Risk Management Overview
This risk management blog has been created to simplify the risk management process and align it to the ISO 31000:2018 standard.
It is not expected that this blog will provide an answer to every question or situation, but will give you a good understanding of the overall process.
This blog comprises key stages and provides a guide of the steps and tools you will need, as you progress through each stage.
Key Questions
• Why is it important to identify risks? – So that you can effectively manage business activities & protect against any undue circumstances which would affect your enterprise.
• What will trigger a risk? – Any change or new event that exposes your enterprise to any unforeseen risk.
• What level of risk should we be considering? – This depends on the activity, and you should use the risk management policy as a guide to inform you on this.
• What if someone else has identified it? – Due to the size and complex nature of your enterprise there will be instances where multiple people will be involved, in this situation it is important for all teams to collaborate and share information.
What Is Risk Management?
Risk management is the coordination of activities to direct and control an organisation with regard to risk.
One of the key objectives is that risk management must be pragmatic and practical. To support this objective this blog has been developed to help you in the process of risk management.
Why Do We Need Risk Management?
Risk Management has a wide variety of benefits, some of these are:
• Increasing the range of opportunities you effectively manage, to secure positive outcomes;
• Improved management and increased outcomes of your projects;
• Better management of contracts;
• Reduction in performance variability;
• Focused and effective use of resources;
• Greater confidence on delivering successful initiatives;
• Proactive approach to risk management and how it supports RMIT’s strategic objectives;
• Business sustainability, supporting a sustainable growth approach to business; and
• Identification and management of our enterprise risks.
ISO 31000:2018 has three critical elements:
The first critical element of ISO 31000:2018 is its principles.
The overarching purpose of risk management is to create, maintain, increase, and protect value.
Value has many dimensions and elements.
- Value is the ability to meet organizational goals and objectives.
- Value involves maximizing opportunities where upside risks can be exploited.
- Value results from performance enhancement.
- Value can result from mergers and acquisitions.
The Eight principles are:
Integrated. Risk management is part of all problem solving and decision making within the organization. Risk management is also part of all processes and functions.
Structure and comprehensive. Risk management is consistent and logical so that outcomes can be known and objectives are achieved.
Customized. Risk management framework and process are tailored to the organizational context.
Inclusive. Risk management involves and considers the opinions and knowledge of all critical stakeholders and interested parties. The result is better Risk Based Problem Solving and Risk Based Decision Making.
Dynamic. Risk management considers risks can emerge or change due to uncertainty based on the organization’s context and environment. Risk management identifies and treats these risks and events in a structured and timely way.
Best available information. Risk management is based on actionable and current information so accurate decisions can be made. Risk management considers the context, circumstances, limitations, and quality of information. Information to make decisions must be accurate and reliable.
Human and cultural factors. Risk management considers cultural and behavioral factors at following levels: 1. Enterprise; 2. Programmatic/Project/Process level; 3. Transactional/Product level. Risk
management considers these factors throughout the duration of a project or activity.
Continual improvement. Risk management is continuously enhanced through lessons learned and experiences that are fed back into the risk management systems.
The second critical element of ISO 31000:2018 is the risk management framework.
The purpose of the framework is to guide an organization in integrating risk management into all functions, risk problem solving, and decision making processes.
If the above have been achieved, then risk management is effective, efficient, and economic.
Effectiveness is measured in terms of how well risk management is integrated into an organization’s governance and compliance. Executive management is the key driver for the effectiveness.
Critical features for the framework involve:
Risk management is integrated into all organizational areas including the supply chain.
Risk management is designed according to risk principles tailored to the organizational context.
Risk management implementation is also based on the context of the organization. Controls and treatment are designed based on the culture in context.
Risk management effectiveness is evaluated in each element of the risk process.
Risk management is an ongoing process and is continually improved so it adds value to the organization and its stakeholders.
Organization evaluates current risk management practices, activities common processes, and develops a plan to improve its processes. Gap analysis compares current risk management practices against ‘to be’ practices.
Gap analysis identifies subsequent risk management improvement opportunities by closing the gaps.
The framework and each of its elements work together and are tailored to the needs of the organizations, stakeholders, and context.
Risk Management Process
The risk management process comprises of the following components:
Identify
The identification stage focuses on identifying the risk and what you need to consider in this process. Clearly defining and describing the risk is the most critical stage as all following stages build on this foundation.
Analyse
Once we have identified the risks, we need to analyse them, such as what measures are already in place to manage the risk, the effect and reliability, how does the risk align with your policy and any other data available.
Evaluate
After you have a better understanding of the risk and the potential impact positively and/ or negatively to your intended outcomes , it’s now time to decide if further treatments are needed.
If no further treatments are needed then proceed to monitor and communicate.
Treat
If you decide to further manage the risk, it’s now time to develop the risk management action plan and treatments that you have identified to mitigate or eliminate the risk. In this process you also need to identify your review and monitoring schedule to ensure the risk is continually managed.
Monitor and Communicate
The purpose of the Monitor component is to improve on the quality and effectiveness of each risk but also, to ensure that each risk is known and accounted for.
The Communicate component is to assist relevant stakeholders in understanding risks and ensuring relevant stakeholders are involved in the decision-making process.