Wednesday, October 30, 2013

An Introduction to Risk Management Framework

Every organization, whether small, medium or large, private or public, manufacturing or service, faces various internal and external factors and influences. These factors and influences create uncertainty about whether the organization will achieve its objectives. The effect of that uncertainty on the organization’s objectives is termed risk; thus risk is the effect of uncertainty on objectives. An effect is a deviation from the expected, and it may be positive and/or negative. To manage risk, an organization needs to carry out coordinated activities. Risk management is a process underpinned by a set of principles, and it needs to be supported by a structure appropriate to the organization, its environment and its context. In 2009 the International Organization for Standardization (ISO) published the International Standard ISO 31000, Risk management – Principles and guidelines. ISO 31000:2009 targets the quality of an organization’s management and suggests the risk management framework, processes and activities that an organization should follow to better meet its goals and objectives.

Clause 4 of ISO 31000:2009 gives guidelines for the risk management framework. The risk management framework can be described as the essential supporting structure for risk management in an organization, and the success of risk management in an organization depends on the effectiveness of that framework. The framework should provide foundations (the underlying base) and arrangements (plans or preparations for the future) that are embedded firmly and deeply throughout the organization, at all levels. This supporting structure assists in managing risks effectively through the application of the risk management process at varying levels of the organization and within specific contexts. Clause 5 of ISO 31000:2009 provides guidelines for the risk management process. An organization should derive information from its risk management process, and that information should be adequately reported. The supporting structure (framework) should ensure that the reported information is used as a basis for decision-making and accountability at the relevant levels of the organization.

Clause 4 describes the necessary components of the supporting structure (framework) for managing risk in an organization, and their interrelation. These components include:
- Mandate and commitment
- Framework design for managing risk – (i) Understanding the organization and its context, (ii) Risk management policy, (iii) Accountability, (iv) Risk management integration into organization’s processes, (v) Resources, (vi) Internal communication and reporting mechanism, (vii) External communication and reporting mechanism
- Risk management implementation – (i) Framework implementation for managing risk, (ii) Process implementation for risk management
- Framework monitoring and its review
- Continual improvement of the framework

The supporting structure (framework) is not intended to prescribe a management system. Rather, the framework for managing risk should be integrated into the organization’s existing management system, and the organization should adapt the necessary components of the framework to its specific needs.

Annex A of ISO 31000:2009 describes the characteristics of enhanced risk management. An organization adopting a formal risk management process should review and assess its risk management practices and processes against ISO 31000:2009 and its Annex A, so as to establish the adequacy and effectiveness of its risk management.

The characteristics of enhanced risk management include: (i) continual improvement, (ii) comprehensive, defined and accepted accountability for risks, controls and risk treatment tasks, (iii) risk management in decision-making, (iv) continual communication, and (v) integration of risk management into the governance structure.

An organization that wishes to manage its risks should develop an effective framework for doing so. In this regard, the guidelines given in clause 4 of ISO 31000:2009 are relevant and helpful for managing risks.

