Professional Standards in Risk Management
• Setting standards
• Building capability
• Championing learning and development
• Raising the profile of the risk profession
• Supporting organisational performance
About IRM
IRM is the leading professional body for risk management.
We are an independent, not-for-profit organisation
that champions excellence in managing risk to improve
organisational performance.
IRM does not accept any liability to any party for any loss,
damage or costs howsoever arising, whether directly or
indirectly, whether in contract, tort or otherwise from any
action or decision taken (or not taken) as a result of any
person relying on or otherwise using this document or arising
from any omission from it.
© Institute of Risk Management
A company limited by guarantee. Registered in England number 2009507
Registered Office: 2nd Floor, Sackville House, 143-149 Fenchurch Street,
London, EC3M 6BN
T +44 (0)20 7709 9808
E membership@theirm.org
W www.theirm.org
Contents
About IRM
Building excellence in risk management
Professional Standards Framework
Who are the standards for?
Design principles
The structure of the standards
Career levels
How to use the standards
The standards:
Insights and context
Strategy and performance
Risk management process
Organisational capability
Behavioural Competency Framework
Structure
How to use behavioural competencies
Behavioural competencies:
Courage and confidence
Influence and impact
Integrity, ethics and values
Innovation and catalyst
Building capability
Collaboration and partnering
Building excellence in risk management
As the professional body for risk management, IRM sits at the heart of the risk profession. We lead on developing standards, building skills, cultivating talent and championing learning. We support individuals and organisations to improve their performance through building their risk management capability.

[Figure: IRM activities supporting "Building professional excellence in risk management": Membership, Research, Compliance monitoring, Standards, Continuing professional development, Syllabus & qualifications.]
An Enterprise Risk Management (ERM) approach

All organisations need to take risks at strategic, tactical and operational levels to deliver their objectives. Anything that makes achieving these objectives uncertain is a risk and needs to be managed.

Enterprise Risk Management (ERM) is an integrated approach to managing risks across an organisation. It provides clear frameworks, processes, context and a structure for managing and communicating risk and reward to internal and external stakeholders.

Risk management should be embedded in the general management of an organisation. It should not be practised in isolation, but integrated fully with other functions such as finance, strategy, internal control, procurement, continuity planning, HR and compliance. The degree of this integration will vary depending on an organisation’s size, risk maturity, culture, implementation processes, operating models and external environment.

Organisations have to cope with greater uncertainty in an increasingly volatile and unpredictable world. How well developed an organisation’s approach to ERM is can affect significantly its capability to take robust and informed strategic risk decisions and the achievement of its objectives.

Organisations may have risk specialist functions like insurance, health and safety and business continuity. An ERM approach to risk management brings all these aspects together to create an integrated approach that is clearly aligned with an organisation’s governance and objectives.

Professional Standards Framework

These professional standards reflect an ERM approach to risk management. They have been developed by researching over 30 risk management and associated risk management competency frameworks. IRM has also consulted practitioners, academics and employers extensively. The framework reflects professional expectations of the knowledge, skills and behaviours that are required from those working in risk management.

The professional standards framework is made up of:

• Professional standards – these describe the ‘what’ – the knowledge and skills needed to do the job.
• Behavioural competencies – these describe the ‘how’ – the personal qualities and behaviours needed to do the job well.

The standards and competencies are interlinked, developing relevant behaviours to equip the risk professional to better meet the professional standards.

So, for example, if you have to Advocate risk management as a central part of an organisation’s strategic management (a professional standard) then developing skills in Influence and impact (a behavioural competency) would help you to achieve this.

Together, the standards and competencies provide benchmarks for the skills, experience, qualifications, continuous professional development and behaviours that IRM believes those working in risk should achieve at different stages in their career.
Who are the standards for?

The standards set out what good risk management looks like. They have been designed to be used by risk professionals, but also to be a valuable tool for employers, HR and training professionals, recruiters and regulators. They can be used by individual risk management professionals as a career planning tool and they can also be used by non-risk specialists to improve both their personal and their organisation’s capability in risk management.

Risk management professionals may or may not have responsibility for managing teams. Where they do not directly manage staff, their positions will focus more on influence, rather than management. The professional standards take this variety of roles into account and so can be used by different organisations for different purposes.

The professional standards do not relate to grades or authority levels, but to the achievement of competence.

Every individual and organisation using the standards will make their own judgment about the level at which staff need to be operating. For example, in small or medium-sized organisations, staff responsible for risk management may need to fulfil responsibilities at a higher (and/or lower) level in addition to their main role. For example, a Director of a small or medium-sized organisation will probably need to manage a risk register as well as define risk strategy and policy. On the other hand, large organisations with a dedicated risk management function will have a more structured hierarchy with specified accountabilities at different levels. Organisations will need to decide for themselves how to make best use of the professional standards framework.

The table below summarises how the professional standards can be used.
Design principles

The professional standards have been developed to reflect:

• An enterprise risk management approach, recognising the principles of the global risk management standard, ISO 31000 and other influential and relevant standards.
• The need for risk professionals to have both technical risk management and general business knowledge and skills.
• Different levels of risk maturity within organisations, depending on size, sector and geographical region.
• Aspirations of organisations that wish to raise their risk management standards and capabilities and, where appropriate, develop a risk management function.
• The wide range of variations in job roles between sectors and organisations.
• The need for individuals and employers to adapt standards to roles and responsibilities as organisational strategy and priorities evolve.

The structure of the standards

The standards are structured into four functional areas. Each of these is broken down into risk functional area components:

• Insights and context
  • Risk management principles and practice
  • Organisational environment
  • External operating environment
• Strategy and performance
  • Risk management strategy and architecture
  • Risk management policy and procedures
  • Risk culture and appetite
  • Risk performance and reporting
• Risk management process
  • Risk assessment
  • Risk treatment
• Organisational capability
  • Communication and consultation
  • Change management
  • People management

We then define the required professional standards for each component. These are set out under The standards below.
Career levels

The framework is based around four career levels, rather than specific job roles or titles.

• Leadership level
• Senior level
• Management level
• Support level

Each level encompasses a number of different roles. The table below provides a summary of job roles and expectations at each career level. Knowledge in the standards is accumulated as individuals progress from the Support to the Leadership level.

Different organisations give different seniority to risk roles depending on their size, reach and levels of risk maturity. For example, the person who is responsible for the overall direction of risk management in an organisation may be operating at the Senior level in an SME or local authority, but, in a multinational, they are more likely to be working at Leadership level.

Management level (full knowledge of the concepts and application): Manages and advises on the implementation of risk management processes and procedures and champions its importance.
Job titles*: Risk Management Executive; Risk Management Officer; Risk Management Adviser; Risk Analyst; Risk Consultant.

*The job titles listed are just examples and are not exhaustive.
How to use the standards

• Present proposals to senior management / budget holders
• Define the project team and the implementation / roll out
Functional area: INSIGHTS AND CONTEXT

Uses knowledge of internal and external influences to ensure robust risk management in responsive and agile organisations.

Risk management principles and practice

Relevance of risk management
  Leadership level: Advocates risk management as a central part of an organisation’s strategic management.
  Senior level: Educates an organisation on the probability, nature and scope of risks and opportunities and their likely impact on an organisation.
  Management level: Advises on the selection and implementation of appropriate concepts and processes.
  Support level: Explains different types of risks and possible responses to their treatment.

Tools and techniques
  Leadership level: Ensures resilience is incorporated into organisational strategy.
  Senior level: Builds resilience across an organisation to manage current and future risks, opportunities and uncertainties.
  Management level: Analyses the suitability of the use of risk management tools and techniques and makes recommendations.
  Support level: Explains risk management standards, concepts, theories, processes and approaches to risk management.

Principles of risk management
  Leadership level: Anticipates and influences risk management thinking at a national and/or international level.
  Senior level: Advises on the appropriateness of different approaches to managing risks.
  Management level: Champions the benefits of risk management to stakeholders.
  Support level: Explains the value of risk management.
Organisational environment

Definition: Understanding the internal environment of an organisation and its implications for risk management practices.

Internal ethos
  Leadership level: Advises on the interface between an organisation’s overall vision, mission, objectives, culture and strategy and the risk management strategy.
  Senior level: Assesses the influence of an organisation’s strategic intent, internal context and governance practice on risk management.
  Management level: Promotes the link between an organisation’s vision, mission, objectives, culture, strategy and organisational risk practices.
  Support level: Explains the link between an organisation’s vision, mission and its operational objectives and risk practices.

External operating environment

External relevance
  Leadership level: Influences the impact of risk management across an industry sector and beyond.
  Senior level: Assesses the potential impact of the external environment.
  Management level: Identifies the factors in the external environment that may affect an organisation.
  Support level: Describes the kind of factors in the external environment that may affect an organisation.

External operating context
  Leadership level: Evaluates the strategic alignment of an organisation’s risk management and its external operating environment.
  Senior level: Aligns an organisation’s risk management with its external operating environment.
  Management level: Identifies opportunities within the external environment to maximise reward and minimise risk.
  Support level: Explains the likely impact that external factors may have on an organisation.

Regulatory impact
  Leadership level: Evaluates the implications and limitations of the regulatory environment on an organisation.
  Senior level: Analyses the impact of developments within the regulatory framework.
  Management level: Implements risk management activities to meet regulatory requirements.
  Support level: Describes the regulatory framework within which an organisation operates.
Functional area: STRATEGY AND PERFORMANCE

Develops a risk management strategy to meet organisational needs.

Risk management strategy and architecture

Mandate
  Leadership level: Achieves commitment and ownership from decision makers to a proportionate risk strategy and architecture.
  Senior level: Evaluates the extent to which individual risk strategies are consistent with the overall risk strategy.
  Management level: Explains the purpose and role of a risk management framework, strategy and architecture.
  Support level: Explains the components of a risk management framework, strategy and architecture.

Strategy
  Leadership level: Develops the risk management strategy and approach that optimises risk appetite.
  Senior level: Assigns ownership and levels of authority that comply with the requirements of the strategy.
  Management level: Makes recommendations for improvements to the risk management strategy.
  Support level: Provides management information to support risk strategy development.

Structure
  Leadership level: Establishes a coherent, transparent and rigorous risk governance structure that supports an organisation’s risk strategy.
  Senior level: Ensures consistency between an organisation’s risk management strategy, organisational strategies and its governance structure.
  Management level: Communicates the requirements of the risk governance structure.
  Support level: Describes the features of an effective risk governance structure.
Risk management policy and procedures

Definition: The development and implementation of proportionate risk management policy, guidelines, procedures and action plans.
Policy
  Leadership level: Develops a risk management policy that is consistent with the risk management strategy.
  Senior level: Implements plans and priorities to deliver risk management policy within agreed timescales and budgets.
  Management level: Explains the purpose, role and benefits of embedding risk management policy and procedures into organisational policies and procedures.
  Support level: Explains the purpose of risk management policy and procedures, and its components.

Roles and responsibilities
  Leadership level: Defines risk management accountabilities and methodologies that meet strategic requirements.
  Senior level: Implements risk management policy ensuring that ownership and responsibilities are fulfilled within authority limits.
  Management level: Advises on the appropriate use of methodologies, tools and techniques within the context of the risk policy.
  Support level: Explains the features of methodologies, tools and techniques and their uses.

Resources
  Leadership level: Secures commitment and resources that will enable the implementation of the risk strategy.
  Senior level: Reviews the effectiveness of risk management policy and processes and the use of resources, and makes recommendations.
  Management level: Uses a range of resources to analyse management information to support recommendations for improvements to risk management policies and procedures.
  Support level: Provides management information to support improvements to risk management policies and procedures.

Risk culture and appetite

Risk culture design
  Leadership level: Influences an organisation’s leadership in determining the desired risk culture.
  Senior level: Fosters an organisation’s culture through the design of organisational systems, processes and behaviours.
  Management level: Acts as a role model of the culture expected through personal behaviours and actions.
  Support level: Explains an organisation’s risk culture and acts accordingly.

Risk appetite
  Leadership level: Influences decision makers’ understanding of risk appetite and its implications.
  Senior level: Nurtures the balance between risk taking, risk management and rewards in line with an organisation’s risk appetite.
  Management level: Explains how an organisation establishes its risk appetite and tolerance.
  Support level: Explains the factors that influence people’s perceptions of risk and opportunities and their impact on risk appetite.

Behaviours and values
  Leadership level: Ensures an organisation’s approach to risk management is aligned with its risk maturity and values.
  Senior level: Embeds risk management approaches into organisational values.
  Management level: Carries out reviews of the extent to which risk culture is demonstrated through individual behaviour and operational activities.
  Support level: Identifies the level of risk maturity and its implications for risk culture and appetite.
Risk performance and reporting

Definition: The development and implementation of a risk measurement performance and reporting framework.

Risk reporting systems
  Leadership level: Establishes a comprehensive risk reporting system that is aligned with other organisational performance management structures and processes.
  Senior level: Reports on the strategic and financial impact of risks.
  Management level: Ensures that risk reporting systems operate efficiently.
  Support level: Explains the purpose of measuring and reporting risk performance and the use of technology to support effective risk management.

Risk performance indicators
  Leadership level: Defines organisational Key Risk / Performance Indicators (KRIs/KPIs) for evaluating risk management performance, strategy, processes and controls.
  Senior level: Specifies the design requirements of risk performance reporting systems.
  Management level: Uses analytical tools and techniques to monitor changes to an organisation’s risks and opportunities; updates risk information.
  Support level: Complies with legal, ethical and regulatory requirements in the gathering and recording of risk information.

Risk reporting protocols
  Leadership level: Ensures that risk reporting systems enable effective decision making and are capable of identifying actual and emerging risks.
  Senior level: Reports recommendations for improvements based on systematic analyses of information at agreed intervals.
  Management level: Produces risk management reports, highlighting areas of concern, change, emerging threats and opportunities.
  Support level: Explains the uses of risk information; reports the potential consequences of poor risk reporting.
Functional area: RISK MANAGEMENT PROCESS

Manages the risk management process.
Risk assessment
Definition: The identification, analysis and evaluation of the nature and impact of risks and opportunities.
Risk assessment process
  Leadership level: Defines the approaches to risk identification, analysis and evaluation; establishes the level of investment to be deployed.
  Senior level: Interprets facts, patterns and trends to reach evidence-based decisions on the nature of risks and opportunities.
  Management level: Uses a range of information sources and assessment tools and techniques to identify, analyse and evaluate risks and opportunities.
  Support level: Contributes to the risk assessment process.

Analysis of risk impact
  Leadership level: Scopes the potential impact of aggregated risks and worst case scenarios quantitatively and qualitatively.
  Senior level: Prioritises risks and opportunities in terms of probability, scale, significance, impact and distribution.
  Management level: Explains the range of factors that can influence the perception of risk.
  Support level: Explains how and why to use different risk assessment tools and techniques.

Evaluation of risk consequences
  Leadership level: Evaluates the impact and value of potential strategic risks and opportunities.
  Senior level: Evaluates interdependencies between risks, uncertainties and opportunities, critical failure points and resource implications.
  Management level: Advises on the use of risk assessment tools and techniques.
  Support level: Explains how to display the results of risk assessments.

Risk treatment

Definition: The development, selection and implementation of risk treatment strategies and controls.
Risk treatment and risk appetite
  Leadership level: Ensures an organisation’s approach to the treatment of risk is aligned with its risk appetite and strategy.
  Senior level: Monitors the effectiveness of an organisation’s approaches to risk treatment and makes recommendations.
  Management level: Implements controls to manage identified risks in accordance with risk treatment strategies and budgets.
  Support level: Explains the suitability of different risk response options and control types.

Cost-effective risk treatment
  Leadership level: Determines risk treatment strategies and investment that align with an organisation’s approach to risk management.
  Senior level: Develops, prioritises and resources suitable controls to treat identified risks and manage opportunities.
  Management level: Supervises the quality of risk monitoring and mitigation actions taken, challenging and making interventions when issues arise.
  Support level: Explains the costs and benefits of risk treatment activities.

Business continuity and crisis management
  Leadership level: Integrates business continuity and crisis management within an organisation’s risk management strategies and plans.
  Senior level: Ensures the continuing coordination of business continuity and crisis management strategies and plans with risk management.
  Management level: Collates and analyses management information to support crisis management and business continuity plans and activities.
  Support level: Explains the principles and features of crisis management and business continuity.
Functional area: ORGANISATIONAL CAPABILITY

Develops and manages a skilled, agile and responsive risk organisation.

Communication and consultation

Risk communication procedures
  Leadership level: Establishes an organisation’s approach and infrastructure for communication about risk management.
  Senior level: Identifies media and methods for communicating the risk strategy that align with target groups.
  Management level: Uses agreed media and methods to communicate risk matters.
  Support level: Communicates risk matters to agreed stakeholders, adhering to organisational values and standards.

Risk communication contents
  Leadership level: Promotes the view that risk management is a universal responsibility and acts as a risk champion across an organisation.
  Senior level: Develops risk communication interventions that further relationships with stakeholders and are consistent with organisational values and standards.
  Management level: Provides stakeholders’ feedback on the effectiveness of the risk communication infrastructure and strategy.
  Support level: Ensures that information communicated is accurate and complete, and complies with relevant regulations.
Change management
Definition: The management of risk within strategic and operational change.
Embedding risk responsiveness
  Leadership level: Ensures that risk management is embedded throughout change programmes.
  Senior level: Advises on how to embed risk management throughout an organisation’s change activities.
  Management level: Supports the embedding of risk management throughout an organisation’s change activities.
  Support level: Explains the relationship of change management and risk management.

Developing change plans
  Leadership level: Achieves strategic and cultural change that optimises opportunities and mitigates risk through change programmes.
  Senior level: Develops change plans that support agreed changes to strategies and policies.
  Management level: Implements change plans in a way that minimises disruption to operations.
  Support level: Supports others in managing risks in accordance with their role.

Implementing change
  Leadership level: Promotes the vision for strategic change in line with the risk culture and strategy.
  Senior level: Ensures change-related risks and opportunities are managed proportionately.
  Management level: Assesses the impact of the delivery of change plans, reporting any adverse effect or unexpected opportunities.
  Support level: Contributes positively to tasks relating to implementing change.
People management
Definition: Systematic performance management and skills development to meet strategic needs.
Fulfilling personal objectives
  Leadership level: Provides inspirational leadership that motivates and empowers people to fulfil their objectives.
  Senior level: Provides support that incentivises people to take responsibility for managing risks and opportunities within the limits of their role.
  Management level: Influences the behaviour of others to ensure that risk management objectives and standards are met.
  Support level: Explains the requirements of their own role.

Risk management capability
  Leadership level: Establishes an appropriately resourced structure that is capable of delivering the risk strategy.
  Senior level: Deploys the right mix of competence and expertise to meet strategic and operational imperatives.
  Management level: Supports operational teams and individuals on the practice of risk management.
  Support level: Takes active responsibility for their own personal and professional development.

Risk management competence
  Leadership level: Plans the development of the knowledge and competence of the workforce to meet anticipated risk management requirements.
  Senior level: Develops the knowledge and competence of the workforce for the management of risks and opportunities.
  Management level: Provides risk management support to individuals that enables them to achieve their objectives.
  Support level: Contributes constructively to the achievement of agreed goals and objectives.
Behavioural Competency Framework

The behavioural competency framework represents the behaviours that the profession considers essential to risk management. The framework sets out those personal behaviours (sometimes also known as personal qualities) that are specific to risk management professionals. It excludes reference to other generic frameworks, such as management, which are described elsewhere. This framework can therefore be used in conjunction with other national frameworks and organisation-specific frameworks.

The behavioural competency framework supports the achievement of the professional standards. For example, developing Collaboration and partnering (a behavioural competency) will contribute to the achievement of Builds productive relationships with stakeholders through effective communication and consultation (a professional standard).

Structure

There are six behavioural competencies:

1. Courage and confidence
2. Influence and impact
3. Integrity, ethics and values
4. Innovation and catalyst
5. Building capability
6. Collaboration and partnering

Each behavioural competence comprises three components:

• A brief definition
• Positive descriptors
• Negative descriptors

Users of the competencies will therefore be able to see at a glance the desired behaviours and, at the same time, understand what constitutes unacceptable behaviour.

The behavioural competencies are described in terms of observable behaviours. Users should seek evidence to support their decisions as to whether the competencies have been achieved or not achieved. This includes both individuals who are appraising themselves against the framework and others such as recruiters and managers.

In considering how well someone has exhibited the desired behaviours you may wish to rate them as:

• Exceeding requirements
• Meeting requirements
• Not meeting requirements

How to use the behavioural competencies

The behavioural competencies apply to all risk management professionals. However, in choosing which competencies to work with, users need to take into account the following considerations:

• The different roles within risk management
• The level at which an individual is operating
• The size and structure of an organisation
• Current demands of the user’s role
• Known future changes in an organisation’s business, structure and priorities, and those of the role
• The user’s personal priorities and preferences (e.g. sectoral or risk discipline)

Depending on the level at which a user is operating, each competence may relate in whole or in part to that individual. For example, in Influence and impact, Leaders would be expected to exhibit all the positive descriptors. However, at the Support level, it may be that only some descriptors are relevant. As a minimum, all Support level users would be expected to exhibit the following behaviours:

• Adapts communication and behaviour according to the audience/readership
• Uses knowledge and experience to influence others
• Structures the message and expresses him or herself clearly, concisely and assertively so that others can understand the implications of an issue

Conversely, while Support level users would not be expected to exhibit the other behaviours in this competence (listed below), it will be helpful for them to know that, as they progress their careers, proficiency against the following behaviours would be expected of them at the higher level:

• Builds “behind the scenes” support for ideas
• Captures the attention of the audience/reader by fluent and convincing communication, appealing to stakeholders’ needs, perspectives and key wins
• Identifies linkages, relationships and power structures, and plays to decision makers
Behavioural competencies

1 COURAGE AND CONFIDENCE
Standing by your convictions despite adversity.

2 INFLUENCE AND IMPACT
Inspiring others to understand the value of risk management.

3 INTEGRITY, ETHICS AND VALUES
Upholding and living the values of an organisation and industry.

4 INNOVATION AND CATALYST
Striving constantly to lead the development of creative solutions.

5 BUILDING CAPABILITY
Facilitating others to achieve positive outcomes.

6 COLLABORATION AND PARTNERING
Engaging with stakeholders to deliver results.
www.theirm.org