A recommended approach to Risk Management
Risk Management is defined as “the identification, analysis and control of those risks which can threaten operations, assets and other responsibilities of an organisation” (The Institute of Risk Management).
Here we look at a recommended approach called Enterprise Risk Management (ERM). Rather than simply considering those risks that most businesses face, for example, from extreme weather, ERM also looks at those risks that could prevent the business from getting to its vision of the future.
A good ERM approach will be designed specifically for the business but will usually start with an appropriate Context and design of a Framework to use.
As part of the Context the unique qualities of the business should be considered, such as reliance on a patent or on particular premises. The Context should also consider how the risk management approach is embedded into the business culture and the business’s appetite for risk.
The risk management Framework flows from the Context and is likely to follow the identification, assessment, evaluation and management approach we recommend.
There is a need to maintain a robust monitor-and-review system for the approach. This will help support and improve the risk awareness culture and refine the Framework. While using the Framework the organisation will continuously learn, and the external competitive and legislative environment does not stand still; this means risks need to be reassessed.
The Context is driven by the business’s culture, strategy, corporate objectives and how it gets things done.
The Context, as it applies to the ERM approach, should set the mandate for how the business views and approaches risks. The Context should be highly tailored to the business in a manner that other elements of the process don’t need to be.
The mandate and commitment to the desired approach needs to come from the business’s executive group. This means the risk management approach can be aligned with core business processes and integrated into operations, rather than risk management being perceived as an adjunct.
Board level input on priorities can then feed into the activity to be undertaken within the business with the Context fully understood. Clarity of purpose and approach allows for policies to be set and activity delegated.
The board could then sign off policies on risk management so that everyone is clear on what the business considers to be its appetite for risk, together with guidelines to help people comply. This will help make clear why risk management is important to the organisation.
The Framework can consist of a fairly standardised approach of identifying, assessing, evaluating and managing risk. The identified issues and responses will be the components that are specific to the organisation.
The standard Framework approach follows these four steps:
- Identification. Finding the risks faced by a business can initially seem obvious. However, to undertake a thorough identification there are numerous techniques that can be employed. It is also helpful to understand the different types of risks faced.
- Assessment. Once risks are identified they need to be assessed; both the probability of an event, or scenario, and the likely severity of its impact. This provides a basis to prioritise what needs action.
- Evaluation. Establishing how much risk a business wishes to accept, and applying that as parameters throughout the business, is essential. It will also help define the organisation’s appetite for risk.
- Management of risk. Risk mitigation and treatment activity reduces the likelihood of an event occurring and its impact should it occur.
The material uncovered through following the activity of the Framework then also becomes part of the corporate knowledge and understanding that feeds back into the Context. To ensure effectiveness the Framework also involves monitoring, communicating and reviewing the intended and implemented activity.
Enterprise Risk Management (ERM)
ERM can be defined as “a process effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”.
When an organisation sets out to improve risk management performance the expected results from engaging in the ERM approach should be established in advance. It should also set the scope for what is under review. Benefits from successful risk management should include compliance, assurance and enhanced decision making leading to more efficient operations and validation of business strategy and tactics.
Our approach uses the following steps:
When the Context and Framework are brought together, with the input of changing external factors and the learning and refinement that come from experience of undertaking the activity, a basis for a good ERM approach is established.