An example of a Risk Management Procedure


In case you haven't gathered, I'm a fan of straightforward documents. This is especially true of when you want people to take action. Fifty page procedures rarely get followed - or even read. The following however, is an example of a risk management procedure which addresses six main areas:

  • Scope

  • Purpose

  • Reference

  • Definitions

  • Responsibilities

  • Procedure

  • Documentation

RISK MANAGEMENT PROCEDURE

SCOPE

This procedure provides information for all personnel who are responsible for risk management.

PURPOSE

The objectives of this risk-based system of internal control are to assist JBS in achieving its strategic objectives for the benefit of the community by:

  • protecting our people, the community, and commonwealth assets (financial, property, and information)

  • facilitating optimal use of resources and provide a system for setting priorities when there are competing demands on limited resources

  • assisting us to realise opportunities

  • providing stakeholders and the Australian Community with grounds for confidence in the Organization

  • supporting innovative decision making through recognition of threats and opportunities

  • improving service delivery, reporting systems, outcomes and accountability

REFERENCE

  • ISO31000:2009 Risk Management Standard

  • Risk Management Policy

  • Strategic (Enterprise) Risk Management Guideline

  • Program (Divisional) Risk Management Guideline

  • Project Risk Management Guideline

  • Operational Risk Management Guideline

  • JBS Risk Monitoring and Reporting Manual

  • Risk Management Team Intranet Site

DEFINITIONS

Barrier An existing control. includes systems and procedures already in place to mitigate risks. Consequence Collective sum of all impacts to the capabilities of an organization(s) including long term and indirect effects such as combined health, economic, and psychological impacts. Environment Conditions or influences comprising built, physical and social elements, which surround or interact with stakeholders and communities. Escalation Factors Conditions that lead to increased risk due to improvement or diminution of barriers or controls, Eg. Maintenance, foreign currency conditions, failure to audit or inspection treatments or controls. Hazard Something which has the potential to adversely impact (ie. cause harm) to an asset if not controlled or if deliberately released or applied. Eg. explosives, bio-hazards, flammable liquids, firearms, trojan, virus et cetera. Likelihood The qualitative of semi-quantitative assessment or estimation of whether an event will occur, Used as a qualitative description of probability and frequency. Impact The immediate downstream result of a risk manifesting. Multiple direct or indirect impacts, when aggregated, form the collective consequence(s) of the risk event. Risk The effect of uncertainty on objectives. Risk level The relative measure of risk as defined by the combination of likelihood and consequence. Risk Management The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects. The coordinated activities to direct and control an organization with regard to risk. Risk Treatment Measures that modify the characteristics of organizations, sources of risks, communities and environments to reduce risk, Source (of Risk) A real or perceived event, situation or condition with a real or perceived potential to cause harm or loss to stakeholders, communities or environment. Threat An indication of something impending that could attack the system. includes strategic threats such as a regional conflict or tactical threats such as impending physical attack. threats are usually measured in terms of intent and capability. the term includes known (stated or assessed intention or determination to inflict pain, loss or punishment on someone or something) or unknown (undeclared, hidden or potential) threats. Malicious threats such as system hacks, data destruction, data modification, theft of iP, bomb threats, sabotage, fraud, can be categorized within a range going from rational (obtaining something of value) to irrational (attack against of assets without benefit). Treatment Controls that are proposed (i.e. not yet existing) to reduce or mitigate the likelihood or consequence of an event occurring, that is to reduce the residual risk. Vulnerability The susceptibility of stakeholders, communities and environment to consequences of events. RESPONSIBILITIES

Risk management is a core management requirement and integral part of day-to-day operations. As individuals we all play our part in managing risk and staff at all levels are responsible for understanding and implementing JBS risk management principles and practices in their work areas. Division Heads, Line Managers, and Team Leaders are responsible for applying agreed risk management policy and strategies in their area of responsibility and are expected to:

  • Ensure that risk management is fully integrated with corporate planning processes and considered in the normal course of activities at all levels

  • Identify and evaluate the significant risks that may influence the achievement of business objectives

  • Assign accountability for managing risks within agreed boundaries

  • Ensure that a risk based approach is communicated to our people and embedded in business processes

  • Comply with JBS and Government standards which relate to particular types of risk

  • Define acceptable levels for risk taking and apply fit for purpose mitigation measures where necessary

  • Design, resource, operate, and monitor internal risk management systems

  • Monitor the effectiveness of the system of risk management and internal control

  • Report identified weaknesses or incidents to executive management in timely fashion

  • Provide quarterly risk management and treatment progress reports to executive management

The Chief Risk Officer is responsible for the development, coordination, and promulgation of the JBS Risk Management Framework including monitoring and reporting systems capable of identifying and reporting new and evolving risks. The Branch will coordinate training and assistance regarding implementation of the risk management framework, and ensure adequate information is available to all staff. The CEO is responsible for managing risk across the organization.

PROCEDURE

ISO31000 was developed with the objectives of providing a generic framework for identification, analysis, assessment, treatment and monitoring of risk. The JBS Risk Management process follows the ISO31000 methodology (illustrated below).


Figure 1: ISO 31000 Risk Management Process The process of managing risk at JBS involves:

  • establishing the context associated with the program goals and activities;

  • identifying the risks (including identifying the likelihood and consequences associated with each risk);

  • analyzing the risks;

  • assessing and prioritizing the risks;

  • treating the risks (including a cost/benefit analysis of the treatment options); and

  • continually monitoring and reviewing the risks and treatments

This is illustrated below in Figure 2 where responsibilities for each step are shown by the lines entering and leaving the respective element of the process flow.


Figure 2: Risk Management Process Flow at JBS This procedure should be read and applied in conjunction with the relevant JBS Risk Management Guideline and tailored accordingly to the appropriate level of area/activity being managed. These Guidelines and tools have been developed for the following organizational levels:

  • Strategic (Enterprise) Risk Management Guideline

  • Program Risk Management Guideline

  • Project Risk Management Guideline

  • Operational Risk Management Guideline

Establish the context. Define the stakeholders and review the levels of acceptable risk using tools such as consultative groups, and develop risk evaluation criteria. Successful RM requires the effective engagement of stakeholders and subject matter experts. Effective engagement enables the strategic management of uncertainty and develops resilience amongst those involved. RM goes far beyond being a technical or political process - it is also a communications process. Identify risks. Identify and describe the sources of risk, stakeholders, communities and environments. Scope the vulnerabilities and describe the risks. There may be great diversity of opinion on the actual risks and their various sources, given different perceptions, knowledge and experience. Analyze risks. Analyze the risk associated with the problem by determining the likelihood and consequence of the identified risks. Evaluate risks. Compare risks against risk evaluation criteria, prioritize the risks and decide on risk acceptability. Treat risks. Identify and evaluate the treatments. Respond to the level of risk by deciding which source of risk, stakeholders, communities or environment can be addressed, either by increasing resilience or robustness, to reduce risk. Model changes to obtain the new level of risk. Select treatments, plan and implement. Communication and consultation. Where stakeholders and communities contribute to the decision making process there is a much larger pool of information and expertise to enable appropriate solutions to be developed. For catastrophic events communication and consultation is considered extremely important. Communication and consultation develop resilience amongst stakeholders and communities and will be invaluable in terms of regaining control of business activities. Monitor and review. Systems that monitor and review risk, and its management, must be established and maintained. Latent and residual risk are ever-present. RM must be on going to ensure that change and uncertainty can be accommodated.

DOCUMENTATION

Each stage of the risk management process should be appropriately documented to retain knowledge and satisfy audit requirements. Documentation should include objectives, information sources, assumptions, methods, decisions, and results. Individual projects and groups maintain Risk Registers, and enterprise risks are escalated to a Strategic Risk Database (SRDB). Decisions concerning the extent of documentation may involve costs and benefits and should take into account the factors listed in Clause 5.2. At each stage of the process, documentation should include: a) objectives; b) information sources; c) assumptions; and d) decisions. The Appendices include examples of a risk register and treatment plan, however more detailed templates are also available from the Risk and Security Intranet site.

The above procedure and process flow examples work equally well for all types of procedures. If you'd like to download templates in MS Office format, you can find them at my download page: http://www.juliantalbot.com/Downloads.htm


© 2020 Julian Talbot