Risk management standard 030820


This Risk Management Standard is the
result of work by a team drawn from the
major risk management organisations in
the UK - The Institute of Risk
Management (IRM),The Association of
Insurance and Risk Managers (AIRMIC)
and ALARM The National Forum for
Risk Management in the Public Sector.
In addition, the team sought the views and
opinions of a wide range of other
professional bodies with interests in risk
management, during an extensive period
of consultation.

A Risk Management Standard

Published by AIRMIC, ALARM, IRM: 2002
Introduction

This Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK - The Institute of Risk Management (IRM), The Association of Insurance and Risk Managers (AIRMIC) and ALARM The National Forum for Risk Management in the Public Sector. In addition, the team sought the views and opinions of a wide range of other professional bodies with interests in risk management, during an extensive period of consultation.

Risk management is a rapidly developing discipline and there are many and varied views and descriptions of what risk management involves, how it should be conducted and what it is for. Some form of standard is needed to ensure that there is an agreed:
• terminology related to the words used
• process by which risk management can be carried out
• organisation structure for risk management
• objective for risk management

Importantly, the standard recognises that risk has both an upside and a downside.

Risk management is not just something for corporations or public organisations, but for any activity whether short or long term. The benefits and opportunities should be viewed not just in the context of the activity itself but in relation to the many and varied stakeholders who can be affected.

There are many ways of achieving the objectives of risk management and it would be impossible to try to set them all out in a single document. Therefore it was never intended to produce a prescriptive standard which would have led to a box ticking approach nor to establish a certifiable process. By meeting the various component parts of this standard, albeit in different ways, organisations will be in a position to report that they are in compliance. The standard represents best practice against which organisations can measure themselves.

The standard has wherever possible used the terminology for risk set out by the International Organization for Standardization (ISO) in its recent document ISO/IEC Guide 73 Risk Management - Vocabulary - Guidelines for use in standards.

In view of the rapid developments in this area the authors would appreciate feedback from organisations as they put the standard into use (addresses to be found on the back cover of this Guide). It is intended that regular modifications will be made to the standard in the light of best practice.

A Risk Management Standard © AIRMIC, ALARM, IRM: 2002
1. Risk

Risk can be defined as the combination of the probability of an event and its consequences (ISO/IEC Guide 73).

In all types of undertaking, there is the potential for events and consequences that constitute opportunities for benefit (upside) or threats to success (downside).

Risk Management is increasingly recognised as being concerned with both positive and negative aspects of risk. Therefore this standard considers risk from both perspectives.

In the safety field, it is generally recognised that consequences are only negative and therefore the management of safety risk is focused on prevention and mitigation of harm.

2. Risk Management

Risk management is a central part of any organisation's strategic management. It is the process whereby organisations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.

The focus of good risk management is the identification and treatment of these risks. Its objective is to add maximum sustainable value to all the activities of the organisation. It marshals the understanding of the potential upside and downside of all those factors which can affect the organisation. It increases the probability of success, and reduces both the probability of failure and the uncertainty of achieving the organisation's overall objectives.

Risk management should be a continuous and developing process which runs throughout the organisation's strategy and the implementation of that strategy. It should address methodically all the risks surrounding the organisation's activities past, present and in particular, future.

It must be integrated into the culture of the organisation with an effective policy and a programme led by the most senior management. It must translate the strategy into tactical and operational objectives, assigning responsibility throughout the organisation with each manager and employee responsible for the management of risk as part of their job description. It supports accountability, performance measurement and reward, thus promoting operational efficiency at all levels.

2.1 External and Internal Factors

The risks facing an organisation and its operations can result from factors both external and internal to the organisation. The diagram overleaf summarises examples of key risks in these areas and shows that some specific risks can have both external and internal drivers and therefore overlap the two areas. They can be categorised further into types of risk such as strategic, financial, operational, hazard, etc.
2.1 Examples of the Drivers of Key Risks (diagram; not reproduced in this extract)
2.2 The Risk Management Process

Risk management protects and adds value to the organisation and its stakeholders through supporting the organisation's objectives by:
• providing a framework for an organisation that enables future activity to take place in a consistent and controlled manner
• improving decision making, planning and prioritisation by comprehensive and structured understanding of business activity, volatility and project opportunity/threat
• contributing to more efficient use/allocation of capital and resources within the organisation
• reducing volatility in the non essential areas of the business
• protecting and enhancing assets and company image
• developing and supporting people and the organisation's knowledge base
• optimising operational efficiency

Process diagram (labels recovered from the figure, in flow order): The Organisation's Strategic Objectives → Risk Assessment [Risk Analysis: Risk Identification, Risk Description, Risk Estimation; Risk Evaluation] → Risk Reporting (Threats and Opportunities) → Decision → Risk Treatment → Residual Risk Reporting → Monitoring, with feedback loops labelled Modification and Formal Audit.
3. Risk Assessment

Risk Assessment is defined by the ISO/IEC Guide 73 as the overall process of risk analysis and risk evaluation. (See appendix)

4. Risk Analysis

4.1 Risk Identification

Risk identification sets out to identify an organisation's exposure to uncertainty. This requires an intimate knowledge of the organisation, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to its success and the threats and opportunities related to the achievement of these objectives.

Risk identification should be approached in a methodical way to ensure that all significant activities within the organisation have been identified and all the risks flowing from these activities defined. All associated volatility related to these activities should be identified and categorised.

Business activities and decisions can be classified in a range of ways, examples of which include:
• Strategic - These concern the long-term strategic objectives of the organisation. They can be affected by such areas as capital availability, sovereign and political risks, legal and regulatory changes, reputation and changes in the physical environment.
• Operational - These concern the day-to-day issues that the organisation is confronted with as it strives to deliver its strategic objectives.
• Financial - These concern the effective management and control of the finances of the organisation and the effects of external factors such as availability of credit, foreign exchange rates, interest rate movement and other market exposures.
• Knowledge management - These concern the effective management and control of the knowledge resources, the production, protection and communication thereof. External factors might include the unauthorised use or abuse of intellectual property, area power failures, and competitive technology. Internal factors might be system malfunction or loss of key staff.
• Compliance - These concern such issues as health & safety, environmental, trade descriptions, consumer protection, data protection, employment practices and regulatory issues.

Whilst risk identification can be carried out by outside consultants, an in-house approach with well communicated, consistent and co-ordinated processes and tools (see Appendix, page 14) is likely to be more effective. In-house 'ownership' of the risk management process is essential.

4.2 Risk Description

The objective of risk description is to display the identified risks in a structured format, for example, by using a table. The risk description table overleaf can be used to facilitate the description and assessment of risks. The use of a well designed structure is necessary to ensure a comprehensive risk identification, description and assessment process. By considering the consequence and probability of each of the risks set out in the table, it should be possible to prioritise the key risks that need to be analysed in more detail. Identification of the risks associated with business activities and decision making may be categorised as strategic, project/tactical, operational. It is important to incorporate risk management at the conceptual stage of projects as well as throughout the life of a specific project.

4.2.1 Table - Risk Description

1. Name of Risk
2. Scope of Risk: Qualitative description of the events, their size, type, number and dependencies
3. Nature of Risk: Eg. strategic, operational, financial, knowledge or compliance
4. Stakeholders: Stakeholders and their expectations
5. Quantification of Risk: Significance and Probability
6. Risk Tolerance/Appetite: Loss potential and financial impact of risk; Value at risk; Probability and size of potential losses/gains; Objective(s) for control of the risk and desired level of performance
7. Risk Treatment & Control Mechanisms: Primary means by which the risk is currently managed; Levels of confidence in existing control; Identification of protocols for monitoring and review
8. Potential Action for Improvement: Recommendations to reduce risk
9. Strategy and Policy Developments: Identification of function responsible for developing strategy and policy

4.3 Risk Estimation

Risk estimation can be quantitative, semi-quantitative or qualitative in terms of the probability of occurrence and the possible consequence.

For example, consequences both in terms of threats (downside risks) and opportunities (upside risks) may be high, medium or low (see table 4.3.1). Probability may be high, medium or low but requires different definitions in respect of threats and opportunities (see tables 4.3.2 and 4.3.3). Examples are given in the tables overleaf.

Different organisations will find that different measures of consequence and probability will suit their needs best. For example many organisations find that assessing consequence and probability as high, medium or low is quite adequate for their needs and can be presented as a 3 x 3 matrix. Other organisations find that assessing consequence and probability using a 5 x 5 matrix gives them a better evaluation.
Table 4.3.1 Consequences - Both Threats and Opportunities

High | Financial impact on the organisation is likely to exceed £x | Significant impact on the organisation's strategy or operational activities | Significant stakeholder concern
Medium | Financial impact on the organisation likely to be between £x and £y | Moderate impact on the organisation's strategy or operational activities | Moderate stakeholder concern
Low | Financial impact on the organisation likely to be less than £y | Low impact on the organisation's strategy or operational activities | Low stakeholder concern

Table 4.3.2 Probability of Occurrence - Threats

Estimation | Description | Indicators
High (Probable) | Likely to occur each year or more than 25% chance of occurrence. | Potential of it occurring several times within the time period (for example - ten years). Has occurred recently.
Medium (Possible) | Likely to occur in a ten year time period or less than 25% chance of occurrence. | Could occur more than once within the time period (for example - ten years). Could be difficult to control due to some external influences. Is there a history of occurrence?
Low (Remote) | Not likely to occur in a ten year period or less than 2% chance of occurrence. | Has not occurred. Unlikely to occur.

Table 4.3.3 Probability of Occurrence - Opportunities

Estimation | Description | Indicators
High (Probable) | Favourable outcome is likely to be achieved in one year or better than 75% chance of occurrence. | Clear opportunity which can be relied on with reasonable certainty, to be achieved in the short term based on current management processes.
Medium (Possible) | Reasonable prospects of favourable results in one year or 25% to 75% chance of occurrence. | Opportunities which may be achievable but which require careful management. Opportunities which may arise over and above the plan.
Low (Remote) | Some chance of favourable outcome in the medium term or less than 25% chance of occurrence. | Possible opportunity which has yet to be fully investigated by management. Opportunity for which the likelihood of success is low on the basis of management resources currently being applied.

4.4 Risk Analysis methods and techniques

A range of techniques can be used to analyse risks. These can be specific to upside or downside risk or be capable of dealing with both. (See Appendix, page 14, for examples).

4.5 Risk Profile

The result of the risk analysis process can be used to produce a risk profile which gives a significance rating to each risk and provides a tool for prioritising risk treatment efforts. This ranks each identified risk so as to give a view of the relative importance.

This process allows the risk to be mapped to the business area affected, describes the primary control procedures in place and indicates areas where the level of risk control investment might be increased, decreased or reapportioned.

Accountability helps to ensure that 'ownership' of the risk is recognised and the appropriate management resource allocated.

5. Risk Evaluation

When the risk analysis process has been completed, it is necessary to compare the estimated risks against risk criteria which the organisation has established. The risk criteria may include associated costs and benefits, legal requirements, socio-economic and environmental factors, concerns of stakeholders, etc. Risk evaluation therefore, is used to make decisions about the significance of risks to the organisation and whether each specific risk should be accepted or treated.
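The following is an added worked example, not part of the standard, showing how the 3 x 3 estimation in tables 4.3.1 to 4.3.3 becomes a ranked risk profile (4.5) and an accept/treat decision (5). It assumes illustrative values for the standard's unstated £x and £y thresholds (note that High is above £x and Low below £y, so £x is the larger figure), treats the band edges as half-open intervals because the tables leave the exact boundaries unspecified (a 25% threat is neither "more than 25%" nor, strictly, distinct from the Medium band), and uses a simple probability-times-consequence significance score and a treat-at-4 criterion that are this example's own, not the standard's. The sample risk register is constructed.

```python
"""Worked 3 x 3 risk estimation and risk profile following the bands in
tables 4.3.1 - 4.3.3 of the AIRMIC/ALARM/IRM standard (added example).

Assumptions not in the standard: THRESHOLD_X / THRESHOLD_Y are illustrative;
band edges are treated as half-open intervals; the 1..9 significance score and
the treat/accept criterion are an example risk criterion only."""

from dataclasses import dataclass

# Table 4.3.1: High exceeds £x, Medium is between £x and £y, Low is below £y,
# so x is the larger threshold. Illustrative values in pounds.
THRESHOLD_X = 1_000_000  # High consequence above this
THRESHOLD_Y = 100_000    # Low consequence below this

SCORE = {"High": 3, "Medium": 2, "Low": 1}


def consequence_band(financial_impact: float) -> str:
    """Table 4.3.1: consequence band from financial impact (threat or opportunity)."""
    if financial_impact > THRESHOLD_X:
        return "High"
    if financial_impact >= THRESHOLD_Y:
        return "Medium"
    return "Low"


def threat_probability_band(p: float) -> str:
    """Table 4.3.2: High > 25%, Medium 2% to 25%, Low < 2% (assumed half-open edges)."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if p > 0.25:
        return "High"
    if p >= 0.02:
        return "Medium"
    return "Low"


def opportunity_probability_band(p: float) -> str:
    """Table 4.3.3: High > 75%, Medium 25% to 75%, Low < 25% (assumed half-open edges)."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if p > 0.75:
        return "High"
    if p >= 0.25:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Risk:
    name: str
    kind: str                # "threat" or "opportunity"
    business_area: str       # mapping to the business area affected (4.5)
    probability: float       # estimated chance of occurrence, 0..1
    financial_impact: float  # pounds

    def estimate(self) -> tuple[str, str, int]:
        """Return (probability band, consequence band, significance 1..9)."""
        if self.kind == "threat":
            prob = threat_probability_band(self.probability)
        elif self.kind == "opportunity":
            prob = opportunity_probability_band(self.probability)
        else:
            raise ValueError(f"unknown risk kind: {self.kind}")
        cons = consequence_band(self.financial_impact)
        return prob, cons, SCORE[prob] * SCORE[cons]


def risk_profile(risks, treat_at_or_above: int = 4):
    """Sections 4.5 and 5: rank risks by significance and apply a simple risk
    criterion (treat if significance >= threshold, otherwise accept)."""
    rows = []
    for r in risks:
        prob, cons, sig = r.estimate()
        rows.append({
            "name": r.name, "area": r.business_area, "kind": r.kind,
            "probability": prob, "consequence": cons, "significance": sig,
            "decision": "treat" if sig >= treat_at_or_above else "accept",
        })
    return sorted(rows, key=lambda row: row["significance"], reverse=True)


# Constructed sample register (illustrative only).
SAMPLE_RISKS = [
    Risk("Ransomware outage", "threat", "Operations", 0.30, 2_500_000),
    Risk("Key supplier failure", "threat", "Procurement", 0.10, 400_000),
    Risk("Minor data entry errors", "threat", "Finance", 0.90, 20_000),
    Risk("Regulatory fine", "threat", "Compliance", 0.015, 5_000_000),
    Risk("New export market", "opportunity", "Sales", 0.40, 1_500_000),
]

if __name__ == "__main__":
    for row in risk_profile(SAMPLE_RISKS):
        print(f"{row['significance']}  {row['probability']:<6} {row['consequence']:<6} "
              f"{row['decision']:<6} {row['name']} ({row['area']})")
```

Running the block ranks the ransomware outage first (High/High, 9) and leaves the regulatory fine at 3 (Low probability, High consequence) alongside the trivial data entry errors, which is the practical caveat of a product score: a remote but severe event scores the same as a frequent trivial one, so the risk criteria of section 5 should treat the consequence band as a separate test rather than relying on the single number.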
6. Risk Reporting and Communication

6.1 Internal Reporting

Different levels within an organisation need different information from the risk management process.

The Board of Directors should:
• know about the most significant risks facing the organisation
• know the possible effects on shareholder value of deviations to expected performance ranges
• ensure appropriate levels of awareness throughout the organisation
• know how the organisation will manage a crisis
• know the importance of stakeholder confidence in the organisation
• know how to manage communications with the investment community where applicable
• be assured that the risk management process is working effectively
• publish a clear risk management policy covering risk management philosophy and responsibilities

Business Units should:
• be aware of risks which fall into their area of responsibility, the possible impacts these may have on other areas and the consequences other areas may have on them
• have performance indicators which allow them to monitor the key business and financial activities, progress towards objectives and identify developments which require intervention (e.g. forecasts and budgets)
• have systems which communicate variances in budgets and forecasts at appropriate frequency to allow action to be taken
• report systematically and promptly to senior management any perceived new risks or failures of existing control measures

Individuals should:
• understand their accountability for individual risks
• understand how they can enable continuous improvement of risk management response
• understand that risk management and risk awareness are a key part of the organisation's culture
• report systematically and promptly to senior management any perceived new risks or failures of existing control measures

6.2 External Reporting

A company needs to report to its stakeholders on a regular basis setting out its risk management policies and the effectiveness in achieving its objectives.

Increasingly stakeholders look to organisations to provide evidence of effective management of the organisation's non-financial performance in such areas as community affairs, human rights, employment practices, health and safety and the environment.
Good corporate governance requires that companies adopt a methodical approach to risk management which:
• protects the interests of their stakeholders
• ensures that the Board of Directors discharges its duties to direct strategy, build value and monitor performance of the organisation
• ensures that management controls are in place and are performing adequately

The arrangements for the formal reporting of risk management should be clearly stated and be available to the stakeholders.

The formal reporting should address:
• the control methods - particularly management responsibilities for risk management
• the processes used to identify risks and how they are addressed by the risk management systems
• the primary control systems in place to manage significant risks
• the monitoring and review system in place

Any significant deficiencies uncovered by the system, or in the system itself, should be reported together with the steps taken to deal with them.

7. Risk Treatment

Risk treatment is the process of selecting and implementing measures to modify the risk. Risk treatment includes as its major element, risk control/mitigation, but extends further to, for example, risk avoidance, risk transfer, risk financing, etc.

NOTE: In this standard, risk financing refers to the mechanisms (eg insurance programmes) for funding the financial consequences of risk. Risk financing is not generally considered to be the provision of funds to meet the cost of implementing risk treatment (as defined by ISO/IEC Guide 73; see page 17).

Any system of risk treatment should provide as a minimum:
• effective and efficient operation of the organisation
• effective internal controls
• compliance with laws and regulations.

The risk analysis process assists the effective and efficient operation of the organisation by identifying those risks which require attention by management. They will need to prioritise risk control actions in terms of their potential to benefit the organisation.

Effectiveness of internal control is the degree to which the risk will either be eliminated or reduced by the proposed control measures. Cost effectiveness of internal control relates to the cost of implementing the control compared to the risk reduction benefits expected.

The proposed controls need to be measured in terms of potential economic effect if no action is taken versus the cost of the proposed action(s) and invariably require more detailed information and assumptions than are immediately available.

Firstly, the cost of implementation has to be established. This has to be calculated with some accuracy since it quickly becomes the baseline against which cost effectiveness is measured. The loss to be expected if no action is taken must also be estimated and by comparing the results, management can decide whether or not to implement the risk control measures.

Compliance with laws and regulations is not an option. An organisation must understand the applicable laws and must implement a system of controls to achieve compliance. There is only occasionally some flexibility where the cost of reducing a risk may be totally disproportionate to that risk.

One method of obtaining financial protection against the impact of risks is through risk financing which includes insurance. However, it should be recognised that some losses or elements of a loss will be uninsurable eg the uninsured costs associated with work-related health, safety or environmental incidents, which may include damage to employee morale and the organisation's reputation.

8. Monitoring and Review of the Risk Management Process

Effective risk management requires a reporting and review structure to ensure that risks are effectively identified and assessed and that appropriate controls and responses are in place. Regular audits of policy and standards compliance should be carried out and standards performance reviewed to identify opportunities for improvement. It should be remembered that organisations are dynamic and operate in dynamic environments. Changes in the organisation and the environment in which it operates must be identified and appropriate modifications made to systems.

The monitoring process should provide assurance that there are appropriate controls in place for the organisation's activities and that the procedures are understood and followed.

Any monitoring and review process should also determine whether:
• the measures adopted resulted in what was intended
• the procedures adopted and information gathered for undertaking the assessment were appropriate
• improved knowledge would have helped to reach better decisions and identify what lessons could be learned for future assessments and management of risks
9. The Structure and Administration of Risk Management

9.1 Risk Management Policy

An organisation's risk management policy should set out its approach to and appetite for risk and its approach to risk management. The policy should also set out responsibilities for risk management throughout the organisation.

Furthermore, it should refer to any legal requirements for policy statements eg. for Health and Safety.

Attaching to the risk management process is an integrated set of tools and techniques for use in the various stages of the business process. To work effectively, the risk management process requires:
• commitment from the chief executive and executive management of the organisation
• assignment of responsibilities within the organisation
• allocation of appropriate resources for training and the development of an enhanced risk awareness by all stakeholders.

9.2 Role of the Board

The Board has responsibility for determining the strategic direction of the organisation and for creating the environment and the structures for risk management to operate effectively.

This may be through an executive group, a non-executive committee, an audit committee or such other function that suits the organisation's way of operating and is capable of acting as a 'sponsor' for risk management.

The Board should, as a minimum, consider, in evaluating its system of internal control:
• the nature and extent of downside risks acceptable for the company to bear within its particular business
• the likelihood of such risks becoming a reality
• how unacceptable risks should be managed
• the company's ability to minimise the probability and impact on the business
• the costs and benefits of the risk and control activity undertaken
• the effectiveness of the risk management process
• the risk implications of board decisions

9.3 Role of the Business Units

This includes the following:
• the business units have primary responsibility for managing risk on a day-to-day basis
• business unit management is responsible for promoting risk awareness within their operations; they should introduce risk management objectives into their business
• risk management should be a regular management-meeting item to allow consideration of exposures and to reprioritise work in the light of effective risk analysis
• business unit management should ensure that risk management is incorporated at the conceptual stage of projects as well as throughout a project

9.4 Role of the Risk Management Function

Depending on the size of the organisation the risk management function may range from a single risk champion, a part time risk manager, to a full scale risk management department. The role of the Risk Management function should include the following:
• setting policy and strategy for risk management
• primary champion of risk management at strategic and operational level
• building a risk aware culture within the organisation including appropriate education
• establishing internal risk policy and structures for business units
• designing and reviewing processes for risk management
• co-ordinating the various functional activities which advise on risk management issues within the organisation
• developing risk response processes, including contingency and business continuity programmes
• preparing reports on risk for the board and the stakeholders

9.5 Role of Internal Audit

The role of Internal Audit is likely to differ from one organisation to another. In practice, Internal Audit's role may include some or all of the following:
• focusing the internal audit work on the significant risks, as identified by management, and auditing the risk management processes across an organisation
• providing assurance on the management of risk
• providing active support and involvement in the risk management process
• facilitating risk identification/assessment and educating line staff in risk management and internal control
• co-ordinating risk reporting to the board, audit committee, etc

In determining the most appropriate role for a particular organisation, Internal Audit should ensure that the professional requirements for independence and objectivity are not breached.

9.6 Resources and Implementation

The resources required to implement the organisation's risk management policy should be clearly established at each level of management and within each business unit.

In addition to other operational functions they may have, those involved in risk management should have their roles in co-ordinating risk management policy/strategy clearly defined. The same clear definition is also required for those involved in the audit and review of internal controls and facilitating the risk management process.

Risk management should be embedded within the organisation through the strategy and budget processes. It should be highlighted in induction and all other training and development as well as within operational processes e.g. product/service development projects.
10. Appendix

Risk Identification Techniques - examples
• Brainstorming
• Questionnaires
• Business studies which look at each business process and describe both the internal processes and external factors which can influence those processes
• Industry benchmarking
• Scenario analysis
• Risk assessment workshops
• Incident investigation
• Auditing and inspection
• HAZOP (Hazard & Operability Studies)

Risk Analysis Methods and Techniques - examples

Upside risk
• Market survey
• Prospecting
• Test marketing
• Research and Development
• Business impact analysis

Both
• Dependency modelling
• SWOT analysis (Strengths, Weaknesses, Opportunities, Threats)
• Event tree analysis
• Business continuity planning
• BPEST (Business, Political, Economic, Social, Technological) analysis
• Real Option Modelling
• Decision taking under conditions of risk and uncertainty
• Statistical inference
• Measures of central tendency and dispersion
• PESTLE (Political Economic Social Technical Legal Environmental)

Downside risk
• Threat analysis
• Fault tree analysis
• FMEA (Failure Mode & Effect Analysis)

On the following pages are extracts from the document PD ISO/IEC Guide 73: 2002 reproduced with the permission of British Standards Institution under licence number 2002SK/0313. British Standards can be obtained from BSI Customer Services, 389 Chiswick High Road, London W4 4AL. (Tel + 44 (0) 20 8996 9001)
The Association of Insurance and Risk Managers
6 Lloyd's Avenue, London EC3N 3AX
Telephone 020 7480 7610
Facsimile 020 7702 3752
Email enquiries@airmic.co.uk
www.airmic.com

ALARM The National Forum for Risk Management in the Public Sector
Queens Drive, Exmouth, Devon, EX8 2AY
Telephone 01395 223399
Facsimile 01395 223304
Email admin@alarm.uk.com
www.alarm-uk.com

The Institute of Risk Management
6 Lloyd's Avenue, London EC3N 3AX
Telephone 020 7709 9808
Facsimile 020 7709 0716
Email enquiries@theIRM.org
www.theirm.org

This publication is available from the above organisations for download from their respective websites free of charge. Please contact the individual associations if you wish to purchase more copies of this Risk Management Standard in printed form.