An example of a Risk Management Procedure
<Downloadable MS Office Templates are at the bottom of the page>
I'm a fan of straightforward documents. Especially when you want people to take action. Fifty page procedures rarely get followed - or even read. The following however, is an example of a risk management procedure which addresses six main areas:
RISK MANAGEMENT PROCEDURE
This procedure provides information for all personnel who are responsible for risk management.
The objectives of this risk-based system of internal control are to assist in achieving our strategic objectives for the benefit of shareholders and the community by:
protecting our people, the community, and commonwealth assets (financial, property, and information)
facilitating optimal use of resources and provide a system for setting priorities when there are competing demands on limited resources
assisting us to realise opportunities
providing stakeholders and the Australian Community with grounds for confidence in the Organization
supporting innovative decision making through recognition of threats and opportunities
improving service delivery, reporting systems, outcomes and accountability
ISO31000:2018 Risk Management Guidelines
Risk Management Policy
Strategic (Enterprise) Risk Management Guideline
Program (Divisional) Risk Management Guideline
Project Risk Management Guideline
Operational Risk Management Guideline
Risk Monitoring and Reporting Manual
Risk Management Team Intranet Site
Barrier An existing control. includes systems and procedures already in place to mitigate risks. Consequence Collective sum of all impacts to the capabilities of an organization(s) including long term and indirect effects such as combined health, economic, and psychological impacts. Environment Conditions or influences comprising built, physical and social elements, which surround or interact with stakeholders and communities. Escalation Factors Conditions that lead to increased risk due to improvement or diminution of barriers or controls, Eg. Maintenance, foreign currency conditions, failure to audit or inspection treatments or controls. Hazard Something which has the potential to adversely impact (ie. cause harm) to an asset if not controlled or if deliberately released or applied. Eg. explosives, bio-hazards, flammable liquids, firearms, trojan, virus et cetera. Likelihood The qualitative of semi-quantitative assessment or estimation of whether an event will occur, Used as a qualitative description of probability and frequency. Impact The immediate downstream result of a risk manifesting. Multiple direct or indirect impacts, when aggregated, form the collective consequence(s) of the risk event. Risk The effect of uncertainty on objectives. Risk level The relative measure of risk as defined by the combination of likelihood and consequence. Risk Management The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects. The coordinated activities to direct and control an organization with regard to risk. Risk Treatment Measures that modify the characteristics of organizations, sources of risks, communities and environments to reduce risk, Source (of Risk) A real or perceived event, situation or condition with a real or perceived potential to cause harm or loss to stakeholders, communities or environment. Threat An indication of something impending that could attack the system. includes strategic threats such as a regional conflict or tactical threats such as impending physical attack. threats are usually measured in terms of intent and capability. the term includes known (stated or assessed intention or determination to inflict pain, loss or punishment on someone or something) or unknown (undeclared, hidden or potential) threats. Malicious threats such as system hacks, data destruction, data modification, theft of iP, bomb threats, sabotage, fraud, can be categorized within a range going from rational (obtaining something of value) to irrational (attack against of assets without benefit). Treatment Controls that are proposed (i.e. not yet existing) to reduce or mitigate the likelihood or consequence of an event occurring, that is to reduce the residual risk. Vulnerability The susceptibility of stakeholders, communities and environment to consequences of events.
Risk management is a core management requirement and integral part of day-to-day operations. As individuals we all play our part in managing risk and staff at all levels are responsible for understanding and implementing risk management principles and practices in their work areas. Division Heads, Line Managers, and Team Leaders are responsible for applying agreed risk management policy and strategies in their area of responsibility and are expected to:
Ensure that risk management is fully integrated with corporate planning processes and considered in the normal course of activities at all levels
Identify and evaluate the significant risks that may influence the achievement of business objectives
Assign accountability for managing risks within agreed boundaries
Ensure that a risk based approach is communicated to our people and embedded in business processes
Comply with internal policies, legislation, and relevant standards which relate to particular types of risk
Define acceptable levels for risk taking and apply fit for purpose mitigation measures where necessary
Design, resource, operate, and monitor internal risk management systems
Monitor the effectiveness of the system of risk management and internal control
Report identified weaknesses or incidents to executive management in timely fashion
Provide quarterly risk management and treatment progress reports to executive management
The Chief Risk Officer is responsible for the development, coordination, and promulgation of the Risk Management Framework including monitoring and reporting systems capable of identifying and reporting new and evolving risks. The Branch will coordinate training and assistance regarding implementation of the risk management framework, and ensure adequate information is available to all staff. The CEO is responsible for managing risk across the organization.
ISO31000 was developed with the objectives of providing a generic framework for identification, analysis, assessment, treatment and monitoring of risk. This Risk Management process follows the ISO31000 methodology (illustrated below).
Figure 1: ISO 31000 Risk Management Process The process of managing risk at <our company> involves:
establishing the context associated with the program goals and activities;
identifying the risks (including identifying the likelihood and consequences associated with each risk);
analyzing the risks;
assessing and prioritizing the risks;
treating the risks (including a cost/benefit analysis of the treatment options); and
continually monitoring and reviewing the risks and treatments
This is illustrated below in Figure 2 where responsibilities for each step are shown by the lines entering and leaving the respective element of the process flow.
Figure 2: Risk Management Process Flow This procedure should be read and applied in conjunction with the relevant <insert your company name> Risk Management Guideline and tailored accordingly to the appropriate level of area/activity being managed. These Guidelines and tools have been developed for the following organizational levels:
Strategic (Enterprise) Risk Management Guideline
Program Risk Management Guideline
Project Risk Management Guideline
Operational Risk Management Guideline
Establish the scope, context, and criteria. Define the stakeholders and review the levels of acceptable risk using tools such as consultative groups, and develop risk evaluation criteria. Successful RM requires the effective engagement of stakeholders and subject matter experts. Effective engagement enables the strategic management of uncertainty and develops resilience amongst those involved. RM goes far beyond being a technical or political process - it is also a communications process. Identify risks. Succinctly identify and describe the sources of risk, stakeholders, communities and environments. Scope the vulnerabilities and describe the risks. There may be great diversity of opinion on the actual risks and their various sources, given different perceptions, knowledge and experience. Analyze risks. Analyze the risk associated with the problem by determining the likelihood and consequence of the identified risks using appropriate tools and techniques.
Evaluate risks. Compare risks against risk evaluation criteria, prioritize the risks and decide on risk acceptability. Treat risks. Identify and evaluate the treatments. Respond to the level of risk by deciding which source of risk, stakeholders, communities or environment can be addressed, either by increasing resilience or robustness, to reduce risk. Model changes to obtain the new level of risk. Select treatments, plan and implement.
7. CONTINUOUS ACTIVITIES
Communication and consultation. Where stakeholders and communities contribute to the decision making process there is a much larger pool of information and expertise to enable appropriate solutions to be developed. For catastrophic events, communication and consultation is particularly important. Communication and consultation develop resilience amongst stakeholders and communities and will be invaluable in terms of regaining control of business activities.
Monitor and review. Systems that monitor and review risk, and its management, must be established and maintained. Latent and residual risk are ever-present. RM must be on going to ensure that change and uncertainty can be accommodated.
Recording and Reporting
Each stage of the risk management process should be appropriately documented to retain knowledge and satisfy audit requirements. Documentation should include objectives, information sources, assumptions, methods, decisions, and results. Individual projects and groups maintain Risk Registers, and enterprise risks are escalated to a Strategic Risk Database (SRDB) such as SECTARA. Decisions concerning the extent of documentation may involve costs and benefits and should take into account a range of factors. At each stage of the process, documentation should include: a) objectives; b) information sources; c) assumptions; and d) decisions. The Appendices include examples of a risk register and treatment plan, however more detailed templates are also available from the Risk Management team.
This is an example of a risk management procedure:
The Excel Spreadsheet that I used to create the process flow in Figure 2:
And just in case you need it, a procedure on how to create a procedure (yes, it's all a bit circular but there you go anyway):
You can also download a risk register and other templates from the DOWNLOADS menu.
if you'd like a one-on-one consultation to help with a particular challenge, feel free to book a free 15 minute consultation via this link. Best to act now by the way, as the free call option will expire in a few days. You might also find this process helpful. I've used it to help a lot of organizations, as well as personally, to resolve in hours, challenges and decisions that had been hanging around for months. It's worth a try. It's pretty intuitive but give me a call if you'd like to know more.
Free Training Course
I'm about to publish a free short course on 'How to develop, communicate, and apply a risk management procedure' so if you'd like to know more about it, just subscribe to my occasional emails and I'll let you know when it's ready. If you've got an idea for a short course on risk management or would like to see a particular topic covered in the RM Procedure course, now is you chance to influence that by sending me an email.
This article and the attached templates are just examples of risk management procedures. And procedure is only a small part of a risk management framework. Other elements can include policies, forms, codes of practice, or any variety of management elements. The best place to start for a template is with your own organization's templates and modify them accordingly. I've also chosen to use ISO31000 Risk Management Guidelines because it is the internationally recognized standard, endorsed by 162 (at last count) countries. But there are plenty of others, and if you want to start from scratch that is fine also. I tend to prefer ISO31000 though because if I should ever have to explain myself in a court of law, I'd prefer not to explain in detail why I created an new process rather than follow the international standard. I think you can see where I'm coming from with that.