
Risk management: Everyone's business!

Home truths
Friday, 18 August 2017

Organisations and their employees take risks and also manage risks every day. Of course, this is part of the business and of service delivery operations. However, the management of risks is often confined to the treatment of risk symptoms.

The failure to manage risks at their sources and to control unavoidable risks effectively has led to the recurrence of the same risks. Apparently, risk management units in many organisations have become elite silos of white-collar professionals eager to produce volumes of statistical reports for senior management, irrespective of their failure to stop the same risks regenerating over and over again.

Risk management refers to the architecture created within an organisation, incorporating principles, a framework and processes for dealing with risk. Managing risks means the application of this architecture to particular risks.

The author has not worked in the Sri Lankan private business sector. However, as a keen observer and as an engineer who has a professional interest in organisational management, the author is not convinced that private sector risk management practices are as comprehensive as they should be. No doubt there are a few exceptions. Besides, the author has no hesitation in declaring that in Sri Lankan central government, semi-government and local government organisations, formal risk management is virtually non-existent. Otherwise, the ubiquitous failures of public sector projects, programs and initiatives could not have been witnessed.

Hence, the author has a professional obligation to comment on the proper application of risk management principles and to express his opinions in good faith, based on his practical experience in the risk management field.

Overseas front
Australia and New Zealand led the risk management field internationally with their joint standard on risk management, AS/NZS 4360, first published in 1995 and revised in 1999 and 2004. The International Organization for Standardization (ISO) established a working group to develop an international standard on risk management and used the innovative AS/NZS 4360:2004 as the base document. The aim was to expand AS/NZS 4360 for universal application, encompassing all industry environments.

In 2009, ISO 31000:2009, Risk management: Principles and guidelines, was released and adopted as the joint standard AS/NZS ISO 31000:2009. The risk management process described in ISO 31000 was identical to that of AS/NZS 4360. However, ISO 31000 also addressed the whole management system that supports the design, implementation, maintenance and improvement of risk management processes.

The scope of this article is to explain the basic features of ISO 31000 and how it can be applied in Sri Lankan private and government organisations to manage

Understanding the terminology

Historically, the word "risk" had a negative connotation. It was commonly understood as the probability of loss. This definition was changed later.

In ISO 31000, risk is defined as "the effect of uncertainty on objectives". This means that risk is no longer a negative-only concept: the effect can be positive or negative. The change of definition has created confusion among the professionals who apply ISO 31000, and the confusion still remains, as risk is and will always be a negative concept for the majority of the public.

This new definition shifts the emphasis from the event itself to the effect of the

As an example, if an organisation exhausts its annual budget allocation within nine months, the risk is not the event of running out of budget but how that event affects the achievement of the organisation's annual and long-term objectives. The same event may turn out to be a positive risk if it is found that all annual organisational objectives have already been achieved; it would then create an opportunity to achieve additional objectives by reallocating funds from less important programs. Hence, until a proper analysis is done, a risk must not be categorised as a negative-only effect.

Risk is implicit in all decisions. While risk is a fact of life, the aim of managing risks should be to modify risk levels to manageable and acceptable levels and then get on with life, or with the business.

Risk management basis

Many organisations have risk management business units. However, risk management should not be a process assigned to a single business unit. It is a process that must be embedded into all organisational activities and conducted by all units. Executive management should actively support a holistic approach to risk management. It embodies the organisation's culture and complements the organisation's vision and objectives.

Everyone in an organisation has a role to play in making the organisation's risk management process a success.

ISO 31000 helps administrators to understand risk management principles, the framework and the processes. However, each organisation must develop its own risk management model to suit its business processes, in compliance with ISO 31000. ISO 31000 describes the relationship between the principles of risk management, the risk management framework and the risk management process.


The risk management architecture is developed to ensure that organisations achieve their corporate objectives effectively by managing identified risks. This is not about preparing a procedural document in the Risk Management Unit to claim mere compliance. To make this really work within the organisation, all management units should behave in a certain way, taking responsibility and accountability for the successes and failures of all their activities, and should make informed decisions on each and every activity they perform with the risk management principles in focus. Risk management is everyone's business and it must be part of the culture of the organisation.

Every private and public sector entity has organisational values, which can be tangible or intangible. Organisations strive hard to protect and, where possible, enhance these values while doing business. The risk management process supports this through the successful implementation of projects and programs, preserving the health and safety of workers, complying with legal and regulatory requirements, ensuring environmental sustainability, encouraging responsible governance practices, enhancing reputation, and promoting operational effectiveness and efficiency. Also, employees have secure employment only if the organisation survives in the business world. And each day, employees must walk out of the organisation safe to meet their loved ones. Hence, safety is paramount for an organisation.

The quality of strategic and operational planning makes an organisation what it is in the competitive business environment. Each and every strategic and operational planning activity contains risks, and therefore risk management activities must be performed. If an organisation claims to embody efficient and effective strategic and operational management techniques, the risk management architecture described in ISO 31000 must be an integral part of its management system. This is done by subjecting all management decisions to a risk management compliance test, which eliminates hazards or reduces risk levels to acceptable levels.

Uncertainty is a real-life situation. The challenge is to actively seek information from different sources on the recognised uncertainties and to follow a systematic, structured and timely process to identify risks, then devise solutions to address negative risks and be prepared to grab the advantages that come along with positive risks.

Different organisations respond differently to the same risks because each organisation's risk appetite, approach and corporate objectives differ from those of others. This is why one organisation cannot copy and paste a risk management plan developed by another organisation, even if the selected company is from the same industry.

Risk management is a live activity, and organisations must be flexible enough to change their course of action to suit dynamic situations. This means all employees must always be on their toes. Risk management is not just generating procedural and process documentation and claiming that the organisation has a risk management system. It involves collective decision-making and practical application, involving people, behaviours and cultural factors. As management practices are implemented through people, success depends on their understanding, their genuine willingness to respond to risk management needs, and their following of the agreed solutions and practices.

Risk management should be in all employees' minds as soon as they set foot on the business premises. Even the wrong body language in front of a customer can be a risk to the image of the organisation.

Many organisations strive to obtain and maintain quality standards such as ISO 9001 certification. ISO 9001 certification is a symbol of a quality organisation. Proper risk management is also part of a quality organisation. Hence, best-practice risk management complements achieving and maintaining this certification status.

The risk management framework is the administrative management structure set up to ensure the success of risk management. It creates an organisation-wide matrix structure, encompassing all strategic and operational management levels of the business units, with a holistic focus on managing risks. It can also include the establishment of a risk management leadership unit to monitor risk management activities, periodically review process documents and procedures, and report on the organisation's success against its risk management targets.

Design of framework: Understanding organisation and its operating environment

The design of a framework for managing risks starts with understanding the business processes of the organisation and its context. Understanding the business processes is easy. However, understanding the organisation's context is not a straightforward activity. Understanding the context here means understanding the nature and objectives of all the stakeholders.

It is usually divided into external and internal context.

External context includes the outside business environment (social, cultural, legal, political, financial, technological, economic, etc.), key external drivers which influence the way of doing business, and the relationships and expectations of external stakeholders such as the public, customers, promoters, distractors and

Risk management policy

A policy is a guiding principle that helps an organisation take binding decisions. The risk management policy explains the organisation's rationale for managing risks. This policy should be in line with the organisation's other policies. Otherwise, implementing the risk management policy would disrupt the implementation of other policies, and the consequence would be only partial achievement of overall organisational objectives. In general, organisations draw attention to six risk areas: financial, people, reputation, business, environmental and compliance. This can be expanded depending on the nature of organisational activities.

The policy must give details of the accountabilities and responsibilities of senior management to ensure implementation of the risk management policy through appropriate resource allocation. It must also outline how risk management performance is measured and reported.

This policy, as with any other policy, should have a sunset clause. Compulsory review and re-enactment of the policy is done on the sunset date.

Accountability, authority and reporting

The risk management framework must clearly identify who within the organisation has the accountability, authority and responsibility for risk management and for the management of risks. This is done at two levels.

Higher-level staff members are identified with the accountability, authority and responsibility to develop, implement and maintain risk management

The next level of staff are identified for managing risks by developing solutions. They are usually the process and procedure owners within the organisation. The rest of the employees implement the solutions.

Accountability for reporting on the degree of success of the implementation of risk management measures starts at the operational levels and moves upwards along the organisational reporting lines.

Integration into the core business processes

Senior management of organisations often say "this is the way we do things around here".

That is the culture of a particular organisation. Technically, the culture promotes the achievement of the strategic and operational objectives of the organisation. Risk management must be embedded into this culture. This is the alignment and integration of risk management with the organisation's governance process.

This is done by the organisation's leadership group by setting a continuous focus on risk management issues, clear directions and strategies, decision-making structures, and resource allocations to build capability and capacity.

This integration must happen vertically through each hierarchical management layer and also horizontally across the divisions and groups at each management level, encompassing policies and operations.

Ultimately it is a matrix of integration. One or more weak links in the matrix should not lead to the total collapse of the risk management process; rather, the process checks should automatically detect these weak links, prompting discussion within the group involved in the risk management process to strengthen them.

Establishing internal and external communication and reporting

Decisions on risk management issues are to be taken in an informed and timely manner. Hence, internal and external communication and reporting plans must be prepared and implemented. The internal plans come with details of the clear roles and responsibilities of the staff involved.

External communication and reporting is generally done by the senior management of the organisation to comply with legal, governance and regulatory requirements. Hence, external communication plans should include how feedback from external stakeholders is routed back into the internal communication system for necessary consideration.

Implementing risk management

Usually, the risk management framework is implemented by appointing a risk management champion. This champion must have the competence, expertise and authority to implement it by driving risk management awareness, integration, communication and policy.

The risk management champion must report directly to senior management, preferably to the chief executive officer, during the implementation stage. Gradually this role must be converted to the ongoing management and maintenance of the risk management framework, still reporting to the CEO at least quarterly. Once the system set-up is completed with the CEO's approval, the next stage is to transfer the champion's management and maintenance roles to the key staff members of the risk management integration matrix, so that staff no longer wait for the champion to make decisions on risk management.

Monitoring and reviewing

This is about the effectiveness of the established framework. The appearance of unmanaged risks and consequent undesirable impacts is an indication of a flawed risk management framework. Hence, an independent committee not involved in managing risks must be appointed for monitoring and reviewing, and for providing recommendations on necessary changes to the

Continuous improvement
This is the response to the outcomes of the monitoring and reviewing action plan. Executive management has the responsibility to provide resources to implement continuous improvement recommendations.

Risk management process

ISO 31000 provides a well-structured process for managing risks which consists of seven steps. Originally, Australia and New Zealand jointly developed this process and the rest of the world adopted it. The steps are: establishment of the context, risk identification, risk analysis, risk evaluation, risk treatment, communication and consultation, and monitoring and review.

Establishment of the context

This is the most innovative step of the risk management process. It is all about setting the boundaries of the scope and objectives. To do this, internal and external influences must be clearly identified and understood. The objectives of internal and external stakeholders can differ from each other, and the risk management process must deal with risks relevant to all stakeholder objectives. This step also outlines what outcomes are acceptable and unacceptable for all. That means the risk appetite and risk tolerances are to be set at justifiable levels. Risk tolerances are the acceptable variances from the risk appetite boundaries.

Key stakeholders must be involved when risk appetites and tolerances are determined, to avoid conflicts among external and internal stakeholders in interpreting acceptable risks and risk levels.

As part of establishing the context, a risk matrix must be developed. This is done in two stages. A simple risk matrix can be used at senior management level for initial risk screening purposes.

This must be followed by the use of a detailed risk matrix developed for each business unit. It is always helpful to assign numerical values to the likelihood and consequence descriptions so that risk ratings can be determined. The contents of each cell of this table are to be debated and agreed by the senior and middle management of the organisation for relevance, correctness and practicality.

Risk assessment
The next three steps of the process (identification, analysis and evaluation) can be combined as risk assessment. It is reiterated that the definition of risk includes both positive and negative effects. Positive risks are opportunities for organisations. If an organisation identifies them in time, forward-planning initiatives can make use of those opportunities to enhance the capability and capacity of the organisation.

Risk identification answers the questions "what, how and when might something happen?" This must be done in a systematic manner to ensure all possible risks are identified.

Risk analysis answers the question "what will happen to the organisation, in particular to its objectives, due to these risks?" This is where the risk matrix is useful. However, the matrix must be applied by competent staff members, because the level of risk is determined by the selection of the likelihood and the consequence. If the wrong categories are selected, the result is a wrong level of risk. Hence, the selection of the likelihood and the consequence must be logical, based on proven evidence and historical data, and must be reviewed by an independent person before it is locked in.

Likelihood: The risk analyst must ask questions such as "In the last few years, has anyone encountered this kind of risk?", "Have any of our competitors experienced this previously?" and "How often would present ground/business conditions allow this to happen?" This kind of questioning leads to an informed decision on likelihood. The best guess can still go wrong, but as long as a structured process of questioning and answering is followed, the decision-making is acceptable.

Consequence: Determining the consequence is easier when the characteristics of the identified risk are adequately described and the organisational objectives are clearly understood. However, the dilemma is the tendency of the staff directly responsible for risk treatment to underestimate the consequence and of the rest of the staff involved in the risk management process to overestimate it. This is why independent verification of the risk category selection gives a balanced approach.

Risk evaluation is the final step of risk assessment. The acceptable risk levels, tolerances, etc. described in the context-establishment step of the risk management process are used to evaluate the identified risks. As far as possible, risk evaluation is done quantitatively, and the values are compared with the organisation's risk thresholds. If the risk values are above the accepted thresholds, the corresponding risks must undergo risk treatment. Usually, risks are listed in priority order for treatment purposes.
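The scoring described above (a numerical risk matrix, likelihood and consequence selections that are independently reviewed before being locked in, comparison against the organisation's thresholds, and priority ordering for treatment), as an added worked example in Python. It is not code from the article or from ISO 31000, which prescribes no particular matrix. The five-level scales, the rating bands, the appetite value of 9 and the sample register entries are all assumptions made for the illustration; an organisation would substitute its own agreed descriptors and cut-offs.

```python
"""Risk matrix scoring and evaluation for an ISO 31000 style risk register.

Added illustration. The numeric scales, the rating bands and the sample
register entries are assumptions for this example, not figures from the
article or from ISO 31000 (which prescribes no particular matrix).
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumed five-level scales. An organisation agrees its own descriptors.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
CONSEQUENCE = {1: "insignificant", 2: "minor", 3: "moderate", 4: "major", 5: "catastrophic"}

# Assumed rating bands on the product likelihood x consequence (1..25).
# Each entry is (upper bound inclusive, label).
BANDS: List[Tuple[int, str]] = [(4, "low"), (9, "medium"), (15, "high"), (25, "extreme")]


@dataclass
class Risk:
    name: str
    objective: str              # the objective the uncertainty affects
    likelihood: int             # 1..5, selected by the risk owner
    consequence: int            # 1..5, selected by the risk owner
    opportunity: bool = False   # True for a positive effect on objectives
    # Independent reviewer's selection; None until the review is recorded.
    reviewer_likelihood: Optional[int] = None
    reviewer_consequence: Optional[int] = None


def _check_level(value: int, scale: dict, what: str) -> int:
    """Reject a selection that is not one of the agreed levels."""
    if value not in scale:
        raise ValueError(f"{what} must be one of {sorted(scale)}, got {value!r}")
    return value


def rating(likelihood: int, consequence: int) -> int:
    """Risk rating read from the matrix: the product of the two levels."""
    return (_check_level(likelihood, LIKELIHOOD, "likelihood")
            * _check_level(consequence, CONSEQUENCE, "consequence"))


def band(score: int) -> str:
    """Map a numeric rating to its qualitative band."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError(f"rating {score} lies outside the matrix")


def needs_reconciliation(risk: Risk, max_gap: int = 1) -> bool:
    """True when no independent review is recorded, or when the owner's and
    the reviewer's selections differ by more than max_gap on either axis.
    A selection must not be locked in while this returns True."""
    if risk.reviewer_likelihood is None or risk.reviewer_consequence is None:
        return True
    return (abs(risk.likelihood - risk.reviewer_likelihood) > max_gap
            or abs(risk.consequence - risk.reviewer_consequence) > max_gap)


def evaluate(register: Iterable[Risk], appetite: int) -> Tuple[List[Risk], List[Risk], List[Risk]]:
    """Risk evaluation against the organisation's appetite (a rating threshold).

    Returns (treat, accept, unreconciled):
      treat         negative risks rated above the appetite, highest rating first
      accept        negative risks within appetite, plus opportunities (which go
                    to forward planning rather than to treatment)
      unreconciled  risks whose selections are not yet independently verified
    """
    treat, accept, unreconciled = [], [], []
    for r in register:
        if needs_reconciliation(r):
            unreconciled.append(r)
            continue
        score = rating(r.likelihood, r.consequence)
        if not r.opportunity and score > appetite:
            treat.append(r)
        else:
            accept.append(r)
    treat.sort(key=lambda r: rating(r.likelihood, r.consequence), reverse=True)
    return treat, accept, unreconciled


# Constructed sample register for the example (not real organisational data).
SAMPLE_REGISTER = [
    Risk("Single supplier of a critical component", "Deliver project on time", 3, 4, False, 3, 4),
    Risk("Staff turnover in the finance team", "Accurate reporting", 4, 2, False, 4, 2),
    Risk("Budget exhausted in month nine", "Annual objectives met", 2, 3, False, 2, 3),
    Risk("Unused funds can be redirected", "Additional objectives", 3, 3, True, 3, 3),
    Risk("Contractor safety incident", "Workers go home safe", 2, 5, False, 4, 5),  # reviewer disagrees
]

if __name__ == "__main__":
    treat, accept, unreconciled = evaluate(SAMPLE_REGISTER, appetite=9)
    for r in treat:
        s = rating(r.likelihood, r.consequence)
        print(f"TREAT   {s:2d} {band(s):8s} {r.name}")
    for r in accept:
        s = rating(r.likelihood, r.consequence)
        print(f"ACCEPT  {s:2d} {band(s):8s} {r.name}")
    for r in unreconciled:
        print(f"REVIEW              {r.name} (owner and reviewer selections differ)")
```

Two design points follow the text rather than the arithmetic: a risk whose owner and independent reviewer disagree by more than one level is held back in the unreconciled list until the selection is debated and agreed, and an opportunity is never placed in the treatment queue, since the appetite threshold only governs negative effects.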

Risk treatment
Risk treatment is about either modifying existing risk control mechanisms or introducing new controls. For negative risks, another term, hazard, needs to be introduced. Negative risks are identified from the harm caused to a person, property or a business objective by hazardous or undesirable situations. Hence, when treating negative risks, the relevant hazards must be treated to control the risks. Treatment of hazards is hierarchical.

Treatment of hazards is done in the order: elimination, engineering controls, administrative controls. If practically possible, hazard elimination is the best action. Engineering controls may lead to hazard isolation or substitution; this only lowers risks to acceptable levels, it does not remove the hazard. Administrative controls are applied only if no other treatment is possible. When this action is taken, the hazard remains and only the human behaviour around it is controlled. Hence, control and supervision measures must be at their best. Within the above hazard treatment hierarchy, risk treatments can be categorised broadly into the following options: preventative controls, corrective controls, directive controls, risk transfer, risk termination and residual risk acceptance.

Monitoring and review

Anything planned and implemented can go wrong, and the same applies to risk management activities. Hence, monitoring of the applied treatments is essential. Corrective actions must be taken continually if the treatment actions do not deliver the intended outcomes. Sometimes a complete review of the risk management process in place may be required, and that may lead to significant adjustments to the risk management framework.

Strategic and operational risk management documentation

Organisations should primarily develop two documents: an enterprise risk management policy and procedure to guide the risk management process, and an enterprise risk management form to record and analyse enterprise risks. When implementing the enterprise risk management process, a number of operational documents are also produced.

A typical list of such documents includes: WHS Policy, WHS Consultation Statement, WHS Management Plan, WHS Committee Constitution, Incident Management Procedure and Reporting Forms, Risk Assessment Form, Safe Work Method Statements, Standard Operating Procedures, Workplace Audit Forms and Hazardous Material Management Plans. It is noted here that in developed countries the terms Occupational Health and Safety (OHS) and Work Health and Safety (WHS) are used interchangeably.

Thoughts for the future

Risk management is a compulsory activity for any organisation. If this activity is not performed to the highest degree, the organisation moves forward with a false sense of security until it reaches a gap between its actual performance parameters and its level of outcome delivery. This prompts it either to turn back or to jump across the gap armed only with emergency tactical plans, without any certainty of success. Only strategically unprofessional organisational leaders would allow their organisations to drift into this kind of uncertainty.

(Eng. Janaka Seneviratne is a Chartered Engineer, a Fellow and an International Professional Engineer of the Institution of Engineers, Sri Lanka, with 30 years of experience as a professional engineer. The author is contactable via

Posted by Thavam