- Define What You Want to Get Out of Managing Operational Risk
- Select and Apply a ‘Set of Rules’ How to Manage Operational Risk in Your Organisation – The Risk Management Framework
- Understand Key Information About the Standard
- Implement Your Risk Management Framework or Align Your Existing Risk Management Activities with the Standard – The Author’s Experience
- Final Remarks
Raising the subject of operational risk management provokes a range of reactions in line management and staff alike. Those I have witnessed over the years span from excitement (particularly on the part of risk practitioners) to eye rolling. While a plethora of great technical information on risk management has been produced over the years, it is yet to win over the eye-rolling fraction. This piece draws on practical experience, including failures and how to overcome them, in developing and implementing risk management frameworks. The article provides a series of considerations and steps to assist preparation for the implementation of formalised risk management or to enhance the effectiveness of existing risk management efforts. In doing so, I will demonstrate the value of going beyond merely ticking the risk management box while providing practical tips on how to do this in the ‘real world’. Yes, there will be some technical information that provides important context, in particular that which relates to the International Standard ‘ISO 31000:2009 Risk management – Principles and guidelines’ (the Standard). However, it is located in an appendix connected through links in the body of the article. You can choose to omit this information or to go into more depth where you are interested. Due to the complexity of this subject and the size of this article, I can only address key information. Therefore, I will first outline three main preparatory steps which should precede implementation, and then relate important considerations, gleaned from my years in risk management roles, which should guide implementation. In other words, how to manage operational risk ‘in a nutshell’.
Define What You Want to Get Out of Managing Operational Risk
The Standard defines risk as “effect of uncertainty on objectives”. The key outcomes of managing operational risk should include:
a) Support the achievement of your organisation’s objectives
Effective risk management should support your organisation in achieving its objectives. That is, it must be aligned with the objectives of your organisation as outlined in its corporate, strategic, business or other plans and in the individual plans of its line management. You want to spend your resources only on managing risks that actually have consequences for your organisation’s objectives; if they don’t, they might not even be your organisation’s risks.
b) Decision making is supported by risk assessment
When making key decisions in your organisation, you want to understand the risks and opportunities involved in each decision, based on the best information available at the time the decision is made.
c) Satisfy stakeholder expectations and improve their confidence and trust
Customers, shareholders, insurance providers, boards, risk and audit committees, along with governments and relevant regulators, typically have a strong expectation that organisations implement an effective risk management framework (or even require them to do so), and the organisation needs to demonstrably fulfil this expectation. Australian examples of formal requirements include:
- ASX Principle 7 (Corporate Governance Principles and Recommendations - ASX Corporate Governance Council) related to ASX listed entities; and
- TPP 15-03 — Internal Audit and Risk Management Policy for the New South Wales Public Sector
d) Improve loss prevention and incident management
There are always valuable lessons to be learned from incidents that caused your organisation to suffer financial loss, loss of reputation, etc. Unfortunately, the lessons learned are not always documented and can be lost, for example through staff turnover. Even when documented, the information gained may not always be available to those who need it, when they need it, as part of their decision making. A good and cost effective approach to solving this issue is to link the lessons learned from incidents to the risk assessments in your risk register. Needless to say, an incident with negative consequences that can recur is itself a risk.
Select and Apply a ‘Set of Rules’ How to Manage Operational Risk in Your Organisation – The Risk Management Framework
In order to implement operational risk management across all levels of an organisation, and to ensure that all employees who are involved in risk management pull together, a common ‘set of rules’ is required. This set of rules determines how risk management is performed in the organisation. It includes a ‘set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation’ (ISO 31000:2009). This is called a Risk Management Framework (the Framework). To ensure stakeholder recognition and practicality of the Framework, organisations typically choose one that is based on a widely accepted approach. Please refer to the appendix if you are interested in more information. Due to its wide scope and high level of acceptance in Australia across industry and the public service, this article is based on the Standard.
Understand Key Information About the Standard
As mentioned in the introduction, the scope of this article cannot include detailed explanation of the Standard and how it is applied to an organisation. However, there is some basic information one should be aware of when talking about the Standard.
a) Key components of the Standard and their relationship
e) Certification against the standard
According to the International Organisation for Standardisation (ISO) the Standard cannot be used for certification purposes.
f) Enterprise risk management
The Standard does not include the term ‘Enterprise Risk Management’. It takes, by definition, a whole-of-organisation view of risk management. In the author’s opinion, when people use the term Enterprise Risk Management they typically imply that risk management is:
- applied to an organisation as a whole;
- at all its levels; and
- to specific functions, projects and activities.
This is again consistent with the Standard.
Implement Your Risk Management Framework or Align Your Existing Risk Management Activities with the Standard – The Author’s Experience
In this section I would like to share with you some of my personal experience regarding the implementation or enhancement of an organisation’s risk management framework. For a more detailed understanding, take a look at technical report ISO/TR 31004:2013, which assists organisations in implementing or enhancing the effectiveness of their risk management efforts by aligning them with the Standard.
a) Leadership
In my opinion it is fair to say that without demonstrated top-down leadership, the implementation of formalised operational risk management in your organisation will inevitably fail. In my experience, where the head of an organisation does not own their risk management framework and does not demonstrate to line management that they are expected to follow the process, the following issues with respect to line management’s cooperation can occur:
- Ignoring the process as a whole;
- Implementing their own process within their area of responsibility, which might even compete with the organisation’s process but will certainly confuse staff; and
- Denying support to the individual who has been assigned the responsibility to execute the implementation of the framework, which will jeopardise its success.
b) Risk management as part of planning
One of the expectations related to the key outcomes of operational risk management, as mentioned above, is that risk management supports the achievement of your organisation’s objectives. Planning is the perfect time to perform risk assessments related to the objectives of each function of your organisation. Once you understand the risks and opportunities related to the objectives of each of your particular plans, you gain an improved understanding of the related budget (including the cost of risk mitigation) or might even change the plan altogether (becoming more or less risk averse). This may sound trivial, but you might want to check how formalised this process is in your organisation. A simplified example is given below.
c) Training
The success of your risk management framework is directly contingent upon the organisation’s internal and external personnel being able to discharge their risk management duties. Unfortunately, training such as formal external courses can be relatively costly, yet it needs to be both effective and efficient; that is, training not only needs to produce effective outcomes but must do so cost effectively and with minimal interruption to the business.
Scope of training
Not every internal and external staff member in the organisation needs to know everything about the organisation’s risk management framework. In practice, the framework document itself is often used only as reference material, supported by customised procedures related to functions, projects or activities. Depending on your organisation’s resources and attitude, training might cover only the defined skillset required to fulfil the risk management tasks allocated to individual roles.
Pitfalls of training and how to avoid them
I encountered one of my worst failures when I was naive enough to think that I could simply explain to colleagues the risk management process related to their area of responsibility, and that these individuals would then promptly execute their duties. My first training session ended up with an extremely bored group reading emails, falling asleep and one person snoring. In cooperation with a professional trainer, I then developed a training course in which the manager of a team ran their own risk workshop together with their team, analysing risks within their area of responsibility. This method proved successful. However, it can also be challenging, as the manager may sometimes be put ‘on the spot’ in front of their team. Such a situation can be prevented through detailed preparation prior to, and appropriate support during, the training.
It is paramount to train the line manager to identify risks in line with their objectives prior to the workshop, as the workshop will be less effective when people do not perceive the workshopped risks as their key risks.
Training on-demand
Less complex activities, such as performing a control action in the organisation’s Governance, Risk and Compliance management (GRC) software, can be trained through customised tutorial videos integrated in the software or accessible through the organisation’s intranet.
d) Risk ownership
I have encountered organisations where risk workshop participants assessed a risk and allocated a risk owner who was neither present nor informed of the fact that this risk had been assigned to them. There was also no set of rules in place defining which risks had to be assigned to which risk owner. Such an approach is prone to failure. However, sometimes a risk analysis is required in order to identify the right risk owner in the first place. Only the risk owner can approve the outcome of the risk assessment and the relevant risk treatment, where required. The risk owner takes responsibility for the risk being managed, and only the risk owner can perform and approve recurring assessments of the risk, e.g. determining a reduced level of risk due to the gradual implementation of additional controls.
e) Delegation of authority
Not every risk owner can approve every level of risk. Defined risk levels (e.g. Very High, High, Moderate) need to be linked to delegated authorities. This will also ensure risk escalation.
Example: Finance Team - Organisation Chart (by Risiko)
f) Quality of risk information and reporting
Training and leadership, as mentioned above, should aim to ensure high quality risk information.
Risk register and further risk reporting
Where the quality of the risk register and further risk reporting, such as Executive risk reporting, is insufficient, for example when:
- identified risks are not aligned with objectives;
- risk events, causes, consequences, existing controls and additional risk mitigation are incomplete or unclear; or
- the articulation of a risk register or report as a whole is difficult to understand,
the readers of these reports (responsible line management) might ask themselves why they should read this information on top of their workload. Not reading and questioning these reports leads in turn to a situation where those who generate them ask themselves why they should maintain their risk registers and provide these reports on top of their own workload. It is clear how this situation can then lead to the failure of operational risk management in an organisation.
Risk performance reporting
The quality of risk information also depends on its timeliness and completeness. Where risk registers are not updated and their risks are not reassessed on a regular basis, information becomes outdated and loses its value. Additionally, planned risk mitigation, including the actions outlined in the risk register, must be updated so that the reader can see that these actions are actually being executed. Simple risk performance reporting, including traffic lights (nobody wants to be reported against red traffic lights), will help keep risk information up to date.
g) Meeting diverse risk management needs
The different functions of your organisation operate in varying environments and therefore have individual risk management needs; e.g.:
- Project management requests reporting on project as well as on program level;
- The Finance team requests specific Key Risk Indicator (KRI) reporting; and
- The Safety team requests reporting on Hierarchy of Risk Control.
Unfortunately, these individual needs can turn out to be mutually exclusive. For example, a Hierarchy of Risk Control has no value for Finance and IT managers, and project management’s need to report at program and project level is likely to be irrelevant to the Safety team. A practical solution for managing the diversity of risk management needs is to identify what I have been calling, in this context, ‘areas of risk’ and to define them in the organisation’s risk management framework. This definition can include:
- Individual risk management requirements of functions and how to meet them;
- Individual risk reporting;
- Individual risk categories; etc.
A highly simplified example is given below. The areas of risk can, of course, be different from organisation to organisation.
h) Risk Management/GRC Software
Depending on the complexity of your organisation and the number of people involved in risk management activities, executing risk management responsibilities may not be feasible using spreadsheets and emails. Risk management/GRC software should put your risk management framework into action, provide cost effective support and increase efficiency. It should be intuitive and relatively easy to use. The more difficult the software is to use, the more training is required and the higher the chance that staff will not adopt the system. It needs to be easily usable on mobile devices, as not all of the organisation’s users necessarily work at a computer. The software should also support the concept of individual risk areas, as explained above.
i) Reduce complexity and cost of Framework, software implementation and training
Again, depending on the size and complexity of an organisation, risk management or GRC software implementations can be complex and expensive, especially where there is a need to deploy an implementation team including IT specialists and business process people. Fortunately, within less complex, smaller and mid-size organisations, flexible on-demand software can be implemented by the same person who advises your organisation on its framework and process. These organisations have the opportunity to deal with just one point of contact who not only advises them on framework and process but also executes their software implementation and executes or supports staff training, as outlined above. After all, this person would know as much about your organisation’s risk management or GRC software as your user administrator who was trained by them.
Final Remarks
You can see, or would have known already prior to reading this article, that getting all personnel involved in risk management in your organisation to pull together, and receiving good outcomes from your investment, can become somewhat complex. This article can certainly not replace the professional advice you could receive from an experienced operational risk consultant, which may be required to help your organisation implement formalised risk management or enhance the effectiveness of existing risk management efforts. However, I hope that I have provided you with valuable background information, considerations and ideas ‘in a nutshell’ for going about this subject. I look forward to receiving your feedback and hearing of your challenges.
Technical Information Related to the Standard
Select and Apply a ‘Set of Rules’ How to Manage Operational Risk in Your Organisation – The Risk Management Framework
The most prevalent Framework approaches include:
ISO 31000:2009 Risk management – Principles and guidelines
The Standard, developed by risk management practitioners, has been reviewed and revised many times by thousands of contributors around the world. Consequently, it encapsulates a high degree of consensus on how best to manage risk within organisations. It provides principles and generic guidelines on risk management that can be used by any public, private or community enterprise, association, group or individual. According to its scope, it can be applied to any type of risk, whatever its nature and whether it has positive or negative consequences. The Standard is recognised as the national risk management standard in more than 40 countries around the world.
COSO 2013 Internal Control – Integrated Framework
COSO 2013 Internal Control – Integrated Framework has been developed predominantly by accountants and auditors. It is mainly applied in the U.S. and widely perceived to have a narrower scope than the Standard.
Understand Key Information about the Standard
a) The key components of the Standard and their relationship: The Standard comprises three key components:
- Principles;
- Framework; and
- Process.
The depiction below is abstracted from the Standard and shows these three components and their relationship to one another:
Figure 1 - Relationships between the risk management principles, framework and process.
b) Principles: According to the Standard, risk management in an organisation can only be effective when it complies with all 11 principles, as outlined in the left box of the depiction above. In order to apply the 11 principles successfully, your organisation will need to define how it puts these principles into action.
Example – principle H): ‘Risk management takes human and cultural factors into account.’ The Standard states that: ‘Risk management recognises and addresses the capabilities, perceptions and intentions, cultural background and level of training of its external and internal people that can facilitate or hinder the achievement of the organisation’s objectives.’
How to implement this principle
You need to define or explain how this is done in your organisation and ensure it is integrated into related HR and line management processes. After all, if you want to live by your organisation’s principles and maintain credibility, you need to be able to demonstrate that you comply with your statement.
c) Framework:
Clarification of term
In the depiction above, the second component of the Standard (the box in the middle) is called Framework. To avoid confusion, it should be mentioned that in practice an organisation’s document describing how it applies Principles, Framework and Process is often also called the organisation’s risk management framework. Explaining the content of the Framework (being the second component of the Standard) is, unfortunately, beyond the scope of this article. Therefore, we need to leave it at the following definition from the Standard, for now.
Definition: “A risk management framework is a set of components that provide the foundations and organisational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organisation."
d) Process: As with the Framework, explaining the content of the Process is beyond the scope of this article. Therefore, we will need to leave it at the following definition from the Standard, for now:
Definition: ‘Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, analysing, evaluating, treating, monitoring and reviewing risk.’