- Julian Talbot
An example of a Risk Management Procedure
<Downloadable MS Office Templates are at the bottom of the page>
I'm a fan of straightforward documents. Especially when you want people to take action. Fifty-page procedures rarely get followed - or even read. The following, however, is an example of a risk management procedure that addresses six main areas:
RISK MANAGEMENT PROCEDURE
This procedure provides information for all personnel who are responsible for risk management.
The objectives of this risk-based system of internal control are to assist in achieving our strategic objectives for the benefit of shareholders and the community by:
protecting our people, the community, and commonwealth assets (financial, property, and information)
facilitating optimal use of resources and providing a system for setting priorities when there are competing demands on limited resources
assisting us to realize opportunities
providing stakeholders and the Australian Community with grounds for confidence in the Organization
supporting innovative decision-making through recognition of threats and opportunities
improving service delivery, reporting systems, outcomes, and accountability
ISO31000:2018 Risk Management Guidelines
Risk Management Policy
Strategic (Enterprise) Risk Management Guideline
Program (Divisional) Risk Management Guideline
Project Risk Management Guideline
Operational Risk Management Guideline
Risk Monitoring and Reporting Manual
Risk Management Team Intranet Site
Barrier An existing control. includes systems and procedures already in place to mitigate risks. Consequence The collective sum of all impacts on the capabilities of an organization(s), including long-term and indirect effects such as combined health, economic, and psychological impacts. Environment Conditions or influences comprising built, physical and social elements that surround or interact with stakeholders and communities.
Escalation Factors Conditions that lead to increased risk due to improvement or diminution of barriers or controls, Eg. Maintenance, foreign currency conditions, failure to audit or inspection treatments or controls. Hazard Something which has the potential to adversely impact (i.e., cause harm) an asset if not controlled or if deliberately released or applied. E.g., explosives, bio-hazards, flammable liquids, firearms, trojan, viruses, et cetera. Likelihood The qualitative semi-quantitative assessment or estimation of whether an event will occur is used as a qualitative description of probability and frequency. Impact The immediate downstream result of a risk manifesting. Multiple direct or indirect impacts, when aggregated, form the collective consequence(s) of the risk event. Risk The effect of uncertainty on objectives. Risk level The relative measure of risk is defined by the combination of likelihood and consequence. Risk Management The culture, processes, and structures that are directed toward effectively managing potential opportunities and adverse effects. The coordinated activities to direct and control an organization concerning risk.
Risk Treatment Measures that modify the characteristics of organizations, sources of risks, communities, and environments to reduce risk, Source (of Risk) A real or perceived event, situation, or condition with a real or perceived potential to cause harm or loss to stakeholders, communities, or the environment. Threat An indication of something impending that could attack the system. includes strategic threats such as a regional conflict or tactical threats such as impending physical attacks. threats are usually measured in terms of intent and capability. the term includes known (stated or assessed intention or determination to inflict pain, loss, or punishment on someone or something) or unknown (undeclared, hidden, or potential) threats. Malicious threats, such as system hacks, data destruction, data modification, theft of IP, bomb threats, sabotage, and fraud, can be categorized within a range going from rational (obtaining something of value) to irrational (attack against assets without benefit). Treatment Controls that are proposed (i.e., not yet existing) to reduce or mitigate the likelihood or consequence of an event to reduce the residual risk. Vulnerability The susceptibility of stakeholders, communities, and the environment to the consequences of events.
Risk management is a core requirement and an integral part of day-to-day operations. As individuals, we all play our part in managing risk, and staff at all levels are responsible for understanding and implementing risk management principles and practices in their work areas. Division Heads, Line Managers, and Team Leaders are responsible for applying agreed risk management policy and strategies in their area of responsibility and are expected to:
Ensure that risk management is fully integrated with corporate planning processes and considered in the normal course of activities at all levels
Identify and evaluate the significant risks that may influence the achievement of business objectives
Assign accountability for managing risks within agreed boundaries
Ensure that a risk-based approach is communicated to our people and embedded in business processes
Comply with internal policies, legislation, and relevant standards which relate to particular types of risk
Define acceptable levels for risk-taking and apply fit-for-purpose mitigation measures where necessary
Design, resource, operate, and monitor internal risk management systems
Monitor the effectiveness of the system of risk management and internal control
Report identified weaknesses or incidents to executive management in a timely fashion
Provide quarterly risk management and treatment progress reports to executive management
The Chief Risk Officer is responsible for developing, coordinating, and promulgating the Risk Management Framework, including monitoring and reporting systems capable of identifying and reporting new and evolving risks. The Branch will coordinate training and assistance regarding implementing the risk management framework and ensure adequate information is available to all staff. The CEO is responsible for managing risk across the organization.
ISO31000 was developed to provide a generic framework for identification, analysis, assessment, treatment, and risk monitoring. This Risk Management process follows the ISO31000 methodology (illustrated below).
Figure 1: ISO 31000 Risk Management Process The process of managing risk at <our company> involves:
establishing the context associated with the program goals and activities;
identifying the risks (including identifying the likelihood and consequences associated with each risk);
analyzing the risks;
assessing and prioritizing the risks;
treating the risks (including a cost/benefit analysis of the treatment options); and
continually monitoring and reviewing the risks and treatments
This is illustrated below in Figure 2 where the lines entering and leaving the respective element of the process flow show responsibilities for each step.
Figure 2: Risk Management Process Flow This procedure should be read and applied in conjunction with the relevant <insert your company name> Risk Management Guideline and tailored to the appropriate level of area/activity being managed. These Guidelines and tools have been developed for the following organizational levels:
Strategic (Enterprise) Risk Management Guideline
Program Risk Management Guideline
Project Risk Management Guideline
Operational Risk Management Guideline
Establish the scope, context, and criteria. Define the stakeholders, review acceptable risk levels using tools such as consultative groups, and develop risk evaluation criteria. Successful RM requires the effective engagement of stakeholders and subject matter experts. Effective engagement enables the strategic management of uncertainty and develops resilience amongst those involved. RM goes far beyond being a technical or political process - it is also a communications process. Identify risks. Succinctly identify and describe the sources of risk, stakeholders, communities, and environments. Scope the vulnerabilities and describe the risks. There may be a great diversity of opinion on the actual risks and their various sources, given different perceptions, knowledge, and experience.
Analyze risks. Analyze the risk associated with the problem by determining the likelihood and consequence of the identified risks using appropriate tools and techniques.
Evaluate risks. Compare risks against risk evaluation criteria, prioritize the risks and decide on risk acceptability. Treat risks. Identify and evaluate the treatments. Respond to the level of risk by deciding which source of risk, stakeholders, communities, or environment can be addressed, either by increasing resilience or robustness, to reduce risk. Model changes to obtain the new level of risk. Select treatments, plan, and implement.
7. CONTINUOUS ACTIVITIES
Communication and consultation. Where stakeholders and communities contribute to the decision-making process, there is a much larger pool of information and expertise to develop appropriate solutions. For catastrophic events, communication and consultation is particularly important. Communication and consultation develop resilience amongst stakeholders and communities and will be invaluable in regaining control of business activities.
Monitor and review. Systems that monitor and review risk, and its management, must be established and maintained. Latent and residual risks are ever-present. RM must be ongoing to ensure that change and uncertainty can be accommodated.
Recording and Reporting
Each stage of the risk management process should be appropriately documented to retain knowledge and satisfy audit requirements. Documentation should include objectives, information sources, assumptions, methods, decisions, and results. Individual projects and groups maintain Risk Registers, and enterprise risks are escalated to a Strategic Risk Database (SRDB) such as SECTARA. Decisions concerning the extent of documentation may involve costs and benefits and should consider a range of factors. At each stage of the process, documentation should include: a) objectives; b) information sources; c) assumptions; and d) decisions. The Appendices include examples of a risk register and treatment plan, however, more detailed templates are also available from the Risk Management team.
This is an example of a risk management procedure:
The Excel Spreadsheet that I used to create the process flow in Figure 2:
And just in case you need it, a procedure on how to create a procedure (yes, it's all a bit circular but there you go anyway):
You can also download a risk register and other templates from the DOWNLOADS menu.
if you'd like a one-on-one consultation to help with a particular challenge, feel free to book a consultation via this link.
You might also find this process helpful. I've used it to help many organizations, as well as personally, resolve challenges and decisions that had been hanging around for months. It's worth a try. It's pretty intuitive, but call me if you'd like to know more.
I'm about to publish a short course on 'How to develop, communicate, and apply a risk management procedure', so if you'd like to know more about it, just subscribe to my occasional emails, and I'll let you know when it's ready.
You can register for my latest free webinars and virtual training at this link.
This article and the attached templates are just examples of risk management procedures. And the procedure is only a small part of a risk management framework. Other elements can include policies, forms, codes of practice, or various management elements. The best place to start for a template is with your own organization's templates and modify them accordingly. I've also chosen to use ISO31000 Risk Management Guidelines because it is the internationally recognized standard endorsed by 162 (at last count) countries. But there are plenty of others, and if you want to start from scratch, that is fine. I tend to prefer ISO31000 because if I should ever have to explain myself in a court of law, I'd prefer not to explain in detail why I created a new process rather than follow the international standard. I think you can see where I'm coming from with that.