Risk Management Framework and Concept



In order for an organization to achieve its strategic objectives, it is expected to ensure that the various obstacles in its way are identified and controlled properly. Risk based auditing is also expected to assist an organization in this respect. These obstacles are also referred to as RISKS: events or factors that are likely to hinder the achievement of the targets. If risks are not well identified and proper measures are not taken to mitigate them, an organization is likely to fail to achieve its set targets.

Auditors are also expected to examine whether the existing internal controls of an organization are adequate to curb the risks the organization might face in fulfilling its strategic objectives.

Definition of Risk
“The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.”
(Source: The Institute of Internal Auditors)

Risk management within an organization should address uncertainties that are both negative (threats) and positive (opportunities). It should be noted that risk relates to both positive and negative deviation from the objectives an organization intends to achieve; an organization may potentially benefit from uncertainties.


Definition of risk management

“A process for identifying, assessing, managing, and controlling potential events or situations to provide reasonable assurance regarding the achievement of the organisation’s objectives.”
(Source: The Institute of Internal Auditors)
Risk management as a process is expected to maximize opportunities and minimize risks to an acceptable level. An organization with an effective risk management mindset improves its chances of fulfilling its strategic objectives. When the process is fully embedded into the whole organization, it is termed “Enterprise Risk Management” (ERM).


Benefits of managing risks
The following are the potential benefits of managing risks within an organization:


i. Establishment of a reliable basis for decision making and planning (strategic and operational planning).
ii. Assurance on the achievement of the organization’s objectives and performance targets through the awareness and management of potential events and situations that work against the objectives.
iii. Enhanced communication across all levels of management within the organization.
iv. Effective use of resources; minimized operational surprises and shocks, as well as costly and time-consuming litigation and/or unexpected losses.
v. Management will grasp new opportunities in a timely manner.
vi. Facilitated compliance with relevant legal and regulatory requirements and international norms.
vii. Enhanced health and safety performance, as well as environmental protection.
viii. Improved stakeholders’ confidence and trust (i.e. reassuring stakeholders that the organization is managing its risks efficiently and effectively).


Risk Management Framework
This is all about properly documenting all risk procedures within the environment of an organization. It is the first step towards moving the organization into a risk-based culture. A risk management framework, as defined by ISO 31000:2009, is:


“a set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.”

The purpose of a risk management framework is to assist an organization in managing its risks effectively through the application of the risk management process at varying levels and within specific contexts of the organization.

The main components of a risk management framework are risk management policy, risk governance structure, and procedures that support the risk management process.

A risk management framework comprises the following components:
i. Risk strategy (or policy).
ii. Risk architecture (or governance structure).
iii. Risk protocols (or procedures).



Risk Management Policy


It sets out the organisation’s risk strategy by documenting statements of the overall philosophy, commitment, appetite, attitudes, intentions, and direction of the organisation with regard to risk management.


Risk Management Structure


This is the risk management architecture, which defines the roles, responsibilities, communication lines and reporting structure within the organisation.


Risk Management Protocols


These are the risk management procedures, which define the risk management guidelines, rules and procedures, as well as the risk management methodologies, tools and techniques that should be used in the organization.




Risk Management Process


The risk management process might be argued not to be a component of the framework at all, but rather a process that is supported by the other components.

The risk management process is the systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.


How to develop a risk management framework
The process of developing a risk management framework involves:

i. The formulation of an organization’s risk management policy.
ii. The design of the risk management governance structure of the organization.
iii. The development of risk management procedures/practices.
iv. Documenting the risk management framework.
v. Getting top management approval and sponsorship. Management should be upfront in ensuring this concept is embedded within the organization’s culture.
vi. Creating risk management awareness and getting people’s buy-in. This may involve conducting workshops and seminars.



Formulation of a Risk Management Policy
Document a risk management policy that clearly articulates the organization’s objectives for, and commitment to, risk management.


The policy should typically specify three important aspects of risk management:
i. The purpose for adopting risk management within the organization.
ii. Policy statements that highlight the organization’s philosophy, attitudes and commitment towards risk management.
iii. Risk management principles that the organization adopts in implementing risk management (these should be specific principles that align with the organizational context).



Designing the Risk Management Governance Structure
This platform sets out responsibilities with regard to risk management within the organization. Everyone within the organization should be aware of their individual and collective risk management responsibilities.

The roles and responsibilities of the officials and staff of an organization are defined during the stage of designing the governance structure for risk management. This process will also depend on the existing structure of the organization. The example below illustrates the levels of roles and responsibilities in dealing with risk management. Each level has its own roles and responsibilities to play:
i. The Board
ii. Director
iii. Audit Committee
iv. Risk Management Coordinator
v. Executive Management (top management, i.e. heads of departments)
vi. Risk owners
vii. Risk Management Champions (from each division)
viii. Other staff, contractors and stakeholders.



Developing Risk Management Procedures
Specific procedures that are expected to be adhered to when dealing with risk management activities need to be stipulated. The risk management process as outlined by an international standard for risk management is expected to be used as the starting point at this stage.
The following are expected to be included within the procedure document for risk management:
i. Risk management definitions/language/terms: a common risk language will produce a consistent understanding of risk management concepts and provide clarity of communication and action.
ii. Relationship and integration with other organizational initiatives: risk management is not a stand-alone discipline. In order to maximize risk management benefits and opportunities, it needs to be integrated with existing business processes (e.g. strategic planning, budgeting and reporting).
iii. Description of how each step of the risk management process will be applied within the organisation: an organisation’s risk management framework and processes must meet the minimum key principles of the risk management model or standard adopted.
iv. Overview of the organisation’s risk reporting framework: content, format, frequency and recipients of risk reports.
v. Risk assessment criteria: agreed criteria for the assessment of risk likelihood, consequence, and overall risk rating.



Documenting the Risk Management Framework
All the above steps should result in documented policy statements, a risk governance structure and procedures. Combine these components into a single document termed the “Risk Management Framework Document” of your organization.
As an example, the Risk Management Framework document may have the following minimum chapters/sections:
i. Chapter 1: Introduction (background, legal issues, scope, and document structure).
ii. Chapter 2: The Risk Management Policy Statements (purpose, policy statements, principles).
iii. Chapter 3: Risk Management Governance Structure (responsibilities in risk management of the various organs and officials).
iv. Chapter 4: Risk Management Procedures (rules, methods and approach in conducting risk assessment, treatment and reporting).
v. Annex: Risk Management Templates (samples of key documents, forms and sheets).


Get Approval and Mandate for the Risk Management Framework Document
Given its importance and strategic nature, risk management requires strong and sustained commitment by the organization’s board, audit/risk committee, and the Managing Director.


Depending on the structure of the organization, the approval process should follow the same pattern, and go along the same lines, as the approval of new policies and frameworks.

It is recommended that, before initiating the approval process, the key stakeholders (e.g. Top Management and Board, whichever is applicable) should be given a brief awareness session on risk management and on the purpose of the document they are to approve.
The approval process should result in the official signing of the Risk Management Framework by the approving/authenticating authority or official.



Creating Awareness and Risk-aware Culture within an organization
It is important to provide training in order to create awareness, sensitize people and build basic capacity for risk management within the organization. Training needs to be provided to board members, managers, staff and other close stakeholders.

Managers and staff need to be encouraged to comment on the risk management procedures the organization is adopting, so that these may be improved further as part of the learning culture within the organization.

The following is an indicative example of the training that may be provided to different stakeholders (workshop type, target group, purpose and comments for each):

Workshop Type: Orientation on risk management and the Risk Management Framework
Target Group: Board Members (depending on the type of organization)
Purpose:
i. To create awareness on risk management
ii. To obtain Board-level sponsorship
iii. To review/approve the Risk Management Framework.
Comments: While the purposes could be combined (i.e. orientation, review and approval), the best option could be to have a separate session for Board/Council sensitization and review of the Risk Management Framework; approval of the Framework could be done in normal Board meetings.

Workshop Type: Top-Level Awareness on Risk Management and Review of the Risk Management Framework
Target Group: Audit Committee; Top Management
Purpose:
i. To create awareness on risk management
ii. To obtain top-level sponsorship and ownership of the Framework
iii. To review and approve the Risk Management Framework
iv. To appoint the Risk Management Committee.
Comments: Top Management and the Audit Committee need to review and make improvements to the Framework and Risk Register, and appoint the risk committee. This is to prepare the Framework for Board approval.

Workshop Type: Middle-Level Awareness on Risk Management and Practical Risk Assessment
Target Group: Top Management; Middle-Level Management; Audit/Risk Committee; Key Staff/Stakeholders
Purpose:
i. To provide orientation on risk management
ii. To review and refine the Risk Management Framework
iii. To provide basic skills in risk management
iv. To conduct a Risk Assessment for developing a Risk Register.
Comments: This is the most important group because it will be involved in the practical development of the risk management framework and risk register.




