Risk Management Standard 030820
2. Risk Management
Risk management is a central part of any organisation’s strategic management. It is the process whereby organisations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.

The focus of good risk management is the identification and treatment of these risks. Its objective is to add maximum sustainable value to all the activities of the organisation. It marshals the understanding of the potential upside and downside of all those factors which can affect the organisation. It increases the probability of success, and reduces both the probability of failure and the uncertainty of achieving the organisation’s overall objectives.

Risk management should be a continuous and developing process which runs throughout the organisation’s strategy and the implementation of that strategy. It should address methodically all the risks surrounding the organisation’s activities past, present and in particular, future.

It must be integrated into the culture of the organisation with an effective policy and a programme led by the most senior management. It must translate the strategy into tactical and operational objectives, assigning responsibility throughout the organisation with each manager and employee responsible for the management of risk as part of their job description. It supports accountability, performance measurement and reward, thus promoting operational efficiency at all levels.

2.1 External and Internal Factors

The risks facing an organisation and its operations can result from factors both external and internal to the organisation.

The diagram overleaf summarises examples of key risks in these areas and shows that some specific risks can have both external and internal drivers and therefore overlap the two areas. They can be categorised further into types of risk such as strategic, financial, operational, hazard, etc.
[Figure 2.1: Examples of the Drivers of Key Risks]

[Figure: The Risk Management Process. Labels: The Organisation’s Strategic Objectives; Risk Assessment; Risk Analysis (Risk Identification, Risk Description, Risk Estimation); Risk Evaluation; Risk Reporting (Threats and Opportunities); Decision; Risk Treatment; Monitoring; Formal Audit; Modification]
Risk management protects and adds value to the organisation and its stakeholders through
supporting the organisation’s objectives by:
4. Risk Analysis
4.1 Risk Identification

Risk identification sets out to identify an organisation’s exposure to uncertainty. This requires an intimate knowledge of the organisation, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to its success and the threats and opportunities related to the achievement of these objectives.

Risk identification should be approached in a methodical way to ensure that all significant activities within the organisation have been identified and all the risks flowing from these activities defined. All associated volatility related to these activities should be identified and categorised.

Business activities and decisions can be classified in a range of ways, examples of which include:

• Strategic - These concern the long-term strategic objectives of the organisation. They can be affected by such areas as capital availability, sovereign and political risks, legal and regulatory changes, reputation and changes in the physical environment.

• Operational - These concern the day-to-day issues that the organisation is confronted with as it strives to deliver its strategic objectives.

• Financial - These concern the effective management and control of the finances of the organisation and the effects of external factors such as availability of credit, foreign exchange rates, interest rate movement and other market exposures.

• Knowledge management - These concern the effective management and control of the knowledge resources, the production, protection and communication thereof. External factors might include the unauthorised use or abuse of intellectual property, area power failures, and competitive technology. Internal factors might be system malfunction or loss of key staff.

• Compliance - These concern such issues as health & safety, environmental, trade descriptions, consumer protection, data protection, employment practices and regulatory issues.

Whilst risk identification can be carried out by outside consultants, an in-house approach with well communicated, consistent and co-ordinated processes and tools (see Appendix, page 14) is likely to be more effective. In-house ‘ownership’ of the risk management process is essential.

4.2 Risk Description

The objective of risk description is to display the identified risks in a structured format, for example, by using a table. The risk description table overleaf can be used to facilitate the description and assessment
Medium (Possible) | Likely to occur in a ten year time period or less than 25% chance of occurrence. | Could occur more than once within the time period (for example - ten years). Could be difficult to control due to some external influences. Is there a history of occurrence?
4.4 Risk Analysis methods and techniques

A range of techniques can be used to analyse risks. These can be specific to upside or downside risk or be capable of dealing with both. (See Appendix, page 14, for examples).

4.5 Risk Profile

The result of the risk analysis process can be used to produce a risk profile which gives a significance rating to each risk and provides a tool for prioritising risk treatment efforts. This ranks each identified risk so as to give a view of the relative importance.

This process allows the risk to be mapped to the business area affected, describes the primary control procedures in place and indicates areas where the level of risk control investment might be increased, decreased or reapportioned.

Accountability helps to ensure that ‘ownership’ of the risk is recognised and the appropriate management resource allocated.
5. Risk Evaluation
When the risk analysis process has been completed, it is necessary to compare the estimated risks against risk criteria which the organisation has established. The risk criteria may include associated costs and benefits, legal requirements, socio-economic and environmental factors, concerns of stakeholders, etc. Risk evaluation therefore, is used to make decisions about the significance of risks to the organisation and whether each specific risk should be accepted or treated.
7. Risk Treatment
Risk treatment is the process of selecting and implementing measures to modify the risk. Risk treatment includes as its major element, risk control/mitigation, but extends further to, for example, risk avoidance, risk transfer, risk financing, etc.

The risk analysis process assists the effective and efficient operation of the organisation by identifying those risks which require attention by management. They will need to prioritise risk control actions in terms of their potential to benefit the organisation.
On the following pages are extracts from the document PD ISO/IEC Guide 73: 2002
reproduced with the permission of British Standards Institution under licence number
2002SK/0313. British Standards can be obtained from BSI Customer Services,
389 Chiswick High Road, London W4 4AL. (Tel + 44 (0) 20 8996 9001)
This publication is available from the above organisations for download from their respective websites free of charge.
Please contact the individual associations if you wish to purchase more copies of this Risk Management Standard in printed form.