Risk Management – Article 3
Mandate and commitment for risk management framework
Keshav Ram Singhal
Clause 4.2 of ISO 31000:2004 provides guidelines on mandate and commitment for the risk management framework.
Mandate = the authority to carry out
Commitment = state of being dedicated to = dedication
To ensure that risk management remains continually effective in an organization, the organization needs:
- Robust (powerful) and continuing dedication (commitment) of the management
- Strategic and rigorous planning to achieve the dedication (commitment) at all levels within the organization
The organization’s management should:
- Define the risk management policy
- Declare and publicly support the risk management policy
- Ensure that the organization’s culture is aligned with its risk management policy
- Determine risk management performance indicators (and these indicators should be aligned with the organization’s performance indicators)
- Align risk management objectives with the organization’s objectives and strategies
- Ensure compliance with statutory and regulatory norms
- Assign accountability, responsibility and authority at appropriate levels within the organization
- Ensure that necessary resources are allocated
- Communicate risk management benefits to all stakeholders
- Ensure that the risk management framework remains appropriate
A risk management policy, as management’s prime statement, serves two purposes: first, it addresses how to identify, reduce and prevent undesirable incidents or outcomes, and second, it calls for reviewing past incidents in order to implement changes that prevent or reduce future incidents.
An organization may use its risk management policy to continually analyze and improve the strategy, policy and practices that affect the organization’s performance. To write a risk management policy, identify potential risks in the context of the organization’s processes and state the purpose briefly, in clear and simple terms.
Good risk management is supported by determining risk management performance indicators. Capturing, modeling and reporting risk indicators allows a risk practitioner to focus on leading factors in risk management. Risk factors or indicators can be a signature or a driver of risk. Risk factors or indicators that contribute to causing a risk event or outcome are active indicators. A change in performance indicators, positive or negative, could be an indication of risk. Risk indicators should be timely and relevant, and should bring insight to the issue.
Accountability and responsibility need to be assigned; without them, risk management tasks can easily be missed. An organization’s top management should assign accountability and responsibility to risk management personnel, departmental heads, stakeholders etc. It is important to ensure that the personnel given the accountability and responsibility also have the authority to complete the task or take appropriate action on it.
Without allocating resources it is difficult to achieve desired goals and objectives, so the top management should determine, allocate and provide the necessary resources for risk management.
Risk communication is a powerful exchange of information about risks between interested parties (stakeholders). It is the act of conveying or transmitting information between stakeholders about a range of areas including levels of risks, significance of risks, and decisions, actions or policies aimed at managing or controlling risks. Interested parties (stakeholders) may include government organizations, corporations, industry groups, unions, society and individuals. Continuing reciprocal communication among all stakeholders is an integral part of the risk management process. Risk communication is more than the dissemination of information; a major function is the process by which information and opinion essential to effective risk management are incorporated into the decision.
The management of the organization should make sure that the risk management framework remains continually effective in the organization.