IMPLEMENTATION OF A RISK MANAGEMENT FRAMEWORK



HOW TO IMPLEMENT A RISK MANAGEMENT FRAMEWORK
After the risk management framework (or framework document) has been successfully established, an organization has to start implementing it. An organization should ensure that the risk management concept is embedded from the planning process onwards. Implementing the risk management framework means carrying out all the procedural components of the framework, especially by conducting the risk management process.

At this stage the following should be done:
i. Prepare a risk management implementation plan.
ii. Align the risk management process with the strategic planning process.
iii. Conduct the risk management process (i.e. establishing the context, risk assessment, risk treatment, communicating and consulting, and monitoring and reviewing).
iv. Report on the implementation of risk treatment action plans and progress.



Preparation of a Risk Management Implementation Plan
Prepare a risk management implementation action plan through the normal planning processes. The risk management plan should set out how you will implement your risk management framework and policy. The focus of the plan should be to integrate risk management into your organization’s management systems.

The plan should be simple, but should clearly outline the activities associated with pursuing your risk management strategy. It should include:
i. Roles, accountabilities and responsibilities.
ii. Timeframes for risk management activities.
iii. Resourcing requirements (e.g. finances, people, IT and physical assets).
iv. Capacity building, training and development issues.
v. Performance measures.
vi. The review processes.

Since the aim is to involve all staff in relevant risk management activities, full implementation of an organization’s risk management plan may take some time; it may take years rather than months to reach a high level of maturity. Progress against the plan should be monitored regularly. The Board has the overall responsibility for approving the organization’s risk management plan.




Linking the Risk Management Process with the Planning Process of an Organization
Since the purpose of risk management is to deal with the uncertainty associated with the achievement of objectives, there is an intrinsic link between planning and risk management. The risk management process must therefore be embedded into the strategy development and planning process.

The risk management implementation action plan may cover the following plans (depending on the size and complexity of your organization):
i. Organization’s strategic plan.
ii. Functional plans, such as those for human resource management, asset management and financial management.
iii. Activity plans, such as those for procurement, communications, information management, work health and safety, and security.
iv. Divisional business plans, such as regional service delivery plans.
v. Project plans.
vi. Individual work plans.


The extent of such linkage depends on the level at which you choose to conduct the risk management process in your organization (e.g. at the strategic, functional or operational level).

If you develop an integrated hierarchy of plans and risk assessments, you can optimize the benefits of both planning and risk management, which can help ensure risks are managed at the appropriate level in your organization.

The best way to do this is to conduct the strategic planning process and the risk assessment process as a parallel exercise, so that when strategic objectives and their implementing strategies and activities are formulated, the risks to those objectives are also identified and assessed, and treatment and control activities are planned alongside the strategy implementation activities.




Allocation of Appropriate Resources for Risk Management
An organization’s resources (funds, human resources, time) should be allocated to various areas, including the following:
i. Training on risk management (internally and externally).
ii. Risk assessment activities (e.g. workshops).
iii. Meetings relating to risk management issues.
iv. Implementation of risk treatment activities as suggested in the risk register (this is particularly important since most risk treatment activities have budget implications; the best way to handle this is by linking the risk assessment process with the planning process, as suggested above).



Conducting the Risk Management Process

The risk management process is conducted by carrying out the procedures stipulated in the organization’s risk management policy and procedures.

These procedures are expected to be in accordance with the elements of the risk management process given by an international standard, in this case ISO 31000:2009. The risk management process involves the following:
i. Establishing the context.
ii. Conducting risk assessment (i.e. risk identification, analysis and evaluation).
iii. Planning and implementing risk treatments.
iv. Communicating and consulting.
v. Monitoring and reviewing.



Establish Context
Establishing the context is concerned with three important aspects:
i. Understanding the background of the organization and its risks.
ii. Scoping the risk management activities being undertaken.
iii. Developing a structure for the risk management tasks to follow.

The objective of this step is to provide a comprehensive appreciation of all the factors that may have an influence on the ability of the organization to achieve its intended results.

The result is a concise statement of the organizational objectives and specific criteria for success, the objectives and scope for risk management, and a set of key elements for structuring the risk identification activity in the next stage.

This process requires the following key steps:

i. Understand your external context
  1. The external context defines the external environment in which the organization operates.
  2. Understanding the external context is important to ensure that stakeholders and their objectives are considered when developing risk management criteria, and that externally generated threats and opportunities are captured during the risk identification step.

ii. Understand your internal context
  1. Understanding the organization is required before commencing any risk management activity, at any level.
  2. Understanding the internal context is important because:
Ø  Risk management takes place in the context of the goals and objectives of the organisation.
Ø  The major risk for most organizations is that they fail to achieve their strategic, business or project objectives, or are perceived to have failed by stakeholders.
Ø  Organizational objectives, policies and processes help define the organization’s risk management policy, and the specific objectives and criteria of a project.

iii. Develop your risk management context
  1. After understanding the internal and external context, the next step is to develop the risk management context for the organization.
  2. It is recommended to take the following into consideration when developing the risk management context:
Ø  Objectives and strategies for risk management.
Ø  Scope, i.e. the parts of the organization where you apply the risk management process (e.g. strategic level only, directorates, departments, units, etc.).
Ø  Resources required.
  3. The outcome of this step is to ensure that the risk management approach adopted is appropriate and proportionate to the situation of the organization and to the risks affecting the achievement of its objectives.

iv. Set your Risk Appetite
  1. Risk appetite is the amount of risk that your organisation is willing to accept in pursuit of its objectives.
  2. The risk appetite will need to be re-evaluated:
Ø  As part of the annual strategy planning cycle and objective-setting processes.
Ø  When significant changes are made to the organisation.
Ø  When changes are made to the overall strategy and objectives.
Ø  With changes in the political and economic landscape.
Ø  With changes in the expectations and risk preferences of key stakeholders.
  3. Risk appetite is developed at the entity level by top management.
  4. Once approved, it is the responsibility of the Board and the top management team to communicate the organization’s risk appetite to staff and key stakeholders (as deemed necessary).

See the table below for examples of risk appetite statements.
Table: Example of Risk Appetite Statements

Risk appetite category: risk appetite example
Strategic: Our organisation will accept a moderate degree of risk in pursuing a new strategic initiative that is in alignment with our organisation’s long-term goals.
Operations: Our organisation will accept a minimal level of skilled personnel turnover given the nature of its sector.
Reporting: Our organisation will not accept any deviation from financial reporting policies and procedures.
Compliance: Our organisation will not tolerate non-compliance with any legal or regulatory requirement.

v. Determine your Risk Tolerance
  1. You need to determine the level at which your agency is prepared to accept or tolerate a specific risk without developing further strategies to modify the level of risk.
  2. This is generally a decision for an organisation’s executive and will depend on the organisation’s internal and external context, including such factors as:
  • The nature of the services that your agency delivers.
  • Your operating environment.
  • Your legal and public sector obligations.
  • The type of consequence from the risk (e.g. to reputation, finances, safety, service delivery).
  • Internal and external stakeholders, their perceptions of risk and how much risk they are prepared to allow an organisation to accept.

The table below presents an example of how risks can be classified into tolerable levels.
Table: Risk Tolerance Table

Response: Action required (Unacceptable risks)
Threat: Threats that your organisation cannot tolerate at their current levels because their consequences, coupled with their likelihood, are unacceptably high.
Opportunity: Opportunities whose positive consequences, coupled with their likelihood, are so large that your organisation must pursue them because it cannot afford to forgo the benefits associated with them.

Response: Potential action
Threat: Threats that your organization is prepared to tolerate at their current levels if the costs associated with implementing additional control measures outweigh the associated benefits.
Opportunity: Opportunities that your organization may wish to pursue, as the benefits outweigh the costs associated with implementing the strategies required to realize the opportunity.

Response: No action required (Acceptable risks)
Threat: Threats that your organization can accept at their current levels after existing controls.
Opportunity: Opportunities that your organization will give a low priority to, as the benefits are not sufficient to expend resources on pursuing.
