Designing Risk Management Framework

Risk Management – Article 4

Designing Risk Management Framework

Keshav Ram Singhal

Clause 4.3 of ISO 31000:2004 deals with guidelines for design of framework for managing risk and processes to design risk management framework mentioned in sub-clauses are related to:
4.3.1 – Understanding of the organization and its context
4.3.2 – Establishing risk management policy
4.3.3 – Ensuring accountability
4.4.4 – Integrating into organizational processes
4.4.5 – Allocating resources
4.4.6 – Establishing internal communication and reporting mechanisms
4.4.7 – Establishing external communication and reporting mechanisms

Understanding – Organization and its context

It is important to examine and understand the internal and external context of the organization. Internal and external contexts are important factors that can significantly influence the design of the framework for managing risk in an organization. As such there is need to understand these context.
To understand internal context we need to understand the internal environment in which the organization attempts to achieve its objectives and the internal environment of the organization may include:
- Governance in the organization
- Organizational structure
- Roles, accountability and responsibility in the organization
- Organization’s policies, objectives and strategies
- Organization’s capabilities – knowledge and resources, such as capital, time, people, processes, systems, technologies
- Information systems
- Information flows
- Formal and informal decision-making processes
- Relationship with internal stakeholders
- Internal stakeholders’ perceptions and values
- Organization’s culture
- Standards, guidelines, norms, models etc. adopted by the organization
- Contractual relationships form and its extent

To understand external context we need to understand the external environment in which the organization attempts to achieve its objectives and the external environment of the organization may include cultural environment, social environment, political environment, statutory and regulatory (legal) environment, financial environment, technological environment, economic environment, natural and competitive environment that may be international, national, regional or local. The external environment of an organization may also include key drivers and trends having impact on organization’s objectives, relationship with external stakeholders, and perceptions and values of external stakeholders.

Before starting the design of framework for managing risk and its implementation, the organization should evaluate and understand both its external and internal environment (context). All the factors mentioned above and other relevant factors to external and internal context should be evaluated.

Establishing – Risk management policy

The organization should take steps to establish risk management policy that should clearly state the organization’s objectives for risk management and also the organization’s commitment to risk management. The risk management policy should typically address:
- Organization’s set of reasons or logical basis for a course of action or belief (rationale) for managing risk
- Relationship between organization’s policies (and objectives) and organization’s risk management policy
- Responsibility, authority and accountability for managing risk
- Process solution (way) to deal with conflicting interests
- Commitment to provide necessary resources for managing risk
- Risk management performance measurement and reporting process
- Commitment to review and improve the risk management policy and framework periodically and in response to an event or change in circumstances

The organization should communicate appropriately the risk management policy within the organization and to its stakeholders.

Ensuring – Responsibility, authority and accountability

The organization should ensure responsibility, authority, accountability and appropriate competence for implementing and maintaining risk management process to manage risk. The organization should ensure adequacy, effectiveness and efficiency of its controls to risk management process by:
- Identifying risk owners having responsibility, authority and accountability to manage risk
- Identifying the personnel accountable for developing, implementing and maintaining risk management framework
- Identifying responsibility of personnel at all levels in the organization for risk management process
- Establishing performance measurement
- Establishing external and internal reporting
- Establishing escalation processes
- Ensuring recognition at appropriate levels

By building a culture of accountability, the organization moves towards minimizing risks in the organization.

Integrating – Risk management into organizational processes

Risk management must be integrated into organizational processes to achieve objectives and goals of the organization. Integration to risk management in all organization’s practices and processes should be relevant, effective and efficient and should be firmly integrated. The risk management process should become part of organizational processes. Especially (in particular) risk management should be firmly fixed into:
- Development of organization’s policy
- Organization’s business and strategic planning and review
- Organization’s change management processes

Organization-wide risk management plan should ensure implementation of its risk management policy and firmly integration of risk management in all organization’s practices and processes. Risk management plan of an organization should be integrated into organization’s strategic or other plans.

Allocating – Resources for risk management

It is necessary to allocate suitable and proper resources for risk management considering the following:
- Human resources and their skills, experience and competence
- Resources needed for each step of the risk management
- Resources needed for organization’s processes, methods and tools
- Organization’s processes and procedures
- Organization’s information system and knowledge management systems
- Training programmes

Establishing – Internal communication, external communication and reporting mechanisms

In order to support and encourage accountability and ownership of risk, the organization should establish:
- Internal communication
- External communication
- Reporting mechanisms

The organization should establish process for internal communication and reporting that should ensure appropriately communicating key components of the risk management framework and subsequent modifications. Internal reporting on the framework, its effectiveness and outcomes should be adequate. Relevant information derived from the risk management application should be available at appropriate levels and appropriate times. There should be processes for consultation with internal stakeholders, such as employees, management, unions etc.

There is a need to develop and implement plan that provides ways to communicate with external stakeholders and this should involve:
- Engaging appropriate external stakeholders
- Ensuring an effective exchange of information
- External reporting to act in accordance with statutory, regulatory and governance requirements
- Providing feedback and reporting on communication and consultation
- Using communication to build confidence in the organization
- Communicating with stakeholders when there is crisis or contingency

Reporting mechanism should appropriately include processes to consolidate risk information from various sources and to consider information sensitivity.