Home truths
Friday, 18 August 2017
The failure to manage risks at their sources and to control unavoidable risks effectively has led to the recurrence of the same risks. Apparently, risk management units in many organisations have become elite silos full of white-collar professionals who are eager to produce volumes of statistical reports for senior management, irrespective of their failure to arrest the regeneration of the same risks over and over again.
The author has not worked in the Sri Lankan private business sector. However, as a keen observer and as an engineer who has a professional interest in organisational management, the author is not so convinced that the private sector risk management practices are as comprehensive as they should be. No doubt, there may be a few exceptions. Besides, the author has no hesitation to declare that in the Sri Lankan central government, the semi-government and the local government organisations, formal risk management is virtually non-existent. Otherwise, ubiquitous failures of public sector projects, programs and initiatives could not have been witnessed.
Overseas front
The Australians led the risk management field internationally: they produced the standard on Risk Management, AS/NZS 4360, in 1999 and revised it further in 2004. The International Organisation of Standards (ISO) established a working group to develop an international standard on risk management and used the innovative AS/NZS 4360-2004 as the base document. The aim was to expand AS/NZS 4360 for universal application, encompassing all industry environments.
In ISO 31000, risk is defined as the effect of uncertainty on objectives. This means that risk is no longer a negative-only concept: the effect can be either positive or negative. The change of definition has created confusion among the professionals who apply ISO 31000, and the confusion still remains, as risk is and will always be a negative concept for the majority of the public.
This new definition shifts the emphasis from the event itself to the effect of the event.
Risk is implicit in all decisions. While risks are a fact of life, the aim of managing risks should be to modify risk levels to manageable and acceptable levels, and thereafter to get on with life or the business.
Principles
Every private and public sector business entity has organisational values. They can be tangible or intangible. Organisations strive hard to protect and possibly enhance their values while performing the business. The risk management process supports this by the successful implementation of projects and programs, preserving the health and safety of workers, complying with legal and regulatory requirements, ensuring environmental sustainability, encouraging responsible governance practices, enhancing reputation, and promoting operational effectiveness and efficiency. Also, employees would have secure employment if and only if the organisation survives in the business world. On each day, the employees must walk out of the organisation safe to meet their loved ones. Hence, safety is paramount for an organisation.
The quality of strategic and operational planning makes an organisation what it is in the competitive business environment. Each and every strategic and operational planning activity contains risks, and thereby risk management activities must be performed. If an organisation claims that it embodies efficient and effective strategic and operational management techniques, the risk management architecture described in ISO 31000 must be an integral part of the management system. This is done by subjecting all management decisions to the risk management compliance test, which would eliminate hazards or reduce risk levels to acceptable levels.
Risk management should always be in all employees' minds as soon as they set foot on the business premises. Even the wrong body language in front of a customer could be a risk to the image of the organisation.
Many organisations strive to obtain and maintain quality standards such as ISO 9001 accreditation. ISO 9001 accreditation is a symbol of a quality organisation. Proper risk management is also a part of a quality organisation. Hence, best-practice risk management complements achieving and maintaining this quality accreditation status.
Framework
This is the setting up of an administrative management framework to ensure the success of risk management. It means creating an organisation-wide matrix structure, encompassing all strategic and operational management levels of business units, with a holistic focus on managing risks. It can also include the establishment of a risk management leadership unit to monitor risk management activities, to review process documents and procedures periodically, and to report on the organisation's success against risk management targets.
This policy, as with any other policy, should have a sunset clause. The compulsory review and re-enactment of the policy is done on the sunset date.
Higher-level staff members are identified with the accountability, authority and responsibility to develop, implement and maintain the risk management framework.
The next level of staff are identified for managing risks by developing solutions. They are usually the process and procedure owners within the organisation. The rest of the employees would implement the solutions.
The risk management champion must report directly to senior management, preferably to the chief executive officer, during the implementation stage. Gradually this role must be converted to the on-going management and maintenance of the risk management framework, but still reporting to the CEO on at least a quarterly basis. Once the system set-up is completed with the CEO's approval, the next stage would be to transfer the champion's management and maintenance roles to key staff members of the risk management integration matrix. Hence, staff would no longer wait for the champion to make decisions on risk management.
Continuous improvement
This is the response to the outcomes of the monitoring and reviewing action plan. Executive management has the responsibility to provide resources to implement continuous improvement recommendations.
Key stakeholders must be involved when risk appetites and tolerances are determined, to avoid conflicts among external and internal stakeholders on interpreting acceptable risks and risk levels.
As a part of the step of establishing the context, a risk matrix must be developed. This is done in two stages. The Simple Risk Matrix can be used at senior management level for initial risk screening purposes.
This must be followed by the use of a Detailed Risk Matrix developed for each business unit. As depicted, it is always helpful to assign numerical values to the descriptions to determine risk ratings. The contents of each cell of this table are to be debated and agreed by the senior and middle management of the organisation for relevance, correctness and practicality.
Risk assessment
The next three steps of the process, identification, analysis and evaluation, can be combined as the risk assessment. It is reiterated that the definition of risk includes both positive and negative effects. Positive risks would be opportunities for organisations. If an organisation identifies those in time, forward planning initiatives can make use of those opportunities to enhance the capability and capacity of the organisation.
Risk identification is to answer the questions: what, how and when might it happen? This must be done in a systematic manner to ensure all possible risks are identified.
Risk analysis is to answer the question: what will happen to the organisation, in particular to its objectives, due to these risks? This is where the Risk Matrix would be useful. However, application of the matrix must be done by competent staff members, because the level of risk is determined by the selection of the likelihood and the consequence. If the wrong categories are selected, it leads to a wrong level of risk. Hence, the selection of the likelihood and the consequence must be logical, based on proven evidence and historical data. The selection must be reviewed by an independent person before it is locked in.
Likelihood: The risk analyst must ask questions such as: In the last few years, has anyone encountered this kind of risk? Have any of our competitors experienced this previously? How often would the present ground/business conditions allow this to happen? This kind of questioning would lead to an informed decision on likelihood. The best guess can still go wrong, but as long as a structured questioning and answering process is followed, the decision making is acceptable.
Risk evaluation is the final step of risk assessment. The acceptable risk levels, tolerances, etc. described in Step I of the risk management process will be used for the evaluation of identified risks. As far as possible, the risk evaluation is done quantitatively and the values are compared with the risk thresholds for the organisation. If the risk values are above the accepted risk thresholds, the corresponding risks must undergo risk treatment. Usually, risks are listed in priority order for treatment purposes.
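The following is an added worked example, not part of the original post, showing how the numerical risk matrix described under "Continuous improvement" and the evaluation step above fit together: each risk's likelihood and consequence category is looked up on a numeric scale, the product gives the rating, the rating is placed in a band and compared with the organisation's threshold, and the risks above the threshold are listed in priority order for treatment. The 5x5 scales, the band boundaries, the threshold of 6 and the sample risk register are all constructed for illustration; an organisation would debate and agree its own cell values as the post says. The check that every selection was independently reviewed before being locked in is also an assumption about how that rule would be enforced.

```python
"""Risk-matrix scoring and evaluation (constructed example, not from the post)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed scales: category description -> numerical value.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Constructed rating bands: (inclusive lower bound of likelihood x consequence, label).
BANDS = [(15, "extreme"), (10, "high"), (5, "medium"), (1, "low")]


@dataclass
class Risk:
    name: str
    likelihood: str
    consequence: str
    reviewed_by: Optional[str] = None  # independent reviewer who locked in the selection


def rate(likelihood: str, consequence: str) -> int:
    """Return the numerical rating: the product of the two scale values."""
    return LIKELIHOOD[likelihood.lower()] * CONSEQUENCE[consequence.lower()]


def band(rating: int) -> str:
    """Map a rating onto the descriptive band used in the matrix cells."""
    for floor, label in BANDS:
        if rating >= floor:
            return label
    raise ValueError(f"rating {rating} is below the lowest band")


def evaluate(risks: List[Risk], threshold: int) -> Tuple[List[Tuple[str, int, str]], List[str]]:
    """Compare each risk's rating with the organisation's threshold.

    Returns (treatment_list, accepted). treatment_list holds (name, rating, band)
    for every risk above the threshold, highest rating first, i.e. the priority
    order for treatment; accepted holds the names of risks at or below it.
    A risk whose likelihood/consequence selection has not been independently
    reviewed is rejected outright (assumed enforcement of the review rule).
    """
    unreviewed = [r.name for r in risks if r.reviewed_by is None]
    if unreviewed:
        raise ValueError(f"selection not independently reviewed: {unreviewed}")
    scored = [(r.name, rate(r.likelihood, r.consequence)) for r in risks]
    treat = sorted(
        ((name, score, band(score)) for name, score in scored if score > threshold),
        key=lambda item: item[1],
        reverse=True,
    )
    accept = [name for name, score in scored if score <= threshold]
    return treat, accept


# Constructed sample register for one business unit.
SAMPLE_REGISTER = [
    Risk("Backup restore never tested", "possible", "major", reviewed_by="internal audit"),
    Risk("Single supplier for key component", "likely", "major", reviewed_by="internal audit"),
    Risk("Office printer outage", "likely", "insignificant", reviewed_by="internal audit"),
    Risk("Site flooding", "rare", "catastrophic", reviewed_by="internal audit"),
]
ORG_THRESHOLD = 6  # constructed: ratings above this value must undergo treatment


if __name__ == "__main__":
    treat, accept = evaluate(SAMPLE_REGISTER, ORG_THRESHOLD)
    for name, rating, label in treat:
        print(f"TREAT  {rating:>2} {label:<8} {name}")
    for name in accept:
        print(f"ACCEPT           {name}")
```

Running the script prints the two risks above the threshold first (supplier dependency rated 16, extreme; untested backup rated 12, high) and the two accepted ones after them. Because the rating is a product, a wrong category on either axis moves a risk across a band boundary, which is why the example refuses to score a risk until a reviewer is recorded.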
Risk treatment
Risk treatment is about either modifying existing risk control mechanisms or introducing new controls. For negative risks, another term, hazard, needs to be introduced. Negative risks are identified from the harm caused to a person, property or a business objective by hazardous or undesirable situations. Hence, when treating negative risks, the relevant hazards must be treated to control the risks. The treatment of hazards is hierarchical.
Posted by Thavam