How to build a risk management framework (RMF)

When I joined the Department of Health And Ageing (yes, that's the correct spelling), my mandate was to "build a risk management framework and embed it across the Department." Easy to say - not so easy to do.

In my view, a good RMF is essential. The ISO31000 risk management standard (in its 2009 version) opens Section 4 with the following assertion.

"The success of risk management will depend on the effectiveness of the management framework providing the foundations and arrangements that will embed it throughout the organization at all levels."

That's hard to argue with, but ISO31000 isn't big on detail. Eventually, I did build a decent risk management framework, and the model in Figure 2 is a good summary of the result. Figure 2 is more than just a risk management framework: it is a useful summary of how to implement any management system, at least in terms of the structure and relationships of the various elements.

But first, what does the 2018 update to the standard have to say on the subject? It's slightly different but still not so obvious how to implement it. The (now) Section 5 on risk management frameworks sums up framework development as follows.

"Framework development encompasses integrating, designing, implementing, evaluating and improving risk management across the organization."

The standard then sums it up in the illustration below and devotes five pages to these concepts.

Figure 1: Relationship between the components of the framework for managing risk (ISO31000:2018)

It can be tempting to skip the process of building a risk framework, partly because it seems less important than the risk assessment process, but also because it is a big, daunting project. No matter how excellent your risk management system is, it will not be sustainable unless the organization has a well-structured and appropriate risk management framework. In the following sections I've tried to address at least the 'big daunting' element by breaking it down into its key elements. The framework is where policy, mandate, organizational commitment, and structure set the scene for the ongoing, successful application of risk management. And it isn't a one-time event. Risk management is an iterative, adaptive process, and as you can see from Figure 1, the authors of ISO31000 intended it to be cyclical. At the very least, a framework should provide guidance on how your organization manages risk, and in particular it needs to provide:

  • A centralized and comprehensive source of risk policy, procedures, and information.

  • A consistent taxonomy for classification and prioritization of risk.

  • Automated (or at least consistent) workflow for risk management.

  • An auditable paper trail of records, decisions made, and changes.
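The four requirements above describe a system as much as a document set: one store of record, a fixed taxonomy, a workflow that only moves in permitted directions, and a change history that cannot be quietly edited. The following Python is an added example, not code from the original article or from any departmental system; it sketches a minimal risk register that meets all four. The 5x5 likelihood/consequence scale, the priority thresholds, the state names and the transition rules are assumptions chosen for illustration, not values taken from ISO31000.

```python
"""Minimal risk register: single store of record, fixed taxonomy,
constrained workflow, and a hash-chained (tamper-evident) change log.
All scales, thresholds and state names below are illustrative assumptions."""
import hashlib
import json

# Fixed taxonomy: an assumed 5x5 likelihood x consequence matrix.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


def rating(likelihood: str, consequence: str) -> str:
    """Map a likelihood/consequence pair to a priority band (assumed thresholds)."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


# Consistent workflow: each state lists the only states it may move to.
TRANSITIONS = {
    "identified": {"assessed"},
    "assessed": {"treating", "accepted"},
    "treating": {"assessed", "closed"},
    "accepted": {"assessed", "closed"},
    "closed": set(),
}

GENESIS = "0" * 64  # previous-hash value for the first log entry


class RiskRegister:
    def __init__(self):
        self.risks = {}   # the single source of truth for risk records
        self.log = []     # append-only list of decisions and changes

    def _record(self, risk_id, action, detail, actor):
        """Append a log entry whose hash covers its content and the previous hash."""
        prev = self.log[-1]["hash"] if self.log else GENESIS
        entry = {"seq": len(self.log), "risk": risk_id, "action": action,
                 "detail": detail, "actor": actor, "prev": prev}
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(payload).hexdigest()
        self.log.append(entry)

    def add(self, risk_id, title, actor):
        if risk_id in self.risks:
            raise ValueError(f"{risk_id} already registered")
        self.risks[risk_id] = {"title": title, "state": "identified", "rating": None}
        self._record(risk_id, "add", title, actor)

    def transition(self, risk_id, new_state, actor):
        """Move a risk between states, refusing anything the workflow does not allow."""
        risk = self.risks[risk_id]
        if new_state not in TRANSITIONS[risk["state"]]:
            raise ValueError(f"{risk['state']} -> {new_state} is not a permitted transition")
        self._record(risk_id, "state", f"{risk['state']} -> {new_state}", actor)
        risk["state"] = new_state

    def assess(self, risk_id, likelihood, consequence, actor):
        """Assess (or reassess) a risk using the fixed taxonomy; returns the band."""
        self.transition(risk_id, "assessed", actor)
        band = rating(likelihood, consequence)
        self.risks[risk_id]["rating"] = band
        self._record(risk_id, "assess", f"{likelihood}/{consequence} -> {band}", actor)
        return band

    def verify_log(self) -> bool:
        """Recompute the chain; any edited, removed or reordered entry breaks it."""
        prev = GENESIS
        for entry in self.log:
            if entry["prev"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    # Constructed sample data, not a real risk.
    reg = RiskRegister()
    reg.add("R-1", "Unpatched remote-access appliance", "risk.owner")
    print(reg.assess("R-1", "possible", "major", "assessor"))   # high
    reg.transition("R-1", "treating", "risk.owner")
    print(reg.verify_log())                                      # True
```

Two caveats a practitioner will want. The hash chain makes edits to an existing entry detectable, but it does not stop someone who controls the whole store from rewriting the chain from the tampered point onward; for that you need to anchor the latest hash somewhere the editor cannot reach (a periodic signed export, or write-once storage). And the thresholds in `rating()` are the part most likely to be argued over in your organization, so keep them in one place and version them like any other policy.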

The three most important elements in turning risk management theory into risk management practice will inevitably be policy, assurance, and compliance. However, how you put together the underlying framework for your organization will depend on your context and existing management systems. It's likely to include three common elements: Direction, Systems, and Execution. I built this framework for a large Commonwealth government department a few years ago, and part of the brief was that the underlying principle had to be easy to grasp.

The Executive Management team establishes DIRECTION by setting:

  • Organizational objectives, vision, and mission - the reason that the organization exists.

  • A risk assessment based on those objectives

  • A risk treatment plan to support the achievement of objectives (which might also be known as a Strategic Plan, Operational Plan, etc)

SYSTEMS are the management infrastructure that provides technical and policy guidance for implementing the organization's plans, and they use four core elements:

  • Policies and Management Standards - set the high level expectations and guide decision making

  • Procedures and Guidelines - provide the step-by-step process flows to implement the policies, as well as general guidance on how to interpret high-level policy or standards. See also my article on Risk Management Procedures for more details and downloadable templates.

  • Work Instructions – provide task specific detailed instructions for each step in the process flow.

  • Forms, Templates & Tools – are the specific tools and documentation that people will use to identify, assess and document risks.

EXECUTION is the phase where the plans, policies, and objectives so carefully developed are finally implemented, using three stages of this process:

  • Training Needs Analysis – involves identifying what people need to know to implement the 'Systems' previously developed.

  • Training & implementation – consists of training your people, so they can implement the various elements that support organizational objectives correctly.

  • Reporting, Monitoring & Review – are the final elements that close the feedback loop, assess how useful the framework is, and provide appropriate feedback for continuous improvement.

You'll find this concept illustrated in Figure 2 below. It's a relatively simple example of a framework but is easy enough to explain to people and, equally importantly, is highly scalable.

Figure 2: Example of a Risk Management Framework

There are, of course, many ways to view risk and the interactions of the various elements involved. It's not the intention of this article to provide a single 'perfect' risk management framework (you need to work that out for yourself), but this should at least give you a couple of ideas to get started.

