Welcome!

Please keep visiting this blog and keep commenting too. Please share your reactions to the posts. Experts and authors are invited to share their articles/views. Suggestions for improvement are invited.
Thanks,
Keshav Ram Singhal

Thursday, October 31, 2013

Designing Risk Management Framework

Risk Management – Article 4

Keshav Ram Singhal

Clause 4.3 of ISO 31000:2009 gives guidelines for designing the framework for managing risk. The design activities are described in its sub-clauses:
4.3.1 – Understanding of the organization and its context
4.3.2 – Establishing risk management policy
4.3.3 – Ensuring accountability
4.3.4 – Integrating into organizational processes
4.3.5 – Allocating resources
4.3.6 – Establishing internal communication and reporting mechanisms
4.3.7 – Establishing external communication and reporting mechanisms

Understanding – Organization and its context

It is important to examine and understand the internal and external context of the organization. Both can significantly influence the design of the framework for managing risk, so they need to be understood before the framework is designed.
To understand the internal context we need to understand the internal environment in which the organization seeks to achieve its objectives. The internal environment may include:
- Governance in the organization
- Organizational structure
- Roles, accountability and responsibility in the organization
- Organization’s policies, objectives and strategies
- Organization’s capabilities – knowledge and resources, such as capital, time, people, processes, systems, technologies
- Information systems
- Information flows
- Formal and informal decision-making processes
- Relationship with internal stakeholders
- Internal stakeholders’ perceptions and values
- Organization’s culture
- Standards, guidelines, norms, models etc. adopted by the organization
- The form and extent of contractual relationships

To understand the external context we need to understand the external environment in which the organization seeks to achieve its objectives. The external environment may include the cultural, social, political, legal (statutory and regulatory), financial, technological, economic, natural and competitive environment, whether international, national, regional or local. It also includes key drivers and trends that have an impact on the organization’s objectives, relationships with external stakeholders, and the perceptions and values of those stakeholders.

Before designing and implementing the framework for managing risk, the organization should evaluate and understand both its external and internal context. All the factors mentioned above, and any other factors relevant to the external and internal context, should be evaluated.

Establishing – Risk management policy

The organization should establish a risk management policy that clearly states its objectives for, and its commitment to, risk management. The risk management policy should typically address:
- The organization’s rationale (its reasons or logical basis) for managing risk
- The links between the organization’s objectives and policies and its risk management policy
- Responsibility, authority and accountability for managing risk
- The way in which conflicting interests are dealt with
- Commitment to make the necessary resources available for managing risk
- The way in which risk management performance is measured and reported
- Commitment to review and improve the risk management policy and framework periodically and in response to an event or change in circumstances

The organization should communicate the risk management policy appropriately within the organization and to its stakeholders.

Ensuring – Responsibility, authority and accountability

The organization should ensure that there is responsibility, authority, accountability and appropriate competence for implementing and maintaining the risk management process, and for ensuring the adequacy, effectiveness and efficiency of its controls. This can be facilitated by:
- Identifying risk owners who have the responsibility, authority and accountability to manage risks
- Identifying who is accountable for developing, implementing and maintaining the risk management framework
- Identifying the responsibilities of personnel at all levels in the organization for the risk management process
- Establishing performance measurement
- Establishing external and internal reporting
- Establishing escalation processes
- Ensuring recognition at appropriate levels

By building a culture of accountability, the organization moves towards minimizing risks in the organization.

Integrating – Risk management into organizational processes

Risk management must be integrated into organizational processes if the organization is to achieve its objectives. Risk management should be embedded in all the organization’s practices and processes in a way that is relevant, effective and efficient; the risk management process should become part of, and not separate from, those organizational processes. In particular, risk management should be embedded into:
- Development of the organization’s policy
- The organization’s business and strategic planning and review
- The organization’s change management processes

An organization-wide risk management plan should ensure that the risk management policy is implemented and that risk management is embedded in all of the organization’s practices and processes. The risk management plan should be integrated into the organization’s strategic and other plans.

Allocating – Resources for risk management

The organization should allocate appropriate resources for risk management, considering the following:
- Human resources and their skills, experience and competence
- Resources needed for each step of the risk management process
- Resources needed for organization’s processes, methods and tools
- Organization’s processes and procedures
- Organization’s information system and knowledge management systems
- Training programmes

Establishing – Internal communication, external communication and reporting mechanisms

In order to support and encourage accountability and ownership of risk, the organization should establish:
- Internal communication
- External communication
- Reporting mechanisms

The organization should establish internal communication and reporting processes to ensure that key components of the risk management framework, and any subsequent modifications, are communicated appropriately. Internal reporting on the framework, its effectiveness and its outcomes should be adequate. Relevant information derived from applying risk management should be available at appropriate levels and at appropriate times. There should also be processes for consultation with internal stakeholders, such as employees, management and unions.

The organization should develop and implement a plan for communicating with external stakeholders. This should involve:
- Engaging appropriate external stakeholders
- Ensuring an effective exchange of information
- External reporting to comply with statutory, regulatory and governance requirements
- Providing feedback and reporting on communication and consultation
- Using communication to build confidence in the organization
- Communicating with stakeholders in the event of a crisis or contingency

Reporting mechanisms should include processes to consolidate risk information from various sources, and should take account of the sensitivity of that information.

Mandate and commitment for risk management framework

Risk Management – Article 3

Keshav Ram Singhal

Clause 4.2 of ISO 31000:2009 gives guidelines on mandate and commitment for the risk management framework.

Mandate = the authority to carry out

Commitment = state of being dedicated to = dedication

For risk management to remain effective on a continuing basis, the organization needs:
- Strong and sustained commitment (dedication) from management
- Strategic and rigorous planning to achieve commitment at all levels within the organization

The organization’s management should:
- Define the risk management policy
- Declare and support the risk management policy publicly
- Ensure that the organization’s culture is aligned with its risk management policy
- Determine risk management performance indicators, aligned with the organization’s performance indicators
- Align risk management objectives with the organization’s objectives and strategies
- Ensure compliance with statutory and regulatory requirements
- Assign accountability, responsibility and authority at appropriate levels within the organization
- Ensure that the necessary resources are allocated
- Communicate the benefits of risk management to all stakeholders
- Ensure that the risk management framework continues to remain appropriate

A risk management policy, as a prime statement by management, serves two purposes: first, it commits the organization to identifying, reducing and preventing undesirable incidents or outcomes; second, it commits the organization to reviewing past incidents and implementing changes to prevent or reduce future ones.

An organization may use its risk management policy to continually analyse and improve the strategy, policies and practices that affect its performance. To write a risk management policy, identify potential risks in the context of the organization’s processes and state the purpose of the policy briefly, in clear and simple terms.

Good risk management is supported by well-chosen risk management performance indicators. Capturing, modelling and reporting risk indicators allows a risk practitioner to focus on the leading factors in risk management. A risk factor or indicator may be a signature of risk or a driver of risk; factors or indicators that contribute to causing a risk event or outcome are active indicators. A change in a performance indicator, positive or negative, may be an indication of risk. Risk indicators should be timely and relevant, and should bring insight to the issue.

Accountability and responsibility need to be assigned; without this, risk management tasks can easily be missed. The organization’s top management should assign accountability and responsibility to risk management personnel, departmental heads, stakeholders and so on. It is important to ensure that those who are assigned accountability and responsibility also have the authority to complete the task or to take appropriate action on it.

Without allocated resources it is difficult to achieve the desired goals and objectives, so top management should determine, allocate and provide the resources necessary for risk management.

Risk communication is the exchange of information about risks between interested parties (stakeholders). It is the act of conveying information between stakeholders about matters such as levels of risk, the significance of risks, and the decisions, actions or policies aimed at managing or controlling them. Interested parties (stakeholders) may include government organizations, corporations, industry groups, unions, society and individuals. Continuing two-way communication among all stakeholders is an integral part of the risk management process. Risk communication is more than the dissemination of information; a major function is the process by which the information and opinion essential to effective risk management are incorporated into decisions.

The management of the organization should make sure that the risk management framework remains effective on a continuing basis.

Wednesday, October 30, 2013

An Introduction to Risk Management Framework

Risk Management – Article 2

Keshav Ram Singhal

Every organization, whether small, medium or large, private or public, manufacturing or service, faces various internal and external factors and influences. These factors and influences create uncertainty about whether the organization will achieve its objectives. The effect of this uncertainty on the organization’s objectives is termed risk; thus risk is the effect of uncertainty on objectives. An effect is a deviation from the expected, and it may be positive and/or negative. To manage risk, an organization needs to carry out coordinated activities. Risk management is a process underpinned by a set of principles, and it needs to be supported by a structure that is appropriate to the organization, its environment and its context. In 2009 the International Organization for Standardization (ISO) published the International Standard ISO 31000, Risk management – Principles and guidelines. ISO 31000:2009 addresses the quality of an organization’s management and describes the risk management framework, process and activities that help organizations better meet their goals and objectives.

Clause 4 of ISO 31000:2009 gives guidelines on the risk management framework. The risk management framework is the essential supporting structure for risk management in an organization, and the success of risk management depends on the effectiveness of that framework. The framework should provide the foundations (underlying base) and arrangements (plans and preparations) that embed risk management throughout the organization at all levels. This supporting structure assists in managing risks effectively through the application of the risk management process at the various levels of the organization and within its specific contexts. Clause 5 of ISO 31000:2009 gives guidelines on the risk management process. Information derived from the risk management process should be adequately reported, and the framework should ensure that this reported information is used as a basis for decision making and accountability at all relevant levels of the organization.

The necessary components of the framework for managing risk and their interrelationships are described in clause 4 and include:
- Mandate and commitment
- Framework design for managing risk – (i) Understanding the organization and its context, (ii) Risk management policy, (iii) Accountability, (iv) Risk management integration into organization’s processes, (v) Resources, (vi) Internal communication and reporting mechanism, (vii) External communication and reporting mechanism
- Risk management implementation – (i) Framework implementation for managing risk, (ii) Process implementation for risk management
- Framework monitoring and its review
- Continual improvement of the framework

The framework is not intended to prescribe a management system. Rather, the framework for managing risk should be integrated into the organization’s overall management system, and the organization should adapt the components of the framework to its specific needs.

Annex A of ISO 31000:2009 describes the attributes of enhanced risk management. An organization that adopts a formal risk management process should review and assess its risk management practices and processes against ISO 31000:2009 and its Annex A, in order to judge the adequacy and effectiveness of its risk management.

The attributes of enhanced risk management include: (i) continual improvement, (ii) comprehensive, defined and accepted accountability for risks, controls and risk treatment tasks, (iii) application of risk management in all decision making, (iv) continual communication, and (v) integration of risk management into the organization’s governance structure.

An organization that wishes to manage its risks should develop an effective framework for doing so. The guidelines in clause 4 of ISO 31000:2009 are relevant and helpful in this regard.

Alex Dali (President, Global Institute for Risk Management Standards - A Non-profit organization for raising awareness on ISO 31000) writes

Excellent initiative, Keshav.

I am pleased to inform you that your contacts should have a copy of the ISO 31000 risk management standard adopted in India as
IS/ISO 31000. For Indian citizens, the Indian Standard is free of charge for educational purpose:

https://law.resource.org/pub/in/bis/S07/is.iso.31000.2009.pdf

BUREAU OF INDIAN STANDARDS. Headquarters: Manak Bhavan, 9 Bahadur Shah Zafar Marg, New
Delhi 110002. Telephones: 2323 0131, 2323 3375, 2323 9402 Website: www.bis.org.in

Feel free to include this reference in your campaign. You have my full support.

Best regards
Alex Dali
President
Global Institute for Risk Management Standards
Non-profit organization for raising awareness on ISO 31000

Risk Management Principles

Risk Management – Article 1

Keshav Ram Singhal

Every organization, whether small, medium or large, private or public, manufacturing or service, faces various internal and external factors and influences. These factors and influences create uncertainty about whether the organization will achieve its objectives. The effect of this uncertainty on the organization’s objectives is termed risk; thus risk is the effect of uncertainty on objectives. An effect is a deviation from the expected, and it may be positive and/or negative. To manage risk, an organization needs to carry out coordinated activities. Risk management is a process underpinned by a set of principles, and it needs to be supported by a structure that is appropriate to the organization, its environment and its context. In 2009 the International Organization for Standardization (ISO) published the International Standard ISO 31000, Risk management – Principles and guidelines. ISO 31000:2009 addresses the quality of an organization’s management and describes the risk management framework, process and activities that help organizations better meet their goals and objectives.

Clause 3 of ISO 31000:2009 sets out eleven risk management principles that an organization should comply with at all levels for risk management to be effective. These are:
1. Risk management creates and protects value
2. Risk management is an integral part of all organizational processes
3. Risk management is part of decision making
4. Risk management explicitly addresses uncertainty
5. Risk management is systematic, structured and timely
6. Risk management is based on the best available information
7. Risk management is tailored
8. Risk management takes human and cultural factors into account
9. Risk management is transparent and inclusive
10. Risk management is dynamic, iterative and responsive to change.
11. Risk management facilitates continual improvement of the organization

Creating and protecting value

Risk management creates and protects value. It contributes to the achievement of the organization’s objectives and to the improvement of performance within the organization. The organization’s objectives and performance may relate to:
- Human health and safety
- Security
- Statutory and regulatory compliances
- Public acceptance
- Environmental protection
- Product quality
- Project management
- Operational efficiency
- Good governance and reputation

The goal of risk management is to increase the likelihood that the organization will achieve its objectives by managing risks to be within the stakeholders’ appetite for risk. Risk management done correctly not only protects but creates value for achievement of objectives and improvement of performance.

Organizational processes and risk management

Risk management is an integral part of all organizational processes. It should include strategic planning, all projects and change management processes. It is not a stand-alone activity. It is not separated from the main activities and processes of the organization. It is part of the organization’s management responsibility.

Risk management and decision making

Risk management is part of decision making. It helps management to make informed choices, to prioritize actions and to distinguish among alternative courses of action.

Risk management and uncertainty

Risk management explicitly addresses uncertainty (the state of being uncertain about what may happen in the future). It takes account of that uncertainty, its nature, and how it can be addressed.

Risk management approach

Risk management is a systematic, timely and structured approach. It contributes to efficiency and timely action that lead to consistent, comparable and reliable results.

Risk management and information

Risk management is based on the best available information. Information is the input to risk management, and it may come from sources such as:
- Historical data
- Experience
- Stakeholder feedback
- Observation
- Forecasts
- Judgement from an expert

Decision makers should take into account any limitations of the data or modelling used, and the possibility of divergence among experts.

Tailoring risk management

Risk management is tailored to, and aligned with, the organization’s internal and external context and its risk profile.

Human and cultural factors in risk management

Risk management takes human and cultural factors into account. It recognizes the capabilities, perceptions and intentions of internal and external people that can facilitate or hinder the achievement of the organization’s objectives.

Transparency in risk management

Risk management is transparent and inclusive. It requires the appropriate and timely involvement of stakeholders, including decision makers at all levels of the organization, which ensures that risk management remains relevant and up to date. Involving stakeholders also means that they are properly represented and that their views are taken into account when risk criteria are determined.

Risk management responsive to change

Risk management is dynamic, iterative and responsive to change. It continually senses and responds to change: as external and internal events occur, as context and knowledge change, and as risks are monitored and reviewed, new risks emerge, some risks change and others disappear.

Risk management leads improvement

Risk management facilitates continual improvement of the organization. An organization can improve its risk management maturity, alongside other aspects of its operation, by developing and implementing improvement strategies. Continual improvement in risk management is emphasized and can be achieved by:
- Setting of organizational goals
- Measurement, review and change (modification) of processes, systems, resources, capabilities and skills.

Conclusion

Risk management principles are helpful in establishing effective risk management in an organization, and the guidelines in ISO 31000:2009 are developed on the basis of these principles.

ISO 31000:2009 is available from the International Organization for Standardization (ISO); please visit the ISO website, iso.org.

Preface

Dear readers,

Greetings!

I am starting a new blog on 'Risk Management Awareness' with an objective to create awareness on standards, vocabulary, guidelines, principles, risk assessment techniques etc. I request risk management professionals and experts to please share their views and articles through this blog.

Every organization in the world, whether it is small, medium or big, faces many factors and influences that make achieving the organization's objectives uncertain. I hope that this blog will serve its purpose of creating awareness.

Any accomplishment requires the effort of many people, and this blog is no different. Suggestions for improvement are welcome.

Best wishes,

Keshav Ram Singhal
Editor