
Risk Management Guide

Chapter 1: Introduction to the Risk Management Guide


Chapter 2: Establishing Context and Identifying Risks
Chapter 3: Evaluate Existing Controls
Chapter 4: Risk Analysis and Evaluation
Chapter 5: Risk Treatment
Disclaimer
This guide, and the tools and templates available from www.disasterresilience.com will support your
planning processes and strengthen your resilience. Using familiar software (Microsoft Word, Access,
Excel and PowerPoint), we focus on quality processes within a risk management framework. These
approaches serve as best practice models. They should not be used as "templates for duplication"
with global word changes. You should evaluate the significance of any requirements specific to your
context - then tailor your approach accordingly.
Introduction to the Risk Management Guide

Framework

This guide provides advice on implementing a risk management approach aligned with International Risk Management Principles and Guidelines ISO 31000.
Figure 1 Risk Management (ISO31000)
Icons

This guide is structured around two icons:
1. The folder icon flags advice on what needs to be done and how to do it. This will generally be text about a process, with an accompanying diagram.
2. The keyboard icon flags advice on how to record the outputs from what needs to be done and how to do it. This text will be specific to the data entry requirements, with an accompanying screenshot (in this case, of the Excel Spreadsheet tool).
Figure 2 Excel Spreadsheet screenshot: whole risk management process, full screen.

ICON KEY
Workbook advice
Tool advice

RISK MANAGEMENT GUIDE - ESTABLISH CONTEXT AND IDENTIFY RISKS

Establishing Context and Identifying Risks
Communication and Consultation - Stakeholders

The oil of the machine, the grist for the mill, the underpinning foundation: the central and significant role of effective communication and consultation cannot be overstated.

Risks are about the conditions and circumstances which give rise to uncertainty about the future. Those conditions and circumstances, and their management, are things in which many and varied people have an interest, some more directly than others. Therefore a first and fundamental step is to identify stakeholders (defined as anyone with an interest).

Second, not all stakeholders have the same level of "hold", that is, care or interest. Therefore it is important to differentiate stakeholders. Any of several techniques (such as the matrix provided here) are useful for mapping stakeholders.
Communication and Consultation - Stakeholders (continued)

A useful way of generating a list of who has an interest and what type of interest they have is to generate a process map called a SIPOC, which is short for Suppliers, Inputs, Process, Outputs, Customers. The SIPOC map should be started from the right hand side, identifying customers on the basis of who has an interest and what will be required to address that interest. This type of mapping also enhances your understanding of context.

Details on how to facilitate a SIPOC mapping process are available as Attachment A (at the back of this guide).
Communication and Consultation - Stakeholders

The output from the stakeholder identification and differentiation process is a list of initial stakeholders, which should be entered into the originator section of the Excel Spreadsheet by clicking on Add New Originator.
Figure 3 Establish Context and Identify Risks
Communication and Consultation - Risk Statements

Particular attention to detail should be exercised when generating a risk statement. A risk statement must derive from context. It is formulated in direct association with a task, goal, objective or value criterion of your business or organisation, often directly linked to your strategic plan, business plan or corporate plan.

When writing a risk statement, to strengthen clarity and meaning:
1. Write a complete sentence, consisting of a cause and effect.
2. Identify the cause as far upstream - in the chain of cause and effect - as is practical to manage. State the cause as a set of conditions, or as a trigger event.
3. State the effect upon the task, goal, objective, or value criterion under consideration.
4. Link the two clauses by a phrase such as "leads to", "causing" or "results in".

Example: "Having an outdated, unexercised business continuity plan leads to unacceptable vulnerability across the business"
Communication and Consultation - Risk Statements

Risk Statements are entered in individual rows under the Risk Statement column in Figure 3: Establish Context and Identify Risks (above).
Communication and Consultation - Consequence Criteria

Each of your risk statements may or may not have an association with your (tailored) risk assessment criteria. Your risk assessment criteria measure what you care about and how much you care. They need to reflect the context of the organisation, not simply be cut and pasted from a template of another organisation's set of values. Considerable care should be taken to ensure that appropriate criteria, reflecting your position, are developed.
Figure 4 Establishing assessment criteria is a social process
Communication and Consultation - Consequence Criteria

Where a value criterion (such as Outcome; Output; Community; Governance; People, and Environment) is triggered by an effect generating a possible consequence, a specific level of possible consequence should be attributed to the risk statement by selecting the appropriate drop down threshold in the Consequence column [as shown on the right hand side of Figure 3: Establish Context and Identify Risks (above)]. The threshold choices are 1 Insignificant; 2 Minor; 3 Moderate; 4 Major; or 5 Critical for each affected value criterion.

To support the clarity of your attribution, the symbol which leads to both the detailed description of thresholds and indicators should be clicked on. This advice on the value criteria and their thresholds can also be reached from the Consequence and Likelihood TAB at the bottom of the screen.
Figure 5 Risk Assessment Criteria
RISK MANAGEMENT GUIDE - EVALUATE EXISTING CONTROLS

Evaluate Existing Controls

What we do now to manage this risk

A control is any existing process, system, policy, device, structure, practice or other action that acts to minimize negative risk or enhance positive opportunities.

The identification of current controls is a fundamental and critical step. Risk levels cannot be determined until we can attribute a level of likelihood to the consequence, and the effectiveness of existing controls is crucial to informing our judgment on how likely a specific consequence is to arise. Once controls have been listed, each should be given an effectiveness score using performance indicators such as those outlined in Figure 6 below.
Performance Indicator
1. Risk reduction: This control prevents a significant proportion of losses posed by this risk.
2. Continuity of effects: The effects of the application of this control will be long term or ongoing.
3. Timing: The beneficial effects of this control are likely to be quickly realized.
4. Administrative efficiency: We have the expertise and this control is easily administered.
5. Cost-effectiveness: This control is cost-effective.
6. Synergy, leverage and compatibility: This control is likely to lead to further risk reducing actions by others. It is highly compatible with other controls that exist or are likely to be adopted.
7. Risk creation: Implementation of this control does not introduce new risks.
Figure 6 Considerations when assessing the effectiveness of existing controls
What we do now to manage this risk

The controls which have an impact on the consequence of each particular value criterion should be listed individually against the specific consequence criteria (for the risk statement under consideration). This will require copying in rows (to correspond with the number of relevant controls). This will then enable scoring for effectiveness to be attributed against each control.

To support the clarity of your attribution of effectiveness, the symbol which leads to both the detailed description of performance levels and performance indicators should be clicked on. (The Excel worksheet should be copied one sheet per control.) This advice can also be reached from the Effectiveness and Adequacy TAB at the bottom of the screen.

Figure 7 Control Effectiveness Advice TAB (Excel Spreadsheet)
Figure 8 Screenshot - Existing Controls Evaluated
An important risk management principle is a recognition that adequacy is a function of
effectiveness and consequence.
Once the level of control is determined, the Adequacy Matrix (below) provides an important tool to assess whether the control is likely to be appropriate, whether actions to improve the level or quality of the control are required, or indeed whether an entirely new way of thinking about developing other controls needs to be considered. (The adequacy of the existing control is automatically calculated within the Excel Spreadsheet based on the matrix below.)
Figure 9 Adequacy Matrix
Risk Analysis and Evaluation

Given the adequacy of current controls, determine the likelihood of the consequence

A level of likelihood for each consequence should be premised. It is important to focus on the likelihood of the consequence, NOT on the likelihood of the trigger event. The attribution of level should be against the criteria listed in Figure 10 below.

Likelihood Criteria
A  Almost certain to occur in most circumstances
B  Likely to occur frequently
C  Possible and likely to occur at some time
D  Unlikely to occur but could happen
E  May occur but only in rare and exceptional circumstances
Figure 10 Likelihood Criteria
Given the adequacy of current controls, determine the likelihood of the consequence

The consequence level will be automatically reproduced from the Establish Context and Identify Risks stage.

The level of likelihood which you premise will automatically generate a level of risk. This level of risk will be a function of three things - likelihood, the consequence you have already premised, and your agreed risk appetite [which is reflected in the allocation of risk levels (Low; Medium; High; Very High) to each of the 25 cells in the Consequence / Likelihood Matrix displayed on the bottom of Figure 5 and in the Consequence and Likelihood Worksheet].
Figure 11 Premise the likelihood of the specified consequence
In order to maximize access, the tool has been deliberately designed using an early version of Excel (2003). A constraint of this early version is a formula limitation that cannot generate more than three choices of colour; therefore, if you change the likelihood attribution, you will need to click on the running man icon to refresh the risk level colour displayed.
Figure 12 Risk Levels - suggested prioritisation for action
General advice about whether a level of risk requires treatment is provided in Figure 12. However, it is important to recognise the need to enable management discretion regarding both risk acceptance and solution resourcing options. Therefore the Accept Risk (Yes or No) and the Future Risk Target levels of the tool are not populated automatically. They are determined by the responsible party or parties, and the risk may (in certain circumstances) be carried even though the level might be high or very high.
Figure 13 Risk Acceptance and Future Risk Target Levels are management discretions
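The register logic that Chapters 2 to 4 describe (a risk statement linking cause to effect, a consequence level per value criterion, controls scored on the seven performance indicators, adequacy as a function of effectiveness and consequence, likelihood premised after the controls are evaluated, a risk level read off the 25-cell appetite matrix, and acceptance and target levels left blank for management) is shown below as an added Python example. It is not the guide's Excel tool. The adequacy and risk-appetite matrices, the 1 to 5 indicator score scale and the effectiveness band cut-offs are constructed assumptions: the guide shows its own allocations only in screenshots and expects each organisation to set them.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Optional, Tuple

# Chapter 2: a risk statement joins a cause to an effect with one of these phrases.
LINK_PHRASES = ("leads to", "causing", "results in")
# Chapter 2: the guide's five consequence thresholds per value criterion.
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Critical"}
# Chapter 4: the guide's five likelihood levels for the consequence.
LIKELIHOOD = ("A", "B", "C", "D", "E")
# Chapter 3: the seven performance indicators scored for each existing control.
INDICATORS = ("risk reduction", "continuity of effects", "timing",
              "administrative efficiency", "cost-effectiveness",
              "synergy, leverage and compatibility", "risk creation")

# Constructed adequacy matrix (effectiveness band x consequence level).
# The guide's Figure 9 survives only as a screenshot; these cells are placeholders.
ADEQUACY = {
    "High":   {1: "Adequate", 2: "Adequate", 3: "Adequate", 4: "Adequate", 5: "Review"},
    "Medium": {1: "Adequate", 2: "Adequate", 3: "Review",   4: "Improve",  5: "Improve"},
    "Low":    {1: "Review",   2: "Improve",  3: "Improve",  4: "Redesign", 5: "Redesign"},
}
# Constructed 25-cell risk-appetite matrix (likelihood x consequence).
# The guide leaves this allocation to each organisation (Figure 5).
RISK_MATRIX = {
    "A": {1: "Medium", 2: "High",   3: "High",   4: "Very High", 5: "Very High"},
    "B": {1: "Medium", 2: "Medium", 3: "High",   4: "High",      5: "Very High"},
    "C": {1: "Low",    2: "Medium", 3: "Medium", 4: "High",      5: "Very High"},
    "D": {1: "Low",    2: "Low",    3: "Medium", 4: "Medium",    5: "High"},
    "E": {1: "Low",    2: "Low",    3: "Low",    4: "Medium",    5: "High"},
}


def check_risk_statement(statement: str) -> bool:
    """True when a non-empty cause and effect are joined by a linking phrase."""
    text = statement.strip().lower()
    for phrase in LINK_PHRASES:
        cause, sep, effect = text.partition(phrase)
        if sep and cause.strip() and effect.strip():
            return True
    return False


def control_effectiveness(scores: Dict[str, int]) -> str:
    """Band a control by the mean of its seven indicator scores.
    The 1-5 score scale and the band cut-offs are constructed assumptions."""
    missing = set(INDICATORS) - set(scores)
    if missing:
        raise ValueError(f"unscored indicators: {sorted(missing)}")
    avg = mean(scores[name] for name in INDICATORS)
    if avg >= 4.0:
        return "High"
    return "Medium" if avg >= 2.5 else "Low"


@dataclass
class RiskRow:
    """One register row: one risk statement against one value criterion."""
    originator: str                        # stakeholder who raised it (Chapter 2)
    statement: str
    value_criterion: str                   # e.g. Outcome, Output, Community
    consequence: int                       # 1..5 threshold for that criterion
    controls: List[Tuple[str, Dict[str, int]]] = field(default_factory=list)
    likelihood: Optional[str] = None       # premised after controls are evaluated
    accept_risk: Optional[bool] = None     # management discretion, never auto-filled
    future_target: Optional[str] = None    # management discretion, never auto-filled

    def __post_init__(self) -> None:
        if self.consequence not in CONSEQUENCE:
            raise ValueError("consequence must be 1..5")
        if not check_risk_statement(self.statement):
            raise ValueError("risk statement must link a cause to an effect")

    def control_adequacy(self) -> List[Tuple[str, str, str]]:
        """(control, effectiveness band, adequacy): adequacy is a function of
        effectiveness and consequence (Chapter 3)."""
        rows = []
        for name, scores in self.controls:
            band = control_effectiveness(scores)
            rows.append((name, band, ADEQUACY[band][self.consequence]))
        return rows

    def risk_level(self) -> str:
        """Likelihood x consequence read off the appetite matrix (Chapter 4)."""
        if self.likelihood not in LIKELIHOOD:
            raise ValueError("premise a likelihood A..E first")
        return RISK_MATRIX[self.likelihood][self.consequence]


def example_row() -> RiskRow:
    """Constructed register row built around the guide's own example statement."""
    bcp_scores = {"risk reduction": 4, "continuity of effects": 4, "timing": 3,
                  "administrative efficiency": 5, "cost-effectiveness": 4,
                  "synergy, leverage and compatibility": 3, "risk creation": 5}
    return RiskRow(originator="Business continuity manager",
                   statement="Having an outdated, unexercised business continuity "
                             "plan leads to unacceptable vulnerability across the business",
                   value_criterion="Outcome", consequence=4,
                   controls=[("Annual BCP desktop exercise", bcp_scores)], likelihood="C")
```

Calling `example_row().control_adequacy()` and `.risk_level()` walks one row through the sequence the tool automates; `accept_risk` and `future_target` stay `None` because, as the guide says, they are management decisions rather than values derived from the matrix.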
RISK MANAGEMENT GUIDE - RISK TREATMENT

Risk Treatment

What we will do; within what budget, by when and by whom.

The treatment of risk is very much about the standard governance qualities of any plan. This calls for a selection of high leverage, cost effective controls to be considered using the performance indicators outlined below and introduced in Chapter 3, Figure 6.
Performance Indicator
1. Risk reduction: This control prevents a significant proportion of losses posed by this risk.
2. Continuity of effects: The effects of the application of this control will be long term or ongoing.
3. Timing: The beneficial effects of this control are likely to be quickly realized.
4. Administrative efficiency: We have the expertise and this control is easily administered.
5. Cost-effectiveness: This control is cost-effective.
6. Synergy, leverage and compatibility: This control is likely to lead to further risk reducing actions by others. It is highly compatible with other controls that exist or are likely to be adopted.
7. Risk creation: Implementation of this control does not introduce new risks.
Figure 14 Risk Treatment Selection Criteria
What we will do; within what budget, by when and by whom.

The criteria can be accessed from the symbol. This will take you to performance levels and performance indicators. This advice can also be reached from the Treatment Selection TAB at the bottom of the screen.

Figure 15 Criteria - available from the Treatment Selection TAB
Figure 16 Assess the likely effectiveness of each proposed control - copy one worksheet per control.
Figure 17 Screenshot for recording and tracking Treatment
Attachment A:
Three steps to developing a sound SIPOC diagram
Purpose: The purpose of a SIPOC Diagram is to define and document the key elements of an activity. This includes
Customers/Requirements, Outputs, Process Steps/Requirements, Inputs and Suppliers.
Materials: SIPOC overview handout, whiteboard, worksheets, flipcharts, PowerPoint (not preferred as it can take away
from engagement and participation), Posters, PostIts(or my favourite, coloured sticky arrows which are then placed on
a large, blank, laminated SIPOC chart)
Time: Varies. Plan for at least two hours based on the complexity of the process, the knowledge of the participants of the
process, and their previous experience creating SIPOCs.
Step ONE: Get everyone on the same purpose page
Note 1 to facilitator: Do this step even if working with a knowledgeable group by reviewing the elements critical to
conducting a successful SIPOC session.
Use this review as a means of setting a positive tone and developing a conversational style of facilitating the session.
The five critical elements to a good SIPOC are:
1. Provide participants a brief overview of the SIPOC structure and how important it is to manage its use in terms of its range of purposes. Apply the Covey principle, "begin with the end in mind". SIPOCs are flexible tools and can be focused on achieving a range of purposes such as project planning, vulnerability mapping or organisational restructuring. So be mindful: ask how you will USE this SIPOC.
2. The challenge for service industries (as distinct from making widgets) is to think beyond the process column (where
many SIPOCs start). The challenge for individuals is to think outside of their square.
3. When recording on the SIPOC use only as much detail as needed to understand/communicate effectively.
4. Record the agreed purpose of this SIPOC session and make the agreed purpose the label of the car park. The car park is an area of white space, such as butchers paper or a whiteboard on wheels, which is structured to capture, as they relate to the SIPOC element being mapped at the time, (1) assumptions, (2) constraints, (3) risks and (4) decision criteria.
5. This is not an academic exercise - define how things really get done, not how we might want them to be.
Step TWO: Establish the Framework
Note 2 to facilitator: Groups sometimes prefer to be more organic than systematic. Be flexible and accommodate as long
as the entire SIPOC form is completed with enough detail to understand the process. Be flexible and use plain language.
Write it down, and then ask open-ended, clarifying questions to get it right. Place the thing or issue on the SIPOC at a
place of best agreed fit. Challenge the status quo, test the understanding of the process, and encourage dialogue.
Note 3 to facilitator: A challenge from here on out in this process is to keep the group at a high level of detail; do not allow them to get too granular. The detail can come later in the process flow diagram mapping, or you can go back and break each key process step into sub-steps and SIPOC them. (It depends on the purpose of the SIPOC and the complexity of the process.)
Use the SIPOC framework (on the wall chart, computer, whiteboard, worksheet, or flipchart).
1. Seek permission and agreement from the group to start backwards from the right - from the Customer column.
Identify customers (some will be stakeholders with specified needs to be met which are contractual, or legally
obligatory - others stakeholders may have a more indirect and general interest, needing only to be appropriately
informed).
Back into the customer requirements column by now clearly stating the requirement(s) of each stakeholder.
[This two set customer column should be reviewed whenever something changes so that the ripple effects can be
mapped and managed. (The result from this stage will be your initial stakeholder list)]
2. List the outputs from the process which will deliver the requirements of the customer and collectively, achieve the
required outcome of the activity.
3. Structure a process which will deliver the outputs effectively and efficiently.
Clearly identify the START of your process (cue, prompt, trigger that requires you to act).
Clearly identify the END of your process (how do you know you are done?).
List the 3-5 (NO MORE THAN 7) key steps in the process being mapped.
Incorporate feedback loops: how will you, your customer and your supplier communicate?
(Record: Process name; Process owner; Process performance measures/metrics structured to inform improvement
opportunities; any known operational definitions of key process elements; any known assumptions/constraints and
immediately apparent risks - record in car park)
Note 4 to facilitator: Remind the group that the assumptions and operational definitions are ongoing lists and may be added
to as needed during the session. The idea is to make sure everyone is working on the same sheet of paper and means the
same thing when using a term and those assumptions are made visible, discussed, and validated or challenged as
appropriate.
4. List the inputs into each step of the process
List the requirements of each input (your view, as the person doing the work)
List the supplier of each input of the process
5. List or highlight the Critical-to-Quality (CTQ) elements for the process
Step THREE: Check your work
Review the completed SIPOC.
Verify all key components are completed/addressed.
Determine Next Steps/Action Plan.
Make sure all assumptions are visible, discussed, validated, and documented.
Document operational definitions of terms, symbols, acronyms, equipment, standards, etc.
Do not forget to identify your information/communication loops and feedback mechanisms.
Document source specifications, standard operating procedures, and/or references for your process.
Review where you need to have Service Level Agreements (SLAs) between you and supplier, you and customer.
