1. Risk

Risk can be defined as the combination of the probability of an event and its consequences (ISO/IEC Guide 73).

In all types of undertaking, there is the potential for events and consequences that constitute opportunities for benefit (upside) or threats to success (downside).

Risk Management is increasingly recognised as being concerned with both positive and negative aspects of risk. Therefore this standard considers risk from both perspectives.

In the safety field, it is generally recognised that consequences are only negative and therefore the management of safety risk is focused on prevention and mitigation of harm.
2. Risk Management

Risk management is a central part of any organisation’s strategic management. It is the process whereby organisations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.

The focus of good risk management is the identification and treatment of these risks. Its objective is to add maximum sustainable value to all the activities of the organisation. It marshals the understanding of the potential upside and downside of all those factors which can affect the organisation. It increases the probability of success, and reduces both the probability of failure and the uncertainty of achieving the organisation’s overall objectives.

Risk management should be a continuous and developing process which runs throughout the organisation’s strategy and the implementation of that strategy. It should address methodically all the risks surrounding the organisation’s activities past, present and in particular, future.

It must be integrated into the culture of the organisation with an effective policy and a programme led by the most senior management. It must translate the strategy into tactical and operational objectives, assigning responsibility throughout the organisation with each manager and employee responsible for the management of risk as part of their job description. It supports accountability, performance measurement and reward, thus promoting operational efficiency at all levels.

2.1 External and Internal Factors

The risks facing an organisation and its operations can result from factors both external and internal to the organisation.

The diagram overleaf summarises examples of key risks in these areas and shows that some specific risks can have both external and internal drivers and therefore overlap the two areas. They can be categorised further into types of risk such as strategic, financial, operational, hazard, etc.
2 A Risk Management Standard
2.2 The Risk Management Process

[Diagram: The Risk Management Process. Flow: The Organisation’s Strategic Objectives -> Risk Assessment (Risk Analysis: Risk Identification, Risk Description, Risk Estimation; then Risk Evaluation) -> Risk Reporting: Threats and Opportunities -> Decision -> Risk Treatment -> Residual Risk Reporting -> Monitoring. Side loops: Formal Audit; Modification (feedback from Monitoring to the earlier stages).]

Risk management protects and adds value to the organisation and its stakeholders through supporting the organisation’s objectives by:

• providing a framework for an organisation that enables future activity to take place in a consistent and controlled manner
• improving decision making, planning and prioritisation by comprehensive and structured understanding of business activity, volatility and project opportunity/threat
• contributing to more efficient use/allocation of capital and resources within the organisation
• reducing volatility in the non essential areas of the business
• protecting and enhancing assets and company image
• developing and supporting people and the organisation’s knowledge base
• optimising operational efficiency
of risks. The use of a well designed structure is necessary to ensure a comprehensive risk identification, description and assessment process. By considering the consequence and probability of each of the risks set out in the table, it should be possible to prioritise the key risks that need to be analysed in more detail.

Identification of the risks associated with business activities and decision making may be categorised as strategic, project/tactical, operational. It is important to incorporate risk management at the conceptual stage of projects as well as throughout the life of a specific project.
4.2.1 Table - Risk Description

1. Name of Risk

2. Scope of Risk
   Qualitative description of the events, their size, type, number and dependencies

3. Nature of Risk
   Eg. strategic, operational, financial, knowledge or compliance

4. Stakeholders
   Stakeholders and their expectations

5. Quantification of Risk
   Significance and Probability

6. Risk Tolerance/Appetite
   Loss potential and financial impact of risk
   Value at risk
   Probability and size of potential losses/gains
   Objective(s) for control of the risk and desired level of performance

7. Risk Treatment & Control Mechanisms
   Primary means by which the risk is currently managed
   Levels of confidence in existing control
   Identification of protocols for monitoring and review

8. Potential Action for Improvement
   Recommendations to reduce risk

9. Strategy and Policy Developments
   Identification of function responsible for developing strategy and policy
4.3 Risk Estimation

Risk estimation can be quantitative, semi-quantitative or qualitative in terms of the probability of occurrence and the possible consequence.

For example, consequences both in terms of threats (downside risks) and opportunities (upside risks) may be high, medium or low (see table 4.3.1). Probability may be high, medium or low but requires different definitions in respect of threats and opportunities (see tables 4.3.2 and 4.3.3).

Examples are given in the tables overleaf. Different organisations will find that different measures of consequence and probability will suit their needs best.

For example many organisations find that assessing consequence and probability as high, medium or low is quite adequate for their needs and can be presented as a 3 x 3 matrix.

Other organisations find that assessing consequence and probability using a 5 x 5 matrix gives them a better evaluation.
Table 4.3.3 Probability of Occurrence - Opportunities

Estimation: High (Probable)
Description: Favourable outcome is likely to be achieved in one year or better than 75% chance of occurrence.
Indicators: Clear opportunity which can be relied on with reasonable certainty, to be achieved in the short term based on current management processes.

Estimation: Medium (Possible)
Description: Reasonable prospects of favourable results in one year of 25% to 75% chance of occurrence.
Indicators: Opportunities which may be achievable but which require careful management. Opportunities which may arise over and above the plan.

Estimation: Low (Remote)
Description: Some chance of favourable outcome in the medium term or less than 25% chance of occurrence.
Indicators: Possible opportunity which has yet to be fully investigated by management. Opportunity for which the likelihood of success is low on the basis of management resources currently being applied.
4.4 Risk Analysis methods and techniques

A range of techniques can be used to analyse risks. These can be specific to upside or downside risk or be capable of dealing with both. (See Appendix, page 14, for examples).

4.5 Risk Profile

The result of the risk analysis process can be used to produce a risk profile which gives a significance rating to each risk and provides a tool for prioritising risk treatment efforts. This ranks each identified risk so as to give a view of the relative importance.

This process allows the risk to be mapped to the business area affected, describes the primary control procedures in place and indicates areas where the level of risk control investment might be increased, decreased or reapportioned.

Accountability helps to ensure that ‘ownership’ of the risk is recognised and the appropriate management resource allocated.
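The following is an added worked example, not part of the standard, showing how the 3 x 3 estimation of section 4.3 turns into the ranked, area-mapped risk profile of section 4.5. It assumes (none of this is stated by the standard) that the 25% and 75% boundaries of table 4.3.3 are applied to a numeric one-year probability, that consequence arrives already banded as high/medium/low, and that the significance rating is the product of the two band scores; the register entries are constructed sample data.

```python
"""Risk profile from a risk register (added example; assumptions noted inline)."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    business_area: str
    probability: float     # estimated chance of occurrence within one year, 0.0 - 1.0
    consequence: str       # "high" / "medium" / "low" (banded as in table 4.3.1)
    primary_control: str   # primary control procedure currently in place


# Ordinal score per band; the product gives a 3 x 3 significance rating (assumption).
BAND_SCORE = {"high": 3, "medium": 2, "low": 1}


def probability_band(p: float) -> str:
    """Band a numeric probability using the thresholds of table 4.3.3:
    High (Probable) better than 75%, Medium (Possible) 25% to 75%, Low (Remote) under 25%.
    The standard gives separate definitions for threats; reusing these thresholds
    for both is an assumption of this example."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability must be in [0, 1], got {p}")
    if p > 0.75:
        return "high"
    if p >= 0.25:
        return "medium"
    return "low"


def significance(risk: Risk) -> int:
    """3 x 3 matrix score: probability band score x consequence band score (1..9)."""
    cons = risk.consequence.lower()
    if cons not in BAND_SCORE:
        raise ValueError(f"unknown consequence band {risk.consequence!r}")
    return BAND_SCORE[probability_band(risk.probability)] * BAND_SCORE[cons]


def risk_profile(register):
    """Rank risks by significance (highest first, then by name) and keep the
    business area and existing control beside each, as section 4.5 describes."""
    ranked = sorted(register, key=lambda r: (-significance(r), r.name))
    return [
        {
            "rank": i + 1,
            "name": r.name,
            "area": r.business_area,
            "probability": probability_band(r.probability),
            "consequence": r.consequence.lower(),
            "significance": significance(r),
            "control": r.primary_control,
        }
        for i, r in enumerate(ranked)
    ]


def by_business_area(profile):
    """Map the profile back to the business areas affected (ranked order preserved)."""
    areas = {}
    for row in profile:
        areas.setdefault(row["area"], []).append(row["name"])
    return areas


# Constructed sample register; values are illustrative only.
SAMPLE_REGISTER = [
    Risk("Loss of key supplier", "Operations", 0.30, "high", "Dual sourcing"),
    Risk("Data centre outage", "IT", 0.10, "high", "Standby site"),
    Risk("Regulatory fine", "Compliance", 0.80, "medium", "Compliance reviews"),
    Risk("Minor staff turnover", "HR", 0.90, "low", "Retention programme"),
]

if __name__ == "__main__":
    for row in risk_profile(SAMPLE_REGISTER):
        print(row)
    print(by_business_area(risk_profile(SAMPLE_REGISTER)))
```

A 5 x 5 matrix is the same computation with five bands and five scores; the ranking and area mapping are unchanged.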
5. Risk Evaluation

When the risk analysis process has been completed, it is necessary to compare the estimated risks against risk criteria which the organisation has established. The risk criteria may include associated costs and benefits, legal requirements, socio-economic and environmental factors, concerns of stakeholders, etc. Risk evaluation therefore, is used to make decisions about the significance of risks to the organisation and whether each specific risk should be accepted or treated.
Good corporate governance requires that companies adopt a methodical approach to risk management which:

• protects the interests of their stakeholders
• ensures that the Board of Directors discharges its duties to direct strategy, build value and monitor performance of the organisation
• ensures that management controls are in place and are performing adequately

The arrangements for the formal reporting of risk management should be clearly stated and be available to the stakeholders.

The formal reporting should address:

• the control methods - particularly management responsibilities for risk management
• the processes used to identify risks and how they are addressed by the risk management systems
• the primary control systems in place to manage significant risks
• the monitoring and review system in place

Any significant deficiencies uncovered by the system, or in the system itself, should be reported together with the steps taken to deal with them.
7. Risk Treatment

Risk treatment is the process of selecting and implementing measures to modify the risk. Risk treatment includes as its major element, risk control/mitigation, but extends further to, for example, risk avoidance, risk transfer, risk financing, etc.

NOTE: In this standard, risk financing refers to the mechanisms (eg insurance programmes) for funding the financial consequences of risk. Risk financing is not generally considered to be the provision of funds to meet the cost of implementing risk treatment (as defined by ISO/IEC Guide 73; see page 17).

Any system of risk treatment should provide as a minimum:

• effective and efficient operation of the organisation
• effective internal controls
• compliance with laws and regulations.

The risk analysis process assists the effective and efficient operation of the organisation by identifying those risks which require attention by management. They will need to prioritise risk control actions in terms of their potential to benefit the organisation.

Effectiveness of internal control is the degree to which the risk will either be eliminated or reduced by the proposed control measures.

Cost effectiveness of internal control relates to the cost of implementing the control compared to the risk reduction benefits expected.

The proposed controls need to be measured in terms of potential economic effect if no action is taken versus the cost of the proposed action(s) and invariably require more detailed information and assumptions than are immediately available.
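As an added example (not the standard’s own method), the two measures just defined, effectiveness and cost effectiveness of a proposed control, can be applied to a set of candidate controls and compared against the "no action" baseline. It assumes that a risk is expressed as an annual probability and a monetary consequence so that expected loss is their product, that effectiveness is the fraction of expected loss removed, and that cost effectiveness is the expected-loss reduction minus the control’s annual cost; the controls and figures are constructed.

```python
"""Effectiveness and cost effectiveness of candidate controls (added example)."""
from dataclasses import dataclass


@dataclass
class Control:
    name: str
    annual_cost: float            # cost of implementing and running the control per year
    residual_probability: float   # probability of the event once the control is in place
    residual_consequence: float   # monetary consequence once the control is in place


def expected_loss(probability: float, consequence: float) -> float:
    """Potential economic effect per year (assumption: probability x consequence)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability must be in [0, 1], got {probability}")
    return probability * consequence


def effectiveness(probability: float, consequence: float, control: Control) -> float:
    """Degree (0..1) to which the risk is eliminated or reduced by the control."""
    before = expected_loss(probability, consequence)
    if before == 0:
        return 0.0  # nothing to reduce
    after = expected_loss(control.residual_probability, control.residual_consequence)
    return max(0.0, (before - after) / before)


def net_benefit(probability: float, consequence: float, control: Control) -> float:
    """Risk reduction benefit minus the cost of implementing the control.
    Taking no action has a net benefit of 0 by definition."""
    before = expected_loss(probability, consequence)
    after = expected_loss(control.residual_probability, control.residual_consequence)
    return (before - after) - control.annual_cost


def evaluate_controls(probability: float, consequence: float, controls):
    """Rank controls by net benefit; a control is cost effective only if it beats
    the no-action baseline, i.e. its net benefit is positive."""
    rows = []
    for c in controls:
        nb = net_benefit(probability, consequence, c)
        rows.append({
            "control": c.name,
            "effectiveness": effectiveness(probability, consequence, c),
            "net_benefit": nb,
            "cost_effective": nb > 0,
        })
    rows.sort(key=lambda r: -r["net_benefit"])
    return rows


# Constructed sample: a 20% annual chance of a 500,000 loss (expected loss 100,000).
SAMPLE_PROBABILITY = 0.20
SAMPLE_CONSEQUENCE = 500_000.0
SAMPLE_CONTROLS = [
    Control("Backup generator", 15_000.0, 0.05, 500_000.0),   # cuts probability
    Control("Insurance", 30_000.0, 0.20, 100_000.0),          # cuts consequence (risk financing)
    Control("Full site rebuild", 120_000.0, 0.01, 500_000.0), # very effective, too costly
]

if __name__ == "__main__":
    for row in evaluate_controls(SAMPLE_PROBABILITY, SAMPLE_CONSEQUENCE, SAMPLE_CONTROLS):
        print(row)
```

The most effective control (the rebuild) is not the most cost effective one; the ranking is what lets management prioritise control actions by their potential to benefit the organisation rather than by risk reduction alone.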
9. The Structure and Administration of Risk Management

9.1 Risk Management Policy

An organisation’s risk management policy should set out its approach to and appetite for risk and its approach to risk management. The policy should also set out responsibilities for risk management throughout the organisation.

Furthermore, it should refer to any legal requirements for policy statements eg. for Health and Safety.

Attaching to the risk management process is an integrated set of tools and techniques for use in the various stages of the business process. To work effectively, the risk management process requires:

• commitment from the chief executive and executive management of the organisation
• assignment of responsibilities within the organisation
• allocation of appropriate resources for training and the development of an enhanced risk awareness by all stakeholders.

9.2 Role of the Board

The Board has responsibility for determining the strategic direction of the organisation and for creating the environment and the structures for risk management to operate effectively.

This may be through an executive group, a non-executive committee, an audit committee or such other function that suits the organisation’s way of operating and is capable of acting as a ‘sponsor’ for risk management.

The Board should, as a minimum, consider, in evaluating its system of internal control:

• the nature and extent of downside risks acceptable for the company to bear within its particular business
• the likelihood of such risks becoming a reality
• how unacceptable risks should be managed
• the company’s ability to minimise the probability and impact on the business
• the costs and benefits of the risk and control activity undertaken
• the effectiveness of the risk management process
• the risk implications of board decisions

9.3 Role of the Business Units

This includes the following:

• the business units have primary responsibility for managing risk on a day-to-day basis
• business unit management is responsible for promoting risk awareness within their operations; they should introduce risk management objectives into their business
• risk management should be a regular management-meeting item to allow consideration of exposures and to reprioritise work in the light of effective risk analysis
• business unit management should ensure that risk management is incorporated at the conceptual stage of projects as well as throughout a project
10. Appendix

Risk Identification Techniques - examples

• Brainstorming
• Questionnaires
• Business studies which look at each business process and describe both the internal processes and external factors which can influence those processes
• Industry benchmarking
• Scenario analysis
• Risk assessment workshops
• Incident investigation
• Auditing and inspection
• HAZOP (Hazard & Operability Studies)

Risk Analysis Methods and Techniques - examples

Upside risk
• Market survey
• Prospecting
• Test marketing
• Research and Development
• Business impact analysis

Both
• Dependency modelling
• SWOT analysis (Strengths, Weaknesses, Opportunities, Threats)
• Event tree analysis
• Business continuity planning
• BPEST (Business, Political, Economic, Social, Technological) analysis
• Real Option Modelling
• Decision taking under conditions of risk and uncertainty
• Statistical inference
• Measures of central tendency and dispersion
• PESTLE (Political Economic Social Technical Legal Environmental)

Downside risk
• Threat analysis
• Fault tree analysis
• FMEA (Failure Mode & Effect Analysis)
On the following pages are extracts from the document PD ISO/IEC Guide 73: 2002
reproduced with the permission of British Standards Institution under licence number
2002SK/0313. British Standards can be obtained from BSI Customer Services,
389 Chiswick High Road, London W4 4AL. (Tel + 44 (0) 20 8996 9001)
The Institute of Risk Management
6 Lloyd’s Avenue, London EC3N 3AX
Telephone 020 7709 9808
Facsimile 020 7709 0716
Email enquiries@theIRM.org
www.theirm.org

ALARM The National Forum for Risk Management in the Public Sector
Queens Drive, Exmouth, Devon, EX8 2AY
Telephone 01395 223399
Facsimile 01395 223304
Email admin@alarm.uk.com
www.alarm-uk.com

The Association of Insurance and Risk Managers
6 Lloyd’s Avenue, London EC3N 3AX
Telephone 020 7480 7610
Facsimile 020 7702 3752
Email enquiries@airmic.co.uk
www.airmic.com
This publication is available from the above organisations for download from their respective websites free of charge.
Please contact the individual associations if you wish to purchase more copies of this Risk Management Standard in printed form.