Carole Edrich breaks down the risk management process, explaining the significance of each step

The risk management lifecycle should be considered as distinct from any risk management framework. While it is a logical set of idealised functions based on a whole system perspective of the enterprise, it is also true that, whether or not an enterprise has formally implemented a risk management framework, many components will already be practised.

However, understanding the generic enterprise risk management process will make the improvement or adoption of any formal structures easier.

Many organisations that manage risk on a formal basis will have a structured approach with similarities to the generic lifecycle shown (see figure). Some enterprises believe the review and lessons learned aspects of the process are implicit in all other stages. Others believe the change of the risk management process itself and consequent alterations to any formal framework should not be included.

However, it is best to consider each module separately to ensure they are shown in a final framework or structure, otherwise what was once taken for granted may end up lost in the many loops of the end-to-end risk management process.

Although the flow as shown appears intuitive, logical and seamless, practical experience shows this is not the case. Project, programme, acquisition and objective-led risk management lifecycles are all subsidiary to the overall enterprise-wide risk management process. They must be integrated into the bigger picture, as must the process at lower organisational levels.

It is also likely that many different individuals and systems contribute to the overall picture and that each must be integrated in perspective with the overall organisation vision, strategy, tactical plans and objectives. The co-ordination and communications involved in this are no mean feat, and can turn the management of even simple risks into a considerable challenge.

The process itself can be roughly split into three main sections: initiate and improve; identify and assign ownership and buy-in; and agree and review risk appetite.

Initiate and improve applies to the risk management process itself as well as the way that risks are identified, assessed, communicated and managed. It also involves understanding the underlying organisational infrastructure and other systemic influences.

Risk owners
Identify and assign ownership and buy-in is the process of identifying, assessing and evaluating the risks and principal stakeholders. It communicates these risks and their potential consequences to those who will be most affected by the risks. It also agrees individual risk owners for each major risk or risk group. Security issues, vulnerabilities, the external environment and external stakeholders must all be analysed in as short a time as possible.

Once a risk owner accepts responsibility, he or she needs as much information as possible. This enables well-informed risk management decisions. A risk owner is usually the most senior individual whose business units, processes or products may be directly affected by a risk or risk group. Management of the risk may be immediately delegated to others, but responsibility remains with the risk owner.

The risk tolerance or appetite of different organisations varies enormously for a range of reasons, including their sector, tasks, products, services, political or media discomfort and even timing.

Displaying this risk appetite formally is a vital part of empowering decision makers so that they understand exactly which risks and risk groups are acceptable, as well as in deciding whether direct or indirect risk management actions are most appropriate.

Agree and review risk appetite applies to that part of the risk management process that establishes the optimum balance of a risk occurrence against the costs, impact, value and consequences of managing that risk. Senior managers can then make further decisions on risk tolerance at business unit, project, programme or objective levels.

Because of the iterative and continuous nature of enterprise-wide risk management, as well as the way that risks may be identified and gathered, it is likely that potential risk owners will be established quite early in the risk management process.

UK definitions
Definitions for proactive or reactive risk responses vary considerably between organisations. The UK central government considers risk management to comprise transfer, treat or tolerate; the US NISSC considers that risk management is risk elimination, risk transfer, risk retention or risk reduction; and other organisations group the activities into mitigate, eliminate, monitor and control.

However, what is really important is that every risk or group of risks should be considered, evaluated or re-evaluated regularly, and that actions appropriate to the level of risk, culture and risk tolerance are taken with a full audit trail demonstrating the reasoning for any major actions.

However, although the risk management lifecycle is normally depicted as a linear or circular process, it is not that simple. The only safe way to gather and manage risks is as a dynamic and continuous process.

Through understanding the end-to-end risk management process, it is easier for the practitioner to identify optimal points of intervention in an organisation's existing procedures or practices.

Question 1
Select the odd one out:

The end to end risk management process can be shown as:

a Three main sections

b Eight units

c A well-defined organisational framework

d A variety of iterative functions or processes

e An iterative process

Question 2
True or false?

The only safe way to manage risks is as a linear, periodic and iterative process

Question 3
True or false?

The only correct way to view a risk management process is described in this article

Question 4
Which statement is incorrect?

a Once a decision to tolerate a risk is made it should be ignored

b Once a decision to treat a risk is made an action must be taken

c Once a decision to transfer a risk is made adequate insurance must be found

d Once a decision to terminate a risk is made the risk must be eliminated

e A decision to transfer, treat, tolerate or terminate a risk can be changed if circumstances change

Question 5
Select the exception:

a Enterprise-wide risk management can only be undertaken with the active participation and buy-in of all internal stakeholders

b Once a risk owner has been identified it is a matter of formality to get him or her to take responsibility for the risk

c Risk owners, their business units or processes stand to lose or be affected by the manifestation of risks they have been allocated

d Once a risk has been managed it can be ignored

e The risk management process is for a closed system only