
A Risk Management Standard

Published by AIRMIC, ALARM, IRM: 2002


Introduction
This Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK - The Institute of Risk Management (IRM), The Association of Insurance and Risk Managers (AIRMIC) and ALARM The National Forum for Risk Management in the Public Sector.

In addition, the team sought the views and opinions of a wide range of other professional bodies with interests in risk management, during an extensive period of consultation.

Risk management is a rapidly developing discipline and there are many and varied views and descriptions of what risk management involves, how it should be conducted and what it is for. Some form of standard is needed to ensure that there is an agreed:
• terminology related to the words used
• process by which risk management can be carried out
• organisation structure for risk management
• objective for risk management

Importantly, the standard recognises that risk has both an upside and a downside.

Risk management is not just something for corporations or public organisations, but for any activity whether short or long term. The benefits and opportunities should be viewed not just in the context of the activity itself but in relation to the many and varied stakeholders who can be affected.

There are many ways of achieving the objectives of risk management and it would be impossible to try to set them all out in a single document. Therefore it was never intended to produce a prescriptive standard which would have led to a box ticking approach nor to establish a certifiable process. By meeting the various component parts of this standard, albeit in different ways, organisations will be in a position to report that they are in compliance. The standard represents best practice against which organisations can measure themselves.

The standard has wherever possible used the terminology for risk set out by the International Organization for Standardization (ISO) in its recent document ISO/IEC Guide 73 Risk Management - Vocabulary - Guidelines for use in standards.

In view of the rapid developments in this area the authors would appreciate feedback from organisations as they put the standard into use (addresses to be found on the back cover of this Guide). It is intended that regular modifications will be made to the standard in the light of best practice.

A Risk Management Standard © AIRMIC, ALARM, IRM: 2002 1


1. Risk
Risk can be defined as the combination of the probability of an event and its consequences (ISO/IEC Guide 73).

In all types of undertaking, there is the potential for events and consequences that constitute opportunities for benefit (upside) or threats to success (downside).

Risk Management is increasingly recognised as being concerned with both positive and negative aspects of risk. Therefore this standard considers risk from both perspectives.

In the safety field, it is generally recognised that consequences are only negative and therefore the management of safety risk is focused on prevention and mitigation of harm.

2. Risk Management
Risk management is a central part of any organisation’s strategic management. It is the process whereby organisations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.

The focus of good risk management is the identification and treatment of these risks. Its objective is to add maximum sustainable value to all the activities of the organisation. It marshals the understanding of the potential upside and downside of all those factors which can affect the organisation. It increases the probability of success, and reduces both the probability of failure and the uncertainty of achieving the organisation’s overall objectives.

Risk management should be a continuous and developing process which runs throughout the organisation’s strategy and the implementation of that strategy. It should address methodically all the risks surrounding the organisation’s activities past, present and in particular, future.

It must be integrated into the culture of the organisation with an effective policy and a programme led by the most senior management. It must translate the strategy into tactical and operational objectives, assigning responsibility throughout the organisation with each manager and employee responsible for the management of risk as part of their job description. It supports accountability, performance measurement and reward, thus promoting operational efficiency at all levels.

2.1 External and Internal Factors
The risks facing an organisation and its operations can result from factors both external and internal to the organisation.

The diagram overleaf summarises examples of key risks in these areas and shows that some specific risks can have both external and internal drivers and therefore overlap the two areas. They can be categorised further into types of risk such as strategic, financial, operational, hazard, etc.



[Diagram 2.1: Examples of the Drivers of Key Risks]



2.2 The Risk Management Process

[Diagram: the risk management process. Elements shown: The Organisation’s Strategic Objectives; Risk Assessment, comprising Risk Analysis (Risk Identification, Risk Description, Risk Estimation) and Risk Evaluation; Risk Reporting (Threats and Opportunities); Decision; Risk Treatment; Residual Risk Reporting; Monitoring; Formal Audit.]

Risk management protects and adds value to the organisation and its stakeholders through
supporting the organisation’s objectives by:

• providing a framework for an organisation that enables future activity to take place in a consistent and controlled manner
• improving decision making, planning and prioritisation by comprehensive and structured understanding of business activity, volatility and project opportunity/threat
• contributing to more efficient use/allocation of capital and resources within the organisation
• reducing volatility in the non essential areas of the business
• protecting and enhancing assets and company image
• developing and supporting people and the organisation’s knowledge base
• optimising operational efficiency



3. Risk Assessment
Risk Assessment is defined by the ISO/IEC Guide 73 as the overall process of risk analysis and risk evaluation. (See appendix)

4. Risk Analysis
4.1 Risk Identification
Risk identification sets out to identify an organisation’s exposure to uncertainty. This requires an intimate knowledge of the organisation, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to its success and the threats and opportunities related to the achievement of these objectives.

Risk identification should be approached in a methodical way to ensure that all significant activities within the organisation have been identified and all the risks flowing from these activities defined. All associated volatility related to these activities should be identified and categorised.

Business activities and decisions can be classified in a range of ways, examples of which include:
• Strategic - These concern the long-term strategic objectives of the organisation. They can be affected by such areas as capital availability, sovereign and political risks, legal and regulatory changes, reputation and changes in the physical environment.
• Operational - These concern the day-to-day issues that the organisation is confronted with as it strives to deliver its strategic objectives.
• Financial - These concern the effective management and control of the finances of the organisation and the effects of external factors such as availability of credit, foreign exchange rates, interest rate movement and other market exposures.
• Knowledge management - These concern the effective management and control of the knowledge resources, the production, protection and communication thereof. External factors might include the unauthorised use or abuse of intellectual property, area power failures, and competitive technology. Internal factors might be system malfunction or loss of key staff.
• Compliance - These concern such issues as health & safety, environmental, trade descriptions, consumer protection, data protection, employment practices and regulatory issues.

Whilst risk identification can be carried out by outside consultants, an in-house approach with well communicated, consistent and co-ordinated processes and tools (see Appendix, page 14) is likely to be more effective. In-house ‘ownership’ of the risk management process is essential.

4.2 Risk Description
The objective of risk description is to display the identified risks in a structured format, for example, by using a table. The risk description table overleaf can be used to facilitate the description and assessment



of risks. The use of a well designed structure is necessary to ensure a comprehensive risk identification, description and assessment process. By considering the consequence and probability of each of the risks set out in the table, it should be possible to prioritise the key risks that need to be analysed in more detail. Identification of the risks associated with business activities and decision making may be categorised as strategic, project/tactical, operational. It is important to incorporate risk management at the conceptual stage of projects as well as throughout the life of a specific project.

4.2.1 Table - Risk Description

1. Name of Risk
2. Scope of Risk: Qualitative description of the events, their size, type, number and dependencies
3. Nature of Risk: Eg. strategic, operational, financial, knowledge or compliance
4. Stakeholders: Stakeholders and their expectations
5. Quantification of Risk: Significance and Probability
6. Risk Tolerance/Appetite: Loss potential and financial impact of risk; Value at risk; Probability and size of potential losses/gains; Objective(s) for control of the risk and desired level of performance
7. Risk Treatment & Control Mechanisms: Primary means by which the risk is currently managed; Levels of confidence in existing control; Identification of protocols for monitoring and review
8. Potential Action for Improvement: Recommendations to reduce risk
9. Strategy and Policy Developments: Identification of function responsible for developing strategy and policy

4.3 Risk Estimation

Risk estimation can be quantitative, semi-quantitative or qualitative in terms of the probability of occurrence and the possible consequence.

For example, consequences both in terms of threats (downside risks) and opportunities (upside risks) may be high, medium or low (see table 4.3.1). Probability may be high, medium or low but requires different definitions in respect of threats and opportunities (see tables 4.3.2 and 4.3.3). Examples are given in the tables overleaf.

Different organisations will find that different measures of consequence and probability will suit their needs best.

For example many organisations find that assessing consequence and probability as high, medium or low is quite adequate for their needs and can be presented as a 3 x 3 matrix.

Other organisations find that assessing consequence and probability using a 5 x 5 matrix gives them a better evaluation.



Table 4.3.1 Consequences - Both Threats and Opportunities

High
  Financial impact on the organisation is likely to exceed £x
  Significant impact on the organisation’s strategy or operational activities
  Significant stakeholder concern

Medium
  Financial impact on the organisation likely to be between £x and £y
  Moderate impact on the organisation’s strategy or operational activities
  Moderate stakeholder concern

Low
  Financial impact on the organisation likely to be less than £y
  Low impact on the organisation’s strategy or operational activities
  Low stakeholder concern

Table 4.3.2 Probability of Occurrence - Threats

High (Probable)
  Description: Likely to occur each year or more than 25% chance of occurrence.
  Indicators: Potential of it occurring several times within the time period (for example - ten years). Has occurred recently.

Medium (Possible)
  Description: Likely to occur in a ten year time period or less than 25% chance of occurrence.
  Indicators: Could occur more than once within the time period (for example - ten years). Could be difficult to control due to some external influences. Is there a history of occurrence?

Low (Remote)
  Description: Not likely to occur in a ten year period or less than 2% chance of occurrence.
  Indicators: Has not occurred. Unlikely to occur.



Table 4.3.3 Probability of Occurrence - Opportunities

High (Probable)
  Description: Favourable outcome is likely to be achieved in one year or better than 75% chance of occurrence.
  Indicators: Clear opportunity which can be relied on with reasonable certainty, to be achieved in the short term based on current management processes.

Medium (Possible)
  Description: Reasonable prospects of favourable results in one year or 25% to 75% chance of occurrence.
  Indicators: Opportunities which may be achievable but which require careful management. Opportunities which may arise over and above the plan.

Low (Remote)
  Description: Some chance of favourable outcome in the medium term or less than 25% chance of occurrence.
  Indicators: Possible opportunity which has yet to be fully investigated by management. Opportunity for which the likelihood of success is low on the basis of management resources currently being applied.

4.4 Risk Analysis methods and techniques
A range of techniques can be used to analyse risks. These can be specific to upside or downside risk or be capable of dealing with both. (See Appendix, page 14, for examples).

4.5 Risk Profile
The result of the risk analysis process can be used to produce a risk profile which gives a significance rating to each risk and provides a tool for prioritising risk treatment efforts. This ranks each identified risk so as to give a view of the relative importance.

This process allows the risk to be mapped to the business area affected, describes the primary control procedures in place and indicates areas where the level of risk control investment might be increased, decreased or reapportioned.

Accountability helps to ensure that ‘ownership’ of the risk is recognised and the appropriate management resource allocated.

5. Risk Evaluation
When the risk analysis process has been completed, it is necessary to compare the estimated risks against risk criteria which the organisation has established. The risk criteria may include associated costs and benefits, legal requirements, socio-economic and environmental factors, concerns of stakeholders, etc. Risk evaluation therefore, is used to make decisions about the significance of risks to the organisation and whether each specific risk should be accepted or treated.
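As an added worked example (not part of the standard), the following Python code carries sections 4.3, 4.5 and 5 through on a constructed risk register: each risk is banded High/Medium/Low for consequence and probability using the definitions of tables 4.3.1 to 4.3.3, placed on the 3 x 3 matrix to produce a ranked risk profile, and then evaluated against an assumed risk appetite. The pound thresholds standing in for the standard's £x and £y, the register entries, the scoring (consequence rank multiplied by probability rank) and the appetite criterion are all assumptions made for the example.

```python
"""Risk estimation, risk profile and risk evaluation on a 3 x 3 matrix.

Added example; it is not part of the AIRMIC/ALARM/IRM standard. The
High/Medium/Low bands follow tables 4.3.1 to 4.3.3 of the standard. The
pound thresholds standing in for the standard's "£x" and "£y", the sample
risk register and the appetite criterion are constructed assumptions.
"""
from dataclasses import dataclass

LEVELS = {"Low": 1, "Medium": 2, "High": 3}

# Table 4.3.1 leaves the financial thresholds as £x and £y; assumed values.
FINANCIAL_X = 1_000_000  # High consequence above this
FINANCIAL_Y = 100_000    # Low consequence below this


def consequence_level(financial_impact: float) -> str:
    """Table 4.3.1: High above £x, Medium between £y and £x, Low below £y."""
    if financial_impact > FINANCIAL_X:
        return "High"
    if financial_impact >= FINANCIAL_Y:
        return "Medium"
    return "Low"


def threat_probability_level(probability: float) -> str:
    """Table 4.3.2 (threats): more than 25% High (Probable), 2% to 25%
    Medium (Possible), less than 2% Low (Remote)."""
    if probability > 0.25:
        return "High"
    if probability >= 0.02:
        return "Medium"
    return "Low"


def opportunity_probability_level(probability: float) -> str:
    """Table 4.3.3 (opportunities): better than 75% High, 25% to 75% Medium,
    less than 25% Low."""
    if probability > 0.75:
        return "High"
    if probability >= 0.25:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    """One row of a risk register (cf. the risk description table, 4.2.1)."""
    name: str
    nature: str              # strategic, operational, financial, knowledge, compliance
    kind: str                # "threat" or "opportunity"
    financial_impact: float  # estimated consequence in pounds
    probability: float       # chance of occurrence within the time period


@dataclass
class ProfileEntry:
    name: str
    consequence: str
    probability: str
    score: int               # consequence rank x probability rank, 1..9


def estimate(risk: Risk) -> ProfileEntry:
    """Section 4.3: place the risk on the 3 x 3 consequence/probability matrix."""
    consequence = consequence_level(risk.financial_impact)
    if risk.kind == "opportunity":
        probability = opportunity_probability_level(risk.probability)
    else:
        probability = threat_probability_level(risk.probability)
    return ProfileEntry(risk.name, consequence, probability,
                        LEVELS[consequence] * LEVELS[probability])


def risk_profile(risks):
    """Section 4.5: rank every identified risk by significance, highest first."""
    return sorted((estimate(r) for r in risks), key=lambda e: e.score, reverse=True)


def evaluate(risks, appetite_score=3):
    """Section 5: compare the estimated risks with the organisation's criteria.
    Assumed criteria: a score above the appetite is treated, anything else is
    accepted, and compliance risks are always treated because compliance with
    laws and regulations is not optional (section 7)."""
    natures = {r.name: r.nature for r in risks}
    decisions = {}
    for entry in risk_profile(risks):
        over_appetite = entry.score > appetite_score
        mandatory = natures[entry.name] == "compliance"
        decisions[entry.name] = "treat" if over_appetite or mandatory else "accept"
    return decisions


# Constructed sample register; names and figures are illustrative only.
SAMPLE_REGISTER = [
    Risk("Data centre power failure", "knowledge", "threat", 2_500_000, 0.05),
    Risk("Supplier invoice fraud", "financial", "threat", 150_000, 0.30),
    Risk("Office relocation delay", "operational", "threat", 20_000, 0.10),
    Risk("Data protection breach", "compliance", "threat", 50_000, 0.01),
    Risk("New market entry", "strategic", "opportunity", 3_000_000, 0.40),
]

if __name__ == "__main__":
    decisions = evaluate(SAMPLE_REGISTER)
    for entry in risk_profile(SAMPLE_REGISTER):
        print(f"{entry.score}  {entry.consequence:<6} x {entry.probability:<6} "
              f"{entry.name:<28} -> {decisions[entry.name]}")
```

Running the script prints the profile highest score first; the data protection breach scores lowest on the matrix but is still marked for treatment because its nature is compliance, which is the point the standard makes about compliance not being optional.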



6. Risk Reporting and Communication
6.1 Internal Reporting
Different levels within an organisation need different information from the risk management process.

The Board of Directors should:
• know about the most significant risks facing the organisation
• know the possible effects on shareholder value of deviations to expected performance ranges
• ensure appropriate levels of awareness throughout the organisation
• know how the organisation will manage a crisis
• know the importance of stakeholder confidence in the organisation
• know how to manage communications with the investment community where applicable
• be assured that the risk management process is working effectively
• publish a clear risk management policy covering risk management philosophy and responsibilities

Business Units should:
• be aware of risks which fall into their area of responsibility, the possible impacts these may have on other areas and the consequences other areas may have on them
• have performance indicators which allow them to monitor the key business and financial activities, progress towards objectives and identify developments which require intervention (e.g. forecasts and budgets)
• have systems which communicate variances in budgets and forecasts at appropriate frequency to allow action to be taken
• report systematically and promptly to senior management any perceived new risks or failures of existing control measures

Individuals should:
• understand their accountability for individual risks
• understand how they can enable continuous improvement of risk management response
• understand that risk management and risk awareness are a key part of the organisation’s culture
• report systematically and promptly to senior management any perceived new risks or failures of existing control measures

6.2 External Reporting
A company needs to report to its stakeholders on a regular basis setting out its risk management policies and the effectiveness in achieving its objectives.

Increasingly stakeholders look to organisations to provide evidence of effective management of the organisation’s non-financial performance in such areas as community affairs, human rights, employment practices, health and safety and the environment.



Good corporate governance requires that companies adopt a methodical approach to risk management which:
• protects the interests of their stakeholders
• ensures that the Board of Directors discharges its duties to direct strategy, build value and monitor performance of the organisation
• ensures that management controls are in place and are performing adequately

The arrangements for the formal reporting of risk management should be clearly stated and be available to the stakeholders.

The formal reporting should address:
• the control methods - particularly management responsibilities for risk management
• the processes used to identify risks and how they are addressed by the risk management systems
• the primary control systems in place to manage significant risks
• the monitoring and review system in place

Any significant deficiencies uncovered by the system, or in the system itself, should be reported together with the steps taken to deal with them.

7. Risk Treatment
Risk treatment is the process of selecting and implementing measures to modify the risk. Risk treatment includes as its major element, risk control/mitigation, but extends further to, for example, risk avoidance, risk transfer, risk financing, etc.

NOTE: In this standard, risk financing refers to the mechanisms (eg insurance programmes) for funding the financial consequences of risk. Risk financing is not generally considered to be the provision of funds to meet the cost of implementing risk treatment (as defined by ISO/IEC Guide 73; see page 17).

Any system of risk treatment should provide as a minimum:
• effective and efficient operation of the organisation
• effective internal controls
• compliance with laws and regulations.

The risk analysis process assists the effective and efficient operation of the organisation by identifying those risks which require attention by management. They will need to prioritise risk control actions in terms of their potential to benefit the organisation.

Effectiveness of internal control is the degree to which the risk will either be eliminated or reduced by the proposed control measures.

Cost effectiveness of internal control relates to the cost of implementing the control compared to the risk reduction benefits expected.

The proposed controls need to be measured in terms of potential economic effect if no action is taken versus the cost of the proposed action(s) and invariably require more detailed information and assumptions than are immediately available.



Firstly, the cost of implementation has to be established. This has to be calculated with some accuracy since it quickly becomes the baseline against which cost effectiveness is measured. The loss to be expected if no action is taken must also be estimated and by comparing the results, management can decide whether or not to implement the risk control measures.

Compliance with laws and regulations is not an option. An organisation must understand the applicable laws and must implement a system of controls to achieve compliance. There is only occasionally some flexibility where the cost of reducing a risk may be totally disproportionate to that risk.

One method of obtaining financial protection against the impact of risks is through risk financing which includes insurance. However, it should be recognised that some losses or elements of a loss will be uninsurable eg the uninsured costs associated with work-related health, safety or environmental incidents, which may include damage to employee morale and the organisation’s reputation.
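The comparison this section describes, as an added worked example that is not part of the standard: the cost of implementation is established as the baseline, the loss to be expected if no action is taken is estimated, the risk reduction benefit of each proposed control is set against its cost, a control required for compliance is implemented regardless of that comparison, and insurance is shown covering only the insurable element of a loss while the uninsurable element stays with the organisation. The loss figures, control names, effectiveness fractions and premium are constructed for the example; the "benefit per pound of cost" ratio is one way of expressing cost effectiveness and is an assumption of the example, not a formula from the standard.

```python
"""Cost effectiveness of proposed risk controls (section 7 of the standard).

Added example; it is not part of the AIRMIC/ALARM/IRM standard. The loss
figures, control names, effectiveness fractions and the insurance premium
are constructed. The benefit-to-cost ratio is the example's own measure.
"""
from dataclasses import dataclass


@dataclass
class LossEstimate:
    """Loss to be expected if no action is taken, split into the element that
    risk financing (eg insurance) can cover and the uninsurable element such
    as damage to employee morale or reputation."""
    probability: float   # chance of the event occurring in the period
    insurable: float     # pounds
    uninsurable: float   # pounds

    @property
    def loss_if_occurs(self) -> float:
        return self.insurable + self.uninsurable


@dataclass
class Control:
    name: str
    implementation_cost: float  # baseline against which cost effectiveness is measured
    effectiveness: float        # share of the risk eliminated or reduced, 0.0 to 1.0
    required_for_compliance: bool = False


def expected_loss(estimate: LossEstimate) -> float:
    """Loss to be expected if no action is taken: probability x consequence."""
    return estimate.probability * estimate.loss_if_occurs


def risk_reduction_benefit(control: Control, estimate: LossEstimate) -> float:
    """Effectiveness of internal control: the part of the expected loss that
    the proposed control removes."""
    return control.effectiveness * expected_loss(estimate)


def cost_effectiveness(control: Control, estimate: LossEstimate) -> float:
    """Cost effectiveness of internal control: benefit per pound of
    implementation cost. Above 1.0 the control more than pays for itself."""
    return risk_reduction_benefit(control, estimate) / control.implementation_cost


def decide(control: Control, estimate: LossEstimate) -> str:
    """Compare the expected loss with the cost of the proposed action. A control
    needed for compliance is implemented whatever the comparison says."""
    if control.required_for_compliance:
        return "implement (compliance)"
    return "implement" if cost_effectiveness(control, estimate) >= 1.0 else "reject"


def expected_loss_with_insurance(estimate: LossEstimate, annual_premium: float) -> float:
    """Risk financing: the premium is paid with certainty, the insurable element
    is transferred, and the uninsurable element stays with the organisation."""
    return annual_premium + estimate.probability * estimate.uninsurable


# Constructed sample: a 10% chance per year of an incident costing £400,000
# in insurable losses plus £100,000 of uninsurable harm.
SAMPLE_LOSS = LossEstimate(probability=0.10, insurable=400_000, uninsurable=100_000)

SAMPLE_CONTROLS = [
    Control("Access control upgrade", 20_000, 0.60),
    Control("Full site redundancy", 60_000, 0.90),
    Control("Statutory safety inspection", 8_000, 0.10, required_for_compliance=True),
]

if __name__ == "__main__":
    print(f"Expected loss with no action: £{expected_loss(SAMPLE_LOSS):,.0f}")
    for control in SAMPLE_CONTROLS:
        print(f"{control.name:<30} cost £{control.implementation_cost:>7,.0f} "
              f"benefit £{risk_reduction_benefit(control, SAMPLE_LOSS):>7,.0f} "
              f"ratio {cost_effectiveness(control, SAMPLE_LOSS):.2f} "
              f"-> {decide(control, SAMPLE_LOSS)}")
    print(f"Expected loss with insurance at £25,000 premium: "
          f"£{expected_loss_with_insurance(SAMPLE_LOSS, 25_000):,.0f}")
```

In the sample the more effective control is rejected because its cost outweighs the reduction in expected loss, which illustrates why the standard insists the implementation cost be established accurately first: it is the baseline every later judgement rests on.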

8. Monitoring and Review of the Risk Management Process
Effective risk management requires a reporting and review structure to ensure that risks are effectively identified and assessed and that appropriate controls and responses are in place. Regular audits of policy and standards compliance should be carried out and standards performance reviewed to identify opportunities for improvement. It should be remembered that organisations are dynamic and operate in dynamic environments. Changes in the organisation and the environment in which it operates must be identified and appropriate modifications made to systems.

The monitoring process should provide assurance that there are appropriate controls in place for the organisation’s activities and that the procedures are understood and followed.

Changes in the organisation and the environment in which it operates must be identified and appropriate changes made to systems.

Any monitoring and review process should also determine whether:
• the measures adopted resulted in what was intended
• the procedures adopted and information gathered for undertaking the assessment were appropriate
• improved knowledge would have helped to reach better decisions and identify what lessons could be learned for future assessments and management of risks



9. The Structure and Administration of
Risk Management
9.1 Risk Management Policy
An organisation’s risk management policy should set out its approach to and appetite for risk and its approach to risk management. The policy should also set out responsibilities for risk management throughout the organisation.

Furthermore, it should refer to any legal requirements for policy statements eg. for Health and Safety.

Attaching to the risk management process is an integrated set of tools and techniques for use in the various stages of the business process. To work effectively, the risk management process requires:
• commitment from the chief executive and executive management of the organisation
• assignment of responsibilities within the organisation
• allocation of appropriate resources for training and the development of an enhanced risk awareness by all stakeholders.

9.2 Role of the Board
The Board has responsibility for determining the strategic direction of the organisation and for creating the environment and the structures for risk management to operate effectively.

This may be through an executive group, a non-executive committee, an audit committee or such other function that suits the organisation’s way of operating and is capable of acting as a ‘sponsor’ for risk management.

The Board should, as a minimum, consider, in evaluating its system of internal control:
• the nature and extent of downside risks acceptable for the company to bear within its particular business
• the likelihood of such risks becoming a reality
• how unacceptable risks should be managed
• the company’s ability to minimise the probability and impact on the business
• the costs and benefits of the risk and control activity undertaken
• the effectiveness of the risk management process
• the risk implications of board decisions

9.3 Role of the Business Units
This includes the following:
• the business units have primary responsibility for managing risk on a day-to-day basis
• business unit management is responsible for promoting risk awareness within their operations; they should introduce risk management objectives into their business
• risk management should be a regular management-meeting item to allow consideration of exposures and to reprioritise work in the light of effective risk analysis
• business unit management should ensure that risk management is incorporated at the conceptual stage of projects as well as throughout a project



9.4 Role of the Risk Management Function
Depending on the size of the organisation the risk management function may range from a single risk champion, a part time risk manager, to a full scale risk management department. The role of the Risk Management function should include the following:
• setting policy and strategy for risk management
• primary champion of risk management at strategic and operational level
• building a risk aware culture within the organisation including appropriate education
• establishing internal risk policy and structures for business units
• designing and reviewing processes for risk management
• co-ordinating the various functional activities which advise on risk management issues within the organisation
• developing risk response processes, including contingency and business continuity programmes
• preparing reports on risk for the board and the stakeholders

9.5 Role of Internal Audit
The role of Internal Audit is likely to differ from one organisation to another. In practice, Internal Audit’s role may include some or all of the following:
• focusing the internal audit work on the significant risks, as identified by management, and auditing the risk management processes across an organisation
• providing assurance on the management of risk
• providing active support and involvement in the risk management process
• facilitating risk identification/assessment and educating line staff in risk management and internal control
• co-ordinating risk reporting to the board, audit committee, etc

In determining the most appropriate role for a particular organisation, Internal Audit should ensure that the professional requirements for independence and objectivity are not breached.

9.6 Resources and Implementation
The resources required to implement the organisation’s risk management policy should be clearly established at each level of management and within each business unit.

In addition to other operational functions they may have, those involved in risk management should have their roles in co-ordinating risk management policy/strategy clearly defined. The same clear definition is also required for those involved in the audit and review of internal controls and facilitating the risk management process.

Risk management should be embedded within the organisation through the strategy and budget processes. It should be highlighted in induction and all other training and development as well as within operational processes e.g. product/service development projects.



10. Appendix
Risk Identification Techniques - examples
• Brainstorming
• Questionnaires
• Business studies which look at each business process and describe both the internal processes and external factors which can influence those processes
• Industry benchmarking
• Scenario analysis
• Risk assessment workshops
• Incident investigation
• Auditing and inspection
• HAZOP (Hazard & Operability Studies)

Risk Analysis Methods and Techniques - examples

Upside risk
• Market survey
• Prospecting
• Test marketing
• Research and Development
• Business impact analysis

Both
• Dependency modelling
• SWOT analysis (Strengths, Weaknesses, Opportunities, Threats)
• Event tree analysis
• Business continuity planning
• BPEST (Business, Political, Economic, Social, Technological) analysis
• Real Option Modelling
• Decision taking under conditions of risk and uncertainty
• Statistical inference
• Measures of central tendency and dispersion
• PESTLE (Political Economic Social Technical Legal Environmental)

Downside risk
• Threat analysis
• Fault tree analysis
• FMEA (Failure Mode & Effect Analysis)

On the following pages are extracts from the document PD ISO/IEC Guide 73: 2002
reproduced with the permission of British Standards Institution under licence number
2002SK/0313. British Standards can be obtained from BSI Customer Services,
389 Chiswick High Road, London W4 4AL. (Tel + 44 (0) 20 8996 9001)



The Institute of Risk Management
6 Lloyd’s Avenue, London EC3N 3AX
Telephone 020 7709 9808
Facsimile 020 7709 0716
Email enquiries@theIRM.org
www.theirm.org

ALARM The National Forum for Risk Management in the Public Sector
Queens Drive, Exmouth, Devon EX8 2AY
Telephone 01395 223399
Facsimile 01395 223304
Email admin@alarm.uk.com
www.alarm-uk.com

The Association of Insurance and Risk Managers
6 Lloyd’s Avenue, London EC3N 3AX
Telephone 020 7480 7610
Facsimile 020 7702 3752
Email enquiries@airmic.co.uk
www.airmic.com

This publication is available from the above organisations for download from their respective websites free of charge. Please contact the individual associations if you wish to purchase more copies of this Risk Management Standard in printed form.