Professional Documents
Culture Documents
2. Risk Management
Risk management is a central part of any It must be integrated into the culture of
organisation’s strategic management. It is the organisation with an effective policy
the process whereby organisations and a programme led by the most senior
methodically address the risks attaching to management. It must translate the
their activities with the goal of achieving strategy into tactical and operational
sustained benefit within each activity and objectives, assigning responsibility
across the portfolio of all activities. throughout the organisation with each
The focus of good risk management is the manager and employee responsible for the
identification and treatment of these risks. management of risk as part of their job
Its objective is to add maximum description. It supports accountability,
sustainable value to all the activities of the performance measurement and reward,
organisation. It marshals the thus promoting operational efficiency at
understanding of the potential upside and all levels.
downside of all those factors which can
affect the organisation. It increases the 2.1 External and Internal Factors
probability of success, and reduces both
The risks facing an organisation and its
the probability of failure and the
operations can result from factors both
uncertainty of achieving the organisation’s
external and internal to the organisation.
overall objectives.
Risk management should be a continuous The diagram overleaf summarises examples
and developing process which runs of key risks in these areas and shows that
throughout the organisation’s strategy and some specific risks can have both external
the implementation of that strategy. It and internal drivers and therefore overlap
should address methodically all the risks the two areas.They can be categorised
sur rounding the organisation’s activities past, further into types of risk such as strategic,
present and in par ticular, future. financial, operational, hazard, etc.
The
Organisation’s
Strategic
Objectives
Risk
Assessment
Risk
Analysis
Risk
Identification
Risk
Description
Risk
Estimation
Risk Evaluation
Formal
Audit
Risk
Reporting
Threats and
Opportunities
Decisio
n
Risk
Treatment
Residual Risk
Reporting
Monitoring
Risk management protects and adds value to the organisation and its stakeholders through
supporting the organisation’s objectives by:
4. Risk Analysis
4.1 Risk Identification • Financial - These concern the effective
Risk identification sets out to identify an management and control of the finances of
organisation’s exposure to uncertainty.This the organisation and the effects of external
requires an intimate knowledge of the factors such as availability of credit, foreign
organisation, the market in which it operates, exchange rates, interest rate movement and
the legal, social, political and cultural other market exposures.
environment in which it exists, as well as the • Knowledge management - These concern
development of a sound understanding of its the effective management and control of the
strategic and operational objectives,
knowledge resources, the production,
including factors cr itical to its success and the
protection and communication thereof.
threats and opportunities related to the
External factors might include the
achievement of these objectives.
unauthorised use or abuse of intellectual
Risk identification should be approached property, area power failures, and
in a methodical way to ensure that all competitive technology. Internal factors might
significant activities within the organisation be system malfunction or loss of key staff.
have been identified and all the risks
• Compliance - These concern such issues as
flowing from these activities defined.
health & safety, environmental, trade
All associated volatility related to these
activities should be identified and descriptions, consumer protection, data
categorised. protection, employment practices and
regulatory issues.
Business activities and decisions can be
Whilst risk identification can be carried
classified in a range of ways, examples of
out by outside consultants, an in-house
which include:
approach with well communicated,
• Strategic - These concern the long-term consistent and co-ordinated processes and
strategic objectives of the organisation.They tools (see Appendix, page 14) is likely to be
can be affected by such areas as capital more effective. In-house ‘ownership’ of
the risk management process is essential.
availability, sovereign and political risks,
legal and regulatory changes, reputation
4.2 Risk Description
and changes in the physical environment.
The objective of risk description is to
• Operational - These concern the day-to- display the identified risks in a structured
day issues that the organisation is format, for example, by using a table.The
confronted with as it strives to deliver its risk description table overleaf can be used
strategic objectives. to facilitate the description and assessment
1. Name of Risk
2. Scope of Risk Qualitative description of the events, their size, type,
number and dependencies
3. Nature of Risk Eg. strategic, operational, financial, knowledge or compliance
4. Stakeholders Stakeholders and their expectations
5. Quantification of Risk Significance and Probability
6. Risk Tolerance/ Loss potential and financial impact of risk
Appetite Value at risk
Probability and size of potential losses/gains
Objective(s) for control of the risk and desired level of
performance
7. Risk Treatment & Primary means by which the risk is currently managed
Control Mechanisms Levels of confidence in existing control
Identification of protocols for monitoring and review
8. Potential Action for Recommendations to reduce risk
Improvement
9. Strategy and Policy Identification of function responsible for developing strategy
Developments and policy
Medium Likely to occur in a ten Could occur more than once within the
(Possible) year time period or less time period (for example - ten years).
than 25% chance of Could be difficult to control due to
occurrence. some external influences.
Is there a history of occurrence?
4.4 Risk Analysis methods and treatment efforts. This ranks each identified
technique risk so as to give a view of the relative
sA range of techniques can be used to importance.
analyse risks.These can be specific to This process allows the risk to be mapped
upside or downside risk or be capable of to the business area affected, describes the
dealing with both. (See Appendix, page 14, primary control procedures in place and
for examples). indicates areas where the level of risk
control investment might be increased,
4.5 Risk Profile decreased or reapportioned.
The result of the risk analysis process can Accountability helps to ensure that
be used to produce a risk profile which ‘ownership’ of the risk is recognised and
gives a significance rating to each risk and the appropriate management resource
provides a tool for prioritising risk allocated.
5. Risk Evaluation
When the risk analysis process has been economic and environmental factors,
completed, it is necessary to compare the concerns of stakeholders, etc. Risk
estimated risks against risk criteria which evaluation therefore, is used to make
the organisation has established.The risk decisions about the significance of risks to
criteria may include associated costs and the organisation and whether each specific
benefits, legal requirements, socio- risk should be accepted or treated.
• ensures that the Board of Directors • the processes used to identify risks and
discharges its duties to direct strategy, build how they are addressed by the risk
management systems
value and monitor performance of the
organisation • the primary control systems in place to
manage significant risks
• ensures that management controls are in
• the monitoring and review system in place
place and are performing adequately
Any significant deficiencies uncovered by
The arrangements for the formal reporting the system, or in the system itself, should
of risk management should be clearly stated be reported together with the steps taken
and be available to the stakeholders. to deal with them.
7. Risk Treatment
Risk treatment is the process of selecting The risk analysis process assists the effective
and implementing measures to modify the and efficient operation of the organisation
risk. Risk treatment includes as its major by identifying those risks which require
element, risk control/mitigation, but attention by management.They will need
extends further to, for example, risk to prioritise risk control actions in terms of
avoidance, risk transfer, risk financing, etc. their potential to benefit the organisation.
Downside risk
• Threat analysis
• Fault tree analysis
• FMEA (Failure Mode & Effect Analysis)
On the following pages are extracts from the document PD ISO/IEC Guide 73: 2002
reproduced with the permission of British Standards Institution under licence number
2002SK/0313. British Standards can be obtained from BSI Customer Services,
389 Chiswick High Road, London W4 4AL. (Tel + 44 (0) 20 8996 9001)
Th is pu bl i ca tio n i s ava il abl e f rom the ab ove o rga ni sa tio ns f or d own lo ad f ro m the ir res p ec ti ve webs i tes f ree of c
Pl eas e har
c onge.
tac t th e i n di vid ual as s oc ia tio ns if yo u wi sh to pu rc ha se m ore c o pi es o f t hi s R i s k M ana gem ent S tan dar d in pri nt ed
f orm