risk Progress Report
A risk progress report may be a separate document or form part of a wider progress report for the organisational activity in question. Providing progress about risk management activities is the responsibility of the manager of the organisational activity, for example, the operations manager or programme manager.