Risk management is an increasingly important
business driver and stakeholders have become
much more concerned about risk. Risk may be a
driver of strategic decisions, it may be a cause of
uncertainty in the organisation or it may simply be
embedded in the activities of the organisation. An
enterprise-wide approach to risk management
enables an organisation to consider the potential
impact of all types of risks on all processes,
activities, stakeholders, products and services.
Implementing a comprehensive approach will
result in an organisation benefiting from what is
often referred to as the ‘upside of risk’.

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000
Contents

Executive summary
Introduction
Acknowledgements

Part 1: Risk, risk management and ISO 31000
1 Nature and impact of risk
2 Principles of risk management
3 Review of ISO 31000
4 Achieving the benefits of ERM

Part 2: Enterprise risk management
5 Planning and designing
6 Implementing and benchmarking
7 Measuring and monitoring
8 Learning and reporting

Appendices
A Risk management checklist
B Implementation summary

List of figures
1 Risk architecture, strategy and protocols
2 Framework for managing risk (based on ISO 31000)
3 Risk management process (based on ISO 31000)
4 Risk architecture of a large PLC
5 Drivers of risk management

List of tables
1 Detailed risk description
2 Contents of risk management policy
3 Risk management responsibilities
4 Risk assessment techniques

© AIRMIC, Alarm, IRM: 2010
Introduction

This guide is the result of work by a team drawn from the main risk management organisations in the UK – the Association of Insurance and Risk Managers (AIRMIC), the public sector risk management association (Alarm) and the Institute of Risk Management (IRM). The guide is intended to be applicable to all types of organisations. Throughout the guide, the word Board is used to signify the decision-making body within an organisation. In the public sector, this body may be referred to as the Council, Executive or Authority.

There are many opinions regarding what risk management involves, how it should be implemented and what it can achieve. International Organisation for Standardisation (ISO) standard 31000 was published in 2009 and seeks to answer these questions. This guide includes a brief commentary on ISO 31000, as well as providing further information on the successful implementation of risk management. Importantly, this guide recognises that risk has both an upside and downside.

Risk management principles

Risk management is a process that is underpinned by a set of principles. Also, it needs to be supported by a structure that is appropriate to the organisation and its external environment or context. A successful risk management initiative should be proportionate to the level of risk in the organisation (as related to the size, nature and complexity of the organisation), aligned with other corporate activities, comprehensive in its scope, embedded into routine activities and dynamic by being responsive to changing circumstances.

This approach will enable a risk management initiative to deliver outputs, including compliance with applicable governance requirements, assurance to stakeholders regarding the management of risk and improved decision-making. The impact or benefits associated with these outputs include more efficient operations, effective tactics and efficacious strategy. These benefits need to be measurable and sustainable.

Appendix A provides a checklist of actions that should be completed in order to fully satisfy risk management requirements.

COSO ERM framework and ISO 31000

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published an Enterprise Risk Management (ERM) standard in 2004. The COSO ERM cube is well known to risk management practitioners and it provides a framework for undertaking ERM. It has gained considerable influence because it is linked to the Sarbanes-Oxley requirements for companies listed in the United States. ISO 31000 was published in 2009 as an internationally agreed standard for the implementation of risk management principles.

This guide provides a structured approach to implementing risk management on an enterprise-wide basis that is compatible with both COSO ERM and ISO 31000. However, the guide places more emphasis on ISO 31000 because it is an international standard and many organisations have international operations. At the same time as publishing ISO 31000, ISO also produced Guide 73 ‘Risk management – Vocabulary – Guidelines for use in standards’.

Acknowledgements

Permission to reproduce extracts from ISO 31000 ‘Risk management – Code of practice’ is granted by the BSI. British Standards can be obtained in PDF or hard copy formats from the BSI online shop: www.bsigroup.com/shop or by contacting BSI Customer Services for hardcopies only: Tel: +44 (0)20 8996 9001, e-mail: cservices@bsigroup.com

Figure 1, Figure 4, Table 2, Table 3 and Table 4 are reproduced with kind permission of Kogan Page Limited from “Fundamentals of Risk Management” (2010), ISBN 978 0 7494 5942 0, www.koganpage.com
Part 1: Risk, risk management and ISO 31000

Part 1 provides an overview of risk and risk management with particular reference to ISO 31000. The terminology used to describe the steps in the risk management process is not consistent and this part reflects on these difficulties. A summary of the risk management requirements that should be in place in order to ensure good standards of risk governance is presented by way of a checklist in Appendix A.

1: Nature and impact of risk

Risks can impact an organisation in the short, medium and long term. These risks are related to operations, tactics and strategy, respectively. Strategy sets out the long-term aims of the organisation, and the strategic planning horizon for an organisation will typically be 3, 5 or more years. Tactics define how an organisation intends to achieve change. Therefore, tactical risks are typically associated with projects, mergers, acquisitions and product developments. Operations are the routine activities of the organisation.

Definition of risk

There are many definitions of risk and risk management. The definition set out in ISO Guide 73 is that risk is the “effect of uncertainty on objectives”. In order to assist with the application of this definition, Guide 73 also states that an effect may be positive, negative or a deviation from the expected, and that risk is often described by an event, a change in circumstances or a consequence.

This definition links risks to objectives. Therefore, this definition of risk can most easily be applied when the objectives of the organisation are comprehensive and fully stated. Even when fully stated, the objectives themselves need to be challenged and the assumptions on which they are based should be tested, as part of the risk management process.

For example, consider the infrastructure of an organisation and the implementation of a new IT system. The choices of hardware and software are strategic decisions. If these choices are incorrect, the consequences will not be obvious for some time. The associated risks are strategic risks and these risks will be taken with the intention of achieving benefits. Correct strategic decisions deliver benefits that result in achievement of the upside of risk.

The project to install the new hardware and software will be a change initiative that represents the tactics by which strategy will be implemented. Risks within the project need to be managed, so that the project is delivered on time, within budget and to specification. Again, it is possible to achieve an upside in the execution of the project, whereby the project is delivered early and below budget. It is also possible that the IT hardware and software will deliver greater benefits than anticipated.

Once the new hardware and software have been installed, the system will be vulnerable to operational risks, including computer breakdown, loss of data, virus attacks and operator errors. These operational risks may be very significant, and correct procedures will need to be designed and implemented to minimise potential disruption.
Table 1: Detailed risk description

1 Name or title of risk
  - Unique identifier or risk index
2 Scope of risk
  - Scope of risk and details of possible events, including description of the events, their size, type and number
3 Nature of risk
  - Classification of risk, timescale of potential impact and description as hazard, opportunity or uncertainty
4 Stakeholders
  - Stakeholders, both internal and external, and their expectations
5 Risk evaluation
  - Likelihood and magnitude of event and possible impact or consequences should the risk materialise at current level
6 Loss experience
  - Previous incidents and prior loss experience of events related to the risk
7 Risk tolerance, appetite or attitude
  - Loss potential and anticipated financial impact of the risk
  - Target for control of risk and desired level of performance
  - Risk attitude, appetite, tolerance or limits for the risk
8 Risk response, treatment and controls
  - Existing control mechanisms and activities
  - Level of confidence in existing controls
  - Procedures for monitoring and review of risk performance
9 Potential for risk improvement
  - Potential for cost-effective risk improvement or modification
  - Recommendations and deadlines for implementation
  - Responsibility for implementing any improvements
10 Strategy and policy developments
  - Responsibility for developing strategy related to the risk
  - Responsibility for auditing compliance with controls

Recording risk assessments

Risk assessment involves the identification of risks followed by their evaluation or ranking. It is important to have a template for recording appropriate information about each risk. Table 1 shows the range of information that may need to be recorded. The objective of a template is to enable the information to be recorded in a table, risk register, spreadsheet or a computer-based system. Although a simple description of a risk is sometimes sufficient, there are circumstances where a detailed risk description may be required in order to facilitate a comprehensive risk assessment process.

The consequences of a risk materialising may be negative (hazard risks), positive (opportunity risks) or may result in greater uncertainty. Organisations need to establish appropriate definitions for the different levels of likelihood and consequences associated with these different risks. Risk ranking can be quantitative, semi-quantitative or qualitative in terms of the likelihood of occurrence and the possible consequences or impact. Organisations will need to define their own measures of likelihood of occurrence and consequences.

For example, many organisations find that assessing likelihood and consequences as high, medium or low, with the results presented on a 3 x 3 risk matrix, is adequate. Other organisations find that more options are necessary and a 4 x 4 or 5 x 5 risk matrix is required. By considering the likelihood and consequences of each risk, it will be possible to prioritise or rank the key risks for further analysis.

Risk classification systems

An important part of analysing a risk is to determine the nature, source or type of impact of the risk. Evaluation of risks in this way may be enhanced by the use of a risk classification system. Risk classification systems are important because they enable an organisation to identify accumulations of similar risks. A risk classification system will also enable an organisation to identify which strategies, tactics and operations are most vulnerable.

Risk classification systems are usually based on the division of risks into those related to financial control, operational efficiency, reputational exposure and commercial activities. However, there is no risk classification system that is universally applicable to all types of organisations.
This may be especially true for organisations operating in the public sector and those involved in the delivery of services to the public. There are many risk classification systems available and the one selected will depend on the size, nature and complexity of the organisation. ISO 31000 does not recommend a specific risk classification system and each organisation will need to develop the system most appropriate to the range of risks that it faces.

2: Principles of risk management

Risk management is a central part of the strategic management of any organisation. It is the process whereby organisations methodically address the risks attached to their activities. A successful risk management initiative should be proportionate to the level of risk in the organisation, aligned with other corporate activities, comprehensive in its scope, embedded into routine activities and dynamic by being responsive to changing circumstances.

The focus of risk management is the assessment of significant risks and the implementation of suitable risk responses. The objective is to achieve maximum sustainable value from all the activities of the organisation. Risk management enhances the understanding of the potential upside and downside of the factors that can affect an organisation. It increases the probability of success and reduces both the probability of failure and the level of uncertainty associated with achieving the objectives of the organisation.

Context for risk management

Risk management should be a continuous process that supports the development and implementation of the strategy of an organisation. It should methodically address all the risks associated with all of the activities of the organisation. In all types of undertaking, there is the potential for events that constitute opportunities for benefit (upside), threats to success (downside) or an increased degree of uncertainty.

It is often argued that, for health and safety risks, the consequences can only be negative and the management of safety risk should focus on prevention and mitigation of harm. However, for outsourced service providers, setting good standards of health and safety may be part of winning contracts and this demonstrates that there is an upside to safety risk management.

Risk aware culture

Risk management must be integrated into the culture of the organisation and this will include mandate, leadership and commitment from the Board. It must translate risk strategy into tactical and operational objectives, and assign risk management responsibilities throughout the organisation. It should support accountability, performance measurement and reward, thus promoting operational efficiency at all levels. Achieving a good risk aware culture is ensured by establishing an appropriate risk architecture, strategy and protocols.

In order to successfully implement, support and sustain the risk management process, a structure is required. ISO 31000 refers to this structure as the risk management context. Figure 1 illustrates a suitable structure in terms of the risk architecture, strategy and protocols, and briefly describes the key features of each element. This structure is designed to give context to risk management activities and support the risk management process.

Risk management process

The risk management process can be presented as a list of co-ordinated activities. There are alternative descriptions of this process, but the components listed below are usually present. This list represents the 7Rs and 4Ts of (hazard) risk management:

- recognition or identification of risks
- ranking or evaluation of risks
- responding to significant risks
  - tolerate
  - treat
  - transfer
  - terminate
- resourcing controls
- reaction planning
- reporting and monitoring risk performance
- reviewing the risk management framework
Figure 1: Risk architecture, strategy and protocols

Risk architecture
- Risk architecture specifies the roles, responsibilities, communication and risk reporting structure

Risk strategy
- Risk strategy, appetite, attitudes and philosophy are defined in the Risk Management Policy

Risk protocols
- Risk protocols are presented in the form of the risk guidelines for the organisation and include the rules and procedures, as well as specifying the risk management methodologies, tools and techniques that should be used

Together these three elements support the risk management process.

Recognition and ranking of risks together form the risk assessment activity. ISO 31000 uses the phrase ‘risk treatment’ to include all of the 4Ts included under the heading ‘risk response’. The scope of risk responses available for hazard risks includes the options of tolerate, treat, transfer or terminate the risk or the activity that gives rise to the risk. For many risks, these responses may be applied in combination. For opportunity risks, the range of available options includes exploiting the risk. Reaction planning includes business continuity planning and disaster recovery planning.

3: Review of ISO 31000

ISO 31000 describes the components of a risk management implementation framework. Figure 2 provides a simplified version of this implementation framework. It includes the essential steps in the implementation and ongoing support of the risk management process. The initial component of the ISO 31000 framework is ‘mandate and commitment’ by the Board and this is followed by:

- design of framework
- implement risk management
- monitor and review framework
- improve framework

Framework for managing risk

ISO 31000 describes a framework for implementing risk management, rather than a framework for supporting the risk management process. Information on designing the framework that supports the risk management process is not set out in detail in ISO 31000. An organisation will describe its framework for supporting risk management by way of the risk architecture, strategy and protocols for the organisation.

The risk architecture, strategy and protocols shown in Figure 1 represent the internal arrangements for communicating on risk issues. They also set out the roles and responsibilities of the individuals and committees that support the risk management process. The risk strategy should set out the objectives that risk management activities in the organisation are seeking to achieve. Finally, the risk protocols describe the procedures by which the strategy will be implemented and risks managed.

4: Achieving the benefits of ERM

Figure 3 provides a simplified version of the risk management process from ISO 31000 using the terminology of Guide 73. The key stages in the process are represented as risk assessment and risk treatment. Figure 3 also indicates that the risk management process takes place within the risk management context of the organisation.
Figure 2: Framework for managing risk (based on ISO 31000)

Mandate and commitment
Design of framework
- Organisation and its context
- Risk management policy
- Embedding risk management
Implement risk management
- Implement framework
- Implement RM process
Monitor and review framework
Improve framework

Risk assessment

Risk identification establishes the exposure of the organisation to risk and uncertainty. This requires an intimate knowledge of the organisation, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as an understanding of strategic and operational objectives. This will include knowledge of the factors critical to success and the threats and opportunities related to the achievement of objectives. It should be approached in a methodical way to ensure that all value-adding activities within the organisation have been evaluated and all the risks flowing from these activities defined.

The result of the risk analysis can be used to produce a risk profile that gives a rating of significance to each risk and provides a tool for prioritising risk treatment efforts. This ranks the relative importance of each identified risk. This process allows the risks to be mapped to the business area affected, describes the primary control mechanisms in place and indicates where the level of investment in controls might be increased, decreased or reapportioned.

The risk analysis activity assists the effective and efficient operation of the organisation by identifying those risks that require attention by management. This will facilitate the ability to prioritise risk control actions in terms of their potential to benefit the organisation. The range of available risk response treatments includes tolerate, treat, transfer and terminate. An organisation may decide that there is also a need to improve the control environment.

Risk treatment

Risk treatment is presented in ISO 31000 as the activity of selecting and implementing appropriate control measures to modify the risk. Risk treatment includes, as its major element, risk control (or mitigation), but extends further to, for example, risk avoidance, risk transfer and risk financing. Any system of risk treatment should provide efficient and effective internal controls. Effectiveness of internal control is the degree to which the risk will either be eliminated or reduced by the proposed control measures. The cost-effectiveness of internal control relates to the cost of implementing the control compared to the risk reduction benefits achieved.

Compliance with laws and regulations is not an option. An organisation must understand the applicable laws and must implement a system of controls that achieves compliance. One method of obtaining financial protection against the impact of risks is through risk financing, including insurance. However, it should be recognised that some losses or elements of a loss may be uninsurable, such as uninsured costs and damage to employee morale and the reputation of the organisation.
Figure 3: Risk management process (based on ISO 31000)

Establish context
Risk assessment
- Risk identification
- Risk analysis
- Risk evaluation
Risk treatment
Communication and consultation, and Monitoring and review, run alongside every step.

Feedback mechanisms

ISO 31000 recognises the importance of feedback by way of two mechanisms. These are monitoring and review of performance and communication and consultation. Monitoring and review ensures that the organisation monitors risk performance and learns from experience. Communication and consultation is presented in ISO 31000 as part of the risk management process, but it may also be considered to be part of the supporting framework.

Reporting and disclosure are only very briefly mentioned in ISO 31000 and they are not included in the process shown in Figure 3. Also, the monitoring and review feedback activities set out in ISO 31000 do not explicitly mention the tasks of monitoring risk performance and reviewing the risk management framework.
Part 2: Enterprise risk management

Part 2 provides an overview of the steps involved in the implementation of an enterprise risk management (ERM) initiative. The terminology used in this part is based on the 7Rs and 4Ts of (hazard) risk management. A brief description of the steps involved in the implementation of an ERM initiative is provided in Appendix B.

5: Planning and designing

There are a number of factors that should be considered when designing and planning an ERM initiative. Details of the risk architecture, strategy and protocols should be recorded in a risk management policy for the organisation. Table 2 provides information on the contents of a typical risk management policy.

Board mandate and commitment

Many organisations issue an updated version of their risk management policy each year. This ensures that the overall risk management approach is in line with current best practice. It also gives the organisation the opportunity to focus on the intended benefits for the coming year, identify the risk priorities and ensure that appropriate attention is paid to emerging risks. The policy should also describe the risk architecture of the organisation. Figure 4 illustrates a typical risk architecture of a large listed company.

Mandate and commitment from the Board is critically important and it needs to be continuous and high-profile. Unless this mandate and commitment are forthcoming, the risk management initiative will be unsuccessful. Keeping the risk management policy up to date demonstrates that risk management is a dynamic activity fully supported by the Board.

Table 2: Contents of risk management policy

A risk management policy should include the following sections:
- Risk management and internal control objectives (governance)
- Statement of the attitude of the organisation to risk (risk strategy)
- Description of the risk aware culture or control environment
- Level and nature of risk that is acceptable (risk appetite)
- Risk management organisation and arrangements (risk architecture)
- Details of procedures for risk recognition and ranking (risk assessment)
- List of documentation for analysing and reporting risk (risk protocols)
- Risk mitigation requirements and control mechanisms (risk response)
- Allocation of risk management roles and responsibilities
- Risk management training topics and priorities
- Criteria for monitoring and benchmarking of risks
- Allocation of appropriate resources to risk management
- Risk activities and risk priorities for the coming year
Scope of the initiative

In order to be successful, the ERM initiative needs to be comprehensive. However, introducing enhanced standards of risk management is a progressive process that cannot be achieved instantaneously. Therefore, it is necessary for an organisation to decide the scope of the ERM initiative, as it develops. The scope of the initiative will be defined by the range of benefits the organisation is seeking to achieve and this will be influenced by the expectations of the various stakeholders in the organisation.

Figure 4: Risk architecture of a large PLC

(Arrow labels in the figure: ‘Direct and monitor’ and ‘Reports for evaluation’.)

The Board
- Overall responsibility for risk management
- Ensure risk management is embedded into all processes and activities
- Review group risk profile

Audit Committee
- Receive routine reports from GRMC
- Set annual audit programme and priorities
- Monitor progress with audit recommendations
- Provide risk assurance to the Board
- Oversee RM structures and processes

Disclosures Committee
- Review and evaluate disclosure controls and procedures
- Consider materiality of information disclosed to external parties

Group Risk Management Committee (GRMC)
- Formulate strategy and policy based on risk appetite, risk attitudes and risk exposures
- Receive reports from business units, review risk management activities and compile the group risk register
- Receive reports from business units and make reports and recommendations to the Board
- Track RM activity in the business units and keep the risk management context under review

Business units
- Produce specific policy statements, as necessary
- Prepare and update the business unit risk register
- Set risk priorities for business unit
- Monitor projects and risk improvements
- Prepare reports for GRMC
- Manage control risk self-certification activities
Table 3: Risk management responsibilities

1. RM responsibilities for the CEO / Board:
- Determine strategic approach to risk and set risk appetite
- Establish the structure for risk management
- Understand the most significant risks
- Manage the organisation in a crisis

2. RM responsibilities for the business unit manager:
- Build risk aware culture within the unit
- Agree risk management performance targets
- Ensure implementation of risk improvement recommendations
- Identify and report changed circumstances / risks

3. RM responsibilities for individual employees:
- Understand, accept and implement RM processes
- Report inefficient, unnecessary or unworkable controls
- Report loss events and near miss incidents
- Co-operate with management on incident investigations

4. RM responsibilities for the risk manager:
- Develop the risk management policy and keep it up to date
- Document the internal risk policies and structures
- Co-ordinate the risk management (and internal control) activities
- Compile risk information and prepare reports for the Board

5. RM responsibilities for specialist risk management functions:
- Assist the company in establishing specialist risk policies
- Develop specialist contingency and recovery plans
- Keep up to date with developments in the specialist area
- Support investigations of incidents and near misses

6. RM responsibilities for internal audit manager:
- Develop a risk-based internal audit programme
- Audit the risk processes across the organisation
- Receive and provide assurance on the management of risk
- Report on the efficiency and effectiveness of internal controls

Risk management framework

Depending on the nature of the organisation, the risk management function may range from a part-time risk manager, to a single risk champion, to a full-scale risk management department. The role of the internal audit function will also differ from one organisation to another. In determining the most appropriate role for internal audit, the organisation needs to ensure that the independence and objectivity of internal audit are not compromised.

The range of risk management responsibilities that need to be allocated in the policy will be broad and extensive. Table 3 sets out examples of the risk management responsibilities that may be allocated in a typical large organisation. The Board has responsibility for determining the strategic direction of the organisation and creating the context for risk management. There need to be arrangements in place to achieve continuous improvement in performance and this responsibility is likely to be allocated to the risk manager.
6: Implementing and benchmarking

Risk assessment is a fundamentally important part of the risk management process. In order to achieve a comprehensive risk management approach, an organisation needs to undertake suitable and sufficient risk assessments. A range of the most common risk assessment techniques is set out in Table 4.

Establish risk assessment procedures

Risk assessment will be required as part of the decision-making processes intended to exploit business opportunities. One way of ensuring that risk is part of business decision-making is to ensure that a risk assessment is attached to all strategy papers presented to the Board. Likewise, risk assessment of all proposed projects should be undertaken and further risk assessments should be undertaken throughout the project. Finally, risk assessments are also required in relation to routine operations.

Other considerations relevant to undertaking risk assessments include decisions on how the risk assessments will be recorded. It is at this stage that an organisation will decide the level of detail that will be recorded about each risk in the risk description. Another important part of the risk assessment procedures will be the identification of the risk classification system to be used by the organisation.

Undertake risk assessments

An organisation should develop benchmarks to determine the significance (or materiality) of the identified risks. The nature of these benchmark tests will depend on the type of risk. For financial risks, a sum of money can be used as the benchmark test of significance. For risks that can cause disruption to operations, the length of disruption may be a suitable test. Reputational risks can be benchmarked in terms of the profile that the report of the event would receive, the likely impact of the event on share price, or the impact on the political and financial support received from key stakeholders.

Table 4: Risk assessment techniques

- Questionnaires and checklists: Use of structured questionnaires and checklists to collect information to assist with the recognition of the significant risks
- Workshops and brainstorming: Collection and sharing of ideas and discussion of the events that could impact the objectives, stakeholder expectations or key dependencies
- Inspections and audits: Physical inspections of premises and activities and audits of compliance with established systems and procedures
- Flowcharts and dependency analysis: Analysis of processes and operations within the organisation to identify critical components that are key to success
- HAZOP and FMEA approaches: Hazard and Operability studies and Failure Modes Effects Analysis are quantitative technical failure analysis techniques
- SWOT and PESTLE analyses: Strengths Weaknesses Opportunities Threats (SWOT) and Political Economic Social Technological Legal Environmental (PESTLE) analyses offer structured approaches to risk recognition
Figure 5: Drivers of risk management [figure: the four FIRM Risk Scorecard headings, Financial risks, Infrastructure risks, Reputational risks and Marketplace risks, each with examples of internal and external key risk drivers]

Having identified suitable risk assessment procedures and decided the benchmark test of significance for different classes of risks, it will then be possible to identify the appetite or attitude to that type of risk, together with the capacity of the organisation to withstand that risk. Finally, the organisation can determine the overall exposure to the particular type of risk under consideration.

Internal and external factors can give rise to risks. Figure 5 is based on the FIRM Risk Scorecard risk classification system and it provides examples of internal and external key risk drivers. Some risk classification systems have strategic risk as a separate category. However, the FIRM Risk Scorecard approach suggests that strategic (as well as tactical and operational) risks should be identified under all four headings.
Risk appetite and tolerances

It is important that the Board sets rules for risk-taking in respect of all types of risk, and some organisations have produced a risk appetite statement that is applicable to all classes of risk. It is fairly easy for an organisation to confirm that it has no appetite for causing injury and ill health. In practice, however, this may need to be developed into a set of targets for health and safety performance. There is a danger that risk appetite statements fail to be dynamic, and they can constrain behaviour and rapid response.

At Board level, risk appetite is a driver of strategic risk decisions. At executive level, risk appetite translates into a set of procedures to ensure that risk receives adequate attention when making tactical decisions. At operational level, risk appetite dictates operational constraints for routine activities. Despite its importance, it is surprising that the concept of risk appetite is not mentioned in ISO 31000, although it is included in most other risk management standards and stock exchange listing requirements.

7. Measuring and monitoring

It is frequently the case that risk assessments are recorded in a risk register. There is no standard format for a risk register and the organisation should establish a suitable format for this important document. The risk register should not become a static record of the significant risks faced by the organisation. It should be viewed as a risk action plan that includes details of the current controls and details of any further actions that are planned. These further actions should be written as auditable actions that must be completed within a defined timescale by identified individuals. This will enable the internal audit function to monitor the existing controls and monitor the implementation of any necessary additional controls. The resources required to implement the risk management policy should be clearly established at each level of management and within each business unit. Risk management should be embedded within the strategic planning and budget processes.

As well as monitoring the effectiveness of the existing controls and the implementation of additional controls, the cost-effectiveness of the existing controls should also be monitored. Additionally, monitoring and measuring includes evaluation of the risk aware culture and the risk management framework, and assessment of the extent to which risk management tasks are aligned with other corporate activities.

Evaluate existing controls

Monitoring and measuring extends to the evaluation of culture, performance and preparedness of the organisation. The scope of activities covered by monitoring and measuring also includes monitoring of risk improvement recommendations and evaluation of the embedding of risk management activities in the organisation, as well as routine monitoring of risk performance indicators.

Monitoring the preparedness of the organisation to cope with major disruption is an important part of risk management. This activity normally extends to the development and testing of business continuity plans and disaster recovery plans. There is an overriding need to keep these plans up to date so that the preparedness of the organisation to cope with the identified risk events is assured.

Evaluation of the existing controls will lead to the identification of risk improvement recommendations. These recommendations should be recorded in the risk register by way of a risk action plan. An important part of evaluating the effectiveness of existing controls is to ensure that there is adequate evaluation of the business continuity planning and disaster recovery planning arrangements in place.

Embed risk aware culture

Changes in the organisation and the environment in which it operates must be identified and appropriate modifications made to protocols. Monitoring activities should provide assurance that there are appropriate controls in place and that the procedures are understood and followed. Changes within the organisation and the external business environment must be identified, so that existing procedures can be modified.
Any monitoring and measuring process should also determine whether:

- the measures adopted achieved the intended result
- the procedures adopted were efficient
- sufficient information was available for the risk assessments
- improved knowledge would have helped to reach better decisions
- lessons can be learned for future assessments and controls

Embedding risk management involves an environment that can demonstrate leadership from senior management, involvement of staff at all levels, a culture of learning from experience, appropriate accountability for actions (without developing an automatic blame culture) and good communication on risk issues.

8. Learning and reporting

Completing the feedback loop on the risk management process involves the important steps of learning from experience and reporting on performance. In order to learn from experience, an organisation needs to review risk performance indicators and measure the contribution that enterprise risk management has made to the success of the organisation.

The reasons for undertaking the risk management initiative should have been clearly established. If this has not been done, the organisation will be unable to evaluate whether the contribution was in line with expectations. Monitoring of risk performance indicators should include an evaluation of the contribution being made by risk management, as well as an evaluation of the appropriateness of the control mechanisms that have been selected.

Monitor risk performance

Learning the lessons from risk management also requires investigation of the opinions of key stakeholders both internally and externally. In particular, the opinion of internal audit and evaluation of risk management activities at audit committee will be vitally important. Learning from experience requires more than evaluation of the risk performance indicators.

An annual review of the risk management framework will be necessary, including evaluation of the risk architecture, strategy and protocols. It is important that the organisation has a risk-based audit plan and undertakes appropriate risk reviews. Other features of learning from experience include evaluation of audit reports and an assessment of the sources of risk assurance available to the Board and the audit committee. An evaluation of the level of assurance that has been obtained is also necessary. Often, a major source of risk assurance for the Board will be self-certification, such as a Control Risk Self Assessment process that provides assurance regarding risk management, risk reporting and disclosure, as well as information about learning from incidents.

Report risk performance

In addition to internal communication and reporting, there will be an obligation on organisations to report externally. Increasingly, these external reports are produced in response to mandatory requirements related to risk management and internal control, such as Turnbull and Sarbanes-Oxley. External risk reporting is designed to provide external stakeholders with assurance that risks have been adequately managed.

External reporting should provide useful information to stakeholders on the status of risk management and the actions that are being taken to ensure continuous improvement in performance. A company needs to report to its stakeholders on a regular basis, setting out its risk management policies and the effectiveness in achieving its objectives. Increasingly, stakeholders look to organisations to provide evidence of appropriate corporate behaviour in such areas as community affairs, human rights, employment practices, health and safety, and the environment.

Risk reporting provides information on historical losses and trends. However, risk disclosure is a more forward-looking activity that anticipates emerging risks. There is a clear difference between measuring and monitoring risk performance and undertaking steps to learn from experience to improve the risk management process and framework. Important lessons can be learned that will assist with improving the design of the support framework and the implementation framework.
Appendix A: Risk management checklist

Risk architecture

- Statement produced that sets out risk responsibilities and lists the risk-based matters reserved for the Board
- Risk management responsibilities allocated to an appropriate management committee
- Arrangements are in place to ensure the availability of appropriate competent advice on risks and controls
- Risk aware culture exists within the organisation and actions are in hand to enhance the level of risk maturity
- Sources of risk assurance for the Board have been identified and validated

Risk strategy

- Risk management policy produced that describes risk appetite, risk culture and philosophy
- Key dependencies for success identified, together with the matters that should be avoided
- Business objectives validated and the assumptions underpinning those objectives tested
- Significant risks faced by the organisation identified, together with the critical controls required
- Risk management action plan established that includes the use of key risk indicators, as appropriate
- Necessary resources identified and provided to support the risk management activities

Risk protocols

- Appropriate risk management framework identified and adopted, with modifications as appropriate
- Suitable and sufficient risk assessments completed and the results recorded in an appropriate manner
- Procedures to include risk as part of business decision-making established and implemented
- Details of required risk responses recorded, together with arrangements to track risk improvement recommendations
- Incident reporting procedures established to facilitate identification of risk trends, together with risk escalation procedures
- Business continuity plans and disaster recovery plans established and regularly tested
- Arrangements in place to audit the efficiency and effectiveness of the controls in place for significant risks
- Arrangements in place for mandatory reporting on risk, including reports on at least the following:
  - Risk appetite, tolerance and constraints
  - Risk architecture and risk escalation procedures
  - Risk aware culture currently in place
  - Risk assessment arrangements and protocols
  - Significant risks and key risk indicators
  - Critical controls and control weaknesses
  - Sources of assurance available to the Board
Appendix B: Implementation summary

The table below provides an overview of the steps involved in the implementation of an enterprise risk management (ERM) initiative. Successful implementation of an ERM initiative is an ongoing process that involves working through the 10 steps set out below on a continuous basis. The 10 steps are divided between:

- Planning and designing
- Implementing and benchmarking
- Measuring and monitoring
- Learning and reporting

Each activity is listed with the concepts, tools and techniques that support it.

Planning and designing (see Section 5)

1. Identify intended benefits of the enterprise risk management initiative and gain Board mandate
   Concepts / tools and techniques: Benefits of ERM; Embedding risk management
2. Plan the scope of the ERM initiative and develop common language of risk
   Concepts / tools and techniques: Upside of risk; Stakeholder expectations
3. Establish the risk management strategy, framework, and the roles and responsibilities
   Concepts / tools and techniques: Risk management policy; Risk architecture

Implementing and benchmarking (see Section 6)

4. Adopt suitable risk assessment procedures and an agreed risk classification system
   Concepts / tools and techniques: Risk description; Risk classification systems
5. Establish risk significance benchmarks and undertake risk assessments
   Concepts / tools and techniques: Risk assessment techniques; Benchmark tests of significance
6. Determine risk appetite and risk tolerance levels, and evaluate the existing controls
   Concepts / tools and techniques: Risk register; Risk appetite

Measuring and monitoring (see Section 7)

7. Ensure cost-effectiveness of existing controls and introduce improvements
   Concepts / tools and techniques: Risk improvement plans; BCP and DRP
8. Embed risk aware culture and align risk management with other management tasks
   Concepts / tools and techniques: Control environment; Risk communications

Learning and reporting (see Section 8)

9. Monitor and review risk performance indicators to measure ERM contribution
   Concepts / tools and techniques: Audit plan and risk reviews; Sources of risk assurance
10. Report risk performance in line with legal and other obligations, and monitor improvement
   Concepts / tools and techniques: Risk reporting; Legal requirements
