The IRM India- A Risk Management Standard

Risk Management Standard

This Risk Management Standard is the result of work by a team drawn from the major r isk management organisations in the UK, including the Institute of Risk management (IRM).

In addition, the team sought the views and opinions of a wide range of other professional bodies with interests in r isk management, dur ing an extensive per iod of consultation.

Risk management is a rapidly developing discipline and there are many and var ied views and descr iptions of what r isk management involves, how it should be conducted and what it is for. Some for m of standard is needed to ensure that there is an ag reed:

• ter minology related to the words used

• process by whic h r isk management can be carr ied out

• organisation structure for r isk management

• objective for r isk management

Impor tantly, the standard recognises that r isk has both an upside and a downside

Risk management is not just something for cor porations or public organisations, but for any activity whether shor t or long ter m. The benefits and oppor tunities

should be viewed not just in the context of the activity itself but in relation to the many and var ied stakeholder s who can be affected.

There are many ways of achieving the objectives of r isk management and it would be impossible to tr y to set them all out in a single document. Therefore it was never intended to produce a prescr iptive standard which would have led to a box ticking approach nor to establish a cer tifiable process. By meeting the var ious component par ts of this standard, albeit in different ways, organisations will be in a position to repor t that they are in compliance. The standard represents best practice against which organisations can measure themselves.

The standard has wherever possible used the ter minology for r isk set out by the Inter national Organization for Standardization (ISO) in its recent document ISO/IEC Guide 73 Risk Management - Vocabular y - Guidelines for use in standards.

In view of the rapid developments in this area the author s would appreciate feedback from organisations as they put the standard into use (addresses to be found on the back cover of this Guide). It is intended that regular modifications will be made to the standard in the light of best practice

1. Risk

Risk can be defined as the combination of the probability of an event and its consequences (ISO/IEC Guide 73).

In all types of under taking, there is the potential for events and consequences that constitute oppor tunities for benefit (upside) or threats to success (downside).

Risk Management is increasingly recognised as being concer ned with both positive and

negative aspects of r isk. Therefore this standard considers r isk from both perspectives.

In the safety field, it is generally recognised that consequences are only negative and therefore the management of safety r isk is focused on prevention and mitigation of har m.

2. Risk Management

Risk management is a central par t of any organisation’s strateg ic management. It is the process whereby organisations methodically address the r isks attaching to their activities with the goal of achieving sustained benefit within each activity and across the por tfolio of all activities.

The focus of good r isk management is the identification and treatment of these r isks. Its objective is to add maximum sustainable value to all the activities of the organisation. It mar shals the under standing of the potential upside and downside of all those f actor s which can affect the organisation. It increases the probability of success, and reduces both the probability of f ailure and the uncer tainty of achieving the organisation’s overall objectives.

Risk management should be a continuous and developing process which r uns throughout the organisation’s strategy and the implementation of that strategy. It should address methodically all the r isks sur rounding the organisation’s activities past, present and in par ticular, future.

It must be integ rated into the culture of the organisation with an effective policy and a prog ramme led by the most senior management. It must translate the strategy into tactical and operational objectives, assigning responsibility throughout the organisation with each manager and employee responsible for the management of r isk as par t of their job descr iption. It suppor ts accountability, perfor mance measurement and reward, thus promoting operational efficiency at all levels.

2.1 Exter nal and Inter nal Factors

The r isks f acing an organisation and its operations can result from f actor s both exter nal and inter nal to the organisation.

The diag ram overleaf summar ises examples of key r isks in these areas and shows that some specific r isks can have both exter nal and inter nal dr iver s and therefore overlap the two areas. They can be categor ised fur ther into types of r isk such as strateg ic, financial, operational, hazard, etc.

A Risk Management Standard

Examples of the Drivers of Key Risks

The Risk

a

capital and resources

non essential

decision making, planning

ior itisation

of business

volatility and project

tunity/threat

ibuting to more efficient

enhancing

3. Risk Assessment

Risk Assessment is defined by the ISO/ IEC Guide 73 as the overall process of r isk

4. Risk Analysis

4.1 Risk Identification

Risk identification sets out to identify an organisation’s exposure to uncertainty. This requires an intimate knowledge of the organisation, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as the development of a sound understanding of its strategic and operational objectives, including factors cr itical to its success and the threats and opportunities related to the achievement of these objectives.

Risk identification should be approached in a methodical way to ensure that all significant activities within the organisation have been identified and all the r isks flowing from these activities defined. All associated volatility related to these activities should be identified and categor ised.

Business activities and decisions can be classified in a range of ways, examples of which include:

• Strategic - These concer n the long-ter m strategic objectives of the organisation. They can be affected by such areas as capital availability, sovereign and political r isks, legal and regulatory changes, reputation and changes in the physical environment.

• Operational - These concer n the day-today issues that the organisation is confronted with as it str ives to deliver its strategic objectives

analysis and r isk evaluation. (See appendix)

• Financial - These concer n the effective management and control of the finances of the organisation and the effects of exter nal factors suc h as availability of credit, foreign exc hange rates, interest rate movement and other market exposures

• Knowledge management - These concer n the effective management and control of the knowledge resources, the production, protection and communication thereof Exter nal factors might inc lude the unauthor ised use or abuse of intellectual proper ty, area power failures, and competitive technology. Internal factors might be system malfunction or loss of key staff.

• Compliance - These concer n suc h issues as health & safety, environmental, trade descr iptions, consumer protection, data protection, employment practices and regulator y issues

Whilst r isk identification can be car r ied out by outside consultants, an in-house approach with well communicated, consistent and co-ordinated processes and tools (see Appendix, page 14) is likely to be more effective. In-house ‘owner ship’ of the r isk management process is essential.

4.2 Risk Description

The objective of r isk descr iption is to display the identified r isks in a str uctured for mat, for example, by using a table. The r isk descr iption table overleaf can be used to f acilitate the descr iption and assessment

of r isks. The use of a well designed structure is necessar y to ensure a comprehensive r isk identification, descr iption and assessment process. By consider ing the consequence and probability of each of the r isks set out in the table, it should be possible to pr ior itise the key r isks that need to be analysed in more

detail. Identification of the r isks associated with business activities and decision making may be categor ised as strateg ic, project/ tactical, operational. It is important to incor porate r isk management at the conceptual stage of projects as well as throughout the life of a specific project.

1 Name of Risk

2. Scope of Risk

3 Nature of Risk

4. Stakeholder s

5. Quantification of Risk

6 Risk Tolerance/ Appetite

Qualitative descr iption of the events, their size, type, number and dependencies

Eg. strateg ic, operational, financial, knowledge or compliance

Stakeholder s and their expectations

Significance and Probability

Loss potential and financial impact of r isk Value at r isk

Probability and size of potential losses/gains Objective(s) for control of the r isk and desired level of perfor mance

7 Risk Treatment & Control Mechanisms

8 Potential Action for Improvement

9. Strategy and Policy Developments

4.3 Risk Estimation

Pr imar y means by which the r isk is cur rently managed Levels of confidence in existing control

Identification of protocols for monitor ing and review Recommendations to reduce r isk

Identification of function responsible for developing strategy and policy

Examples are g iven in the tables overleaf .

Risk estimation can be quantitative, semiquantitative or qualitative in ter ms of the probability of occur rence and the possible consequence

For example, consequences both in ter ms of threats (downside r isks) and oppor tunities (upside r isks) may be high, medium or low (see table 4.3.1). Probability may be high, medium or low but requires different definitions in respect of threats and oppor tunities (see tables 4.3.2 and 4.3.3).

Different organisations will find that different measures of consequence and probability will suit their needs best.

For example many organisations find that assessing consequence and probability as high, medium or low is quite adequate for their needs and can be presented as a 3 x 3 matr ix.

Other organisations find that assessing consequence and probability using a 5 x 5 matr ix g ives them a better evaluation.

Table 4.3.1 Consequences - Both Threats and Opportunities

High Financial impact on the organisation is likely to exceed £x

Significant impact on the organisation’s strategy or operational activities

Significant stakeholder concer n

Medium Financial impact on the organisation likely to be between £x and £y

Moderate impact on the organisation’s strategy or operational activities

Moderate stakeholder concer n

Low Financial impact on the organisation likely to be less that £y

Low impact on the organisation’s strategy or operational activities

Low stakeholder concer n

Table 4.3.2 Probability of Occurrence - Threats

Estimation

High (Probable)

Descr iption

Likely to occur each year or more than 25% chance of occur rence.

Indicator s

Potential of it occur r ing several times within the time per iod (for exampleten year s).

Has occur red recently

Medium (Possible)

Likely to occur in a ten year time per iod or less than 25% chance of occur rence.

Could occur more than once within the time per iod (for example - ten year s). Could be difficult to control due to some exter nal influences.

Is there a histor y of occur rence?

Low (Remote)

Not likely to occur in a ten year per iod or less than 2% chance of occur rence

Has not occur red. Unlikely to occur.

Table

Estimation

High (Probable)

Probability of Occurrence - Opportunities

Descr iption

Favourable outcome is likely to be achieved in one year or better than 75% chance of occur rence

Indicator s

Clear oppor tunity which can be relied on with reasonable cer tainty, to be achieved in the shor t ter m based on cur rent management processes.

Medium (Possible)

Reasonable prospects of f avourable results in one year of 25% to 75% chance of occur rence.

Low (Remote)

Some chance of f avourable outcome in the medium ter m or less than 25% chance of occur rence.

4.4 Risk Analysis methods and techniques

A range of techniques can be used to analyse r isks. These can be specific to upside or downside r isk or be capable of dealing with both. (See Appendix, page 14, for examples).

4.5 Risk Profile

The result of the r isk analysis process can be used to produce a r isk profile which g ives a significance rating to each r isk and provides a tool for pr ior itising r isk

5. Risk Evaluation

When the r isk analysis process has been completed, it is necessar y to compare the estimated r isks against r isk cr iter ia which the organisation has established. The r isk cr iter ia may include associated costs and benefits, legal requirements, socio-

Oppor tunities which may be achievable but which require careful management. Oppor tunities which may ar ise over and above the plan.

Possible oppor tunity which has yet to be fully investigated by management. Oppor tunity for which the likelihood of success is low on the basis of management resources cur rently being applied.

treatment effor ts. This ranks each identified r isk so as to g ive a view of the relative impor tance.

This process allows the r isk to be mapped to the business area affected, descr ibes the pr imar y control procedures in place and indicates areas where the level of r isk control investment might be increased, decreased or reappor tioned.

Accountability helps to ensure that ‘ owner ship’ of the r isk is recognised and the appropr iate management resource allocated.

economic and environmental f actor s, concer ns of stakeholder s, etc. Risk evaluation therefore, is used to make decisions about the significance of r isks to the organisation and whether each specific r isk should be accepted or treated.

6. Risk Reporting and Communication

Different levels within an organisation need different infor mation from the r isk management process.

The Board of Director s should:

• know about the most significant r isks facing the organisation

• know the possible effects on shareholder value of deviations to expected perfor mance ranges

• ensure appropr iate levels of awareness throughout the organisation

• know how the organisation will manage a cr isis

• know the impor tance of stakeholder confidence in the organisation

• know how to manage communications with the investment community where applicable

• be assured that the r isk management process is working effectively

• publish a c lear r isk management policy cover ing r isk management philosophy and responsibilities

Business Units should:

• be aware of r isks whic h fall into their area of responsibility, the possible impacts these may have on other areas and the consequences other areas may have on them

• have perfor mance indicators whic h allow them to monitor the key business and financial activities, progress towards objectives and identify developments whic h require inter vention (e.g. forecasts and budgets)

• have systems whic h communicate var iances in budgets and forecasts at appropr iate frequency to allow action to be taken

• repor t systematically and promptly to senior management any perceived new r isks or failures of existing control

measures

Individuals should:

• understand their accountability for individual r isks

• understand how they can enable continuous improvement of r isk management response

• understand that r isk management and r isk awareness are a key par t of the organisation’s culture

• repor t systematically and promptly to senior management any perceived new r isks or failures of existing control

measures

6.2 Exter nal Reporting

A company needs to repor t to its stakeholder s on a regular basis setting out its r isk management policies and the effectiveness in achieving its objectives.

Increasingly stakeholder s look to organisations to provide evidence of effective management of the organisation’s non-financial perfor mance in such areas as community aff air s, human r ights, employment practices, health and safety and the environment.

Good cor porate gover nance requires that companies adopt a methodical approach to r isk management which:

• protects the interests of their stakeholders

• ensures that the Board of Directors disc harges its duties to direct strategy, build value and monitor perfor mance of the organisation

• ensures that management controls are in place and are perfor ming adequately

The ar rangements for the for mal repor ting of r isk management should be clearly stated and be available to the stakeholder s.

The for mal repor ting should address:

• the control methods - par ticularly management responsibilities for r isk management

• the processes used to identify r isks and how they are addressed by the r isk management systems

• the pr imar y control systems in place to manage significant r isks

• the monitor ing and review system in place

Any significant deficiencies uncovered by the system, or in the system itself , should be repor ted together with the steps taken to deal with them.

7. Risk Treatment

Risk treatment is the process of selecting and implementing measures to modify the r isk. Risk treatment includes as its major element, r isk control/mitigation, but extends fur ther to, for example, r isk avoidance, r isk transfer, r isk financing, etc

NOTE: In this standard, r isk financing refers to the mec hanisms (eg insurance programmes) for funding the financial consequences of r isk. Risk financing is not generally considered to be the provision of funds to meet the cost of implementing r isk treatment (as defined by ISO/IEC Guide 73; see page 17).

Any system of r isk treatment should provide as a minimum:

• effective and efficient operation of the organisation

• effective inter nal controls

• compliance with laws and regulations.

The r isk analysis process assists the effective and efficient operation of the organisation by identifying those r isks which require attention by management. They will need to pr ior itise r isk control actions in ter ms of their potential to benefit the organisation.

Effectiveness of inter nal control is the deg ree to which the r isk will either be eliminated or reduced by the proposed control measures.

Cost effectiveness of inter nal control relates to the cost of implementing the control compared to the r isk reduction benefits expected.

The proposed controls need to be measured in ter ms of potential economic effect if no action is taken ver sus the cost of the proposed action(s) and invar iably require more detailed infor mation and assumptions than are immediately available

Fi r stl y, the cost of implementation has t o be esta blished. This has to be calculate d with some accuracy since it quickl y becomes the baseline against which cos t effect iveness is measu red. The loss to b e expected if no action is ta ken must als o be estimated and by compa r ing th e results, management can decide whethe r or not to implement the r isk cont ro l measu res

Compliance with laws and regulations is not an option. An organisation must under stand the applicable laws and must implement a system of controls to achieve

compliance. There is only occasionally some flexibility where the cost of reducing

a r isk may be totally dispropor tionate to that r isk.

One method of obtaining financial protection against the impact of r isks is through r isk financing which includes insurance. However, it should be recognised that some losses or elements of a loss will be uninsurable eg the uninsured costs associated with work-related health, safety or environmental incidents, which may include damage to employee morale and the organisation’s reputation.

8. Monitoring and Review of the Risk Management Process

Effective r isk management requires a repor ting and review str ucture to ensure that r isks are effectively identified and assessed and that appropr iate controls and responses are in place. Regular audits of policy and standards compliance should be car r ied out and standards perfor mance reviewed to identify oppor tunities for improvement. It should be remembered that organisations are dynamic and operate in dynamic environments. Changes in the organisation and the environment in which it operates must be identified and appropr iate modifications made to systems.

The monitor ing process should provide assurance that there are appropr iate controls in place for the organisation’s activities and that the procedures are understood and followed

Changes in the organisation and the environment in which it operates must be identified and appropr iate changes made to systems.

Any monitor ing and review process should also deter mine whether :

• the measures adopted resulted in what was intended

• the procedures adopted and infor mation gathered for under taking the assessment were appropr iate

• improved knowledge would have helped to reac h better decisions and identify what lessons could be lear ned for future assessments and management of r isks

9. The Structure and Administration of Risk Management

An organisation’s r isk management policy should set out its approach to and appetite for r isk and its approach to r isk management. The policy should also set out responsibilities for r isk management throughout the organisation.

Fur ther more, it should refer to any legal requirements for policy statements eg. for Health and Safety.

Attaching to the r isk management process is an integ rated set of tools and techniques for use in the var ious stages of the business process. To work effectively, the r isk management process requires:

• commitment from the c hief executive and executive management of the organisation

• assignment of responsibilities within the organisation

• allocation of appropr iate resources for training and the development of an enhanced r isk awareness by all stakeholders.

The Board has responsibility for deter mining the strateg ic direction of the organisation and for creating the environment and the str uctures for r isk management to operate effectively.

This may be through an executive g roup, a non-executive committee, an audit committee or such other function that suits the organisation’s way of operating and is capable of acting as a ‘sponsor’ for r isk management.

The Board should, as a minimum, consider, in evaluating its system of inter nal control:

• the nature and extent of downside r isks acceptable for the company to bear within its par ticular business

• the likelihood of suc h r isks becoming a reality

• how unacceptable r isks should be managed

• the company’s ability to minimise the probability and impact on the business

• the costs and benefits of the r isk and control activity under taken

• the effectiveness of the r isk management process

• the r isk implications of board decisions

This includes the following:

• the business units have pr imar y responsibility for managing r isk on a dayto-day basis

• business unit management is responsible for promoting r isk awareness within their operations; they should introduce r isk management objectives into their business

• r isk management should be a regular management-meeting item to allow consideration of exposures and to repr ior itise work in the light of effective r isk analysis

• business unit management should ensure that r isk management is incor porated at the conceptual stage of projects as well as throughout a project

Depending on the size of the organisation the r isk management function may range from a single r isk champion, a par t time r isk manager, to a full scale r isk management depar tment. The role of the Risk Management function should include the following:

• setting policy and strategy for r isk management

• pr imar y c hampion of r isk management at strategic and operational level

• building a r isk aware culture within the organisation inc luding appropr iate education

• establishing inter nal r isk policy and structures for business units

• designing and reviewing processes for r isk management

• co-ordinating the var ious functional activities whic h advise on r isk management issues within the organisation

• developing r isk response processes, inc luding contingency and business continuity programmes

• prepar ing repor ts on r isk for the board and the stakeholders

The role of Inter nal Audit is likely to differ from one organisation to another. In practice, Inter nal Audit’s role may include some or all of the following:

• focusing the inter nal audit work on the significant r isks, as identified by management, and auditing the r isk

management processes across an organisation

• providing assurance on the management of r isk

• providing active suppor t and involvement in the r isk management process

• facilitating r isk identification/assessment and educating line staff in r isk management and inter nal control

• co-ordinating r isk repor ting to the board, audit committee, etc

In deter mining the most appropr iate role for a par ticular organisation, Inter nal Audit should ensure that the professional requirements for independence and objectivity are not breached.

The resources required to implement the organisation’s r isk management policy should be clearly established at each level of management and within each business unit.

In addition to other operational functions they may have, those involved in r isk management should have their roles in coordinating r isk management policy/strategy clearly defined. The same clear definition is also required for those involved in the audit and review of inter nal controls and f acilitating the r isk management process.

Risk management should be embedded within the organisation through the strategy and budget processes. It should be highlighted in induction and all other training and development as well as within operational processes e.g. product/ser vice development projects.

ming

Business studies whic h look at eac h

process and descr ibe

nal processes and exter nal factors

h can influence those

Industr y benc hmarking

Scenar io analysis

Risk assessment workshops

Incident investigation

Auditing and inspection

HAZOP (Hazard & Operability Studies)

Upside risk

Market sur vey

marketing

h

Development

impact analysis

Both

Dependency modelling

analysis (Strengths, Weaknesses, Oppor tunities, Threats)

Event tree analysis

Business continuity planning

BPEST (Business, Political, Economic, Social, Tec hnological) analysis

Real Option Modelling

Decision taking under conditions of r isk and uncer tainty

Statistical inference

Measures of central tendency and dispersion

(Political Economic Social Tec hnical Legal Environmental)

Downside risk

Threat analysis

Fault tree analysis

FMEA (Failure Mode & Effect Analysis)