The Risk Management guide provides advice on implementing a Risk Management approach aligned with International Risk Management Principles and Guidelines - ISO 31000. The guide is structured around two icons: 1. The folder icon flags advice on what needs to be done and how to do it. 2. The keyboard icon flags advice on how to record the outputs from "what needs to be done and how it should be done". This text will generally be about a process, with an accompanying diagram.
Chapter 1: Introduction to the Risk Management Guide
Chapter 2: Establishing Context and Identifying Risks
Chapter 3: Evaluate Existing Controls
Chapter 4: Risk Analysis and Evaluation
Chapter 5: Risk Treatment

Disclaimer

This guide, and the tools and templates available from www.disasterresilience.com, will support your planning processes and strengthen your resilience. Using familiar software (Microsoft Word, Access, Excel and PowerPoint), we focus on quality processes within a risk management framework. These approaches serve as best practice models. They should not be used as "templates for duplication" with global word changes. You should evaluate the significance of any requirements specific to your context, then tailor your approach accordingly.

Introduction to the Risk Management Guide

Framework

This guide provides advice on implementing a risk management approach aligned with International Risk Management Principles and Guidelines, ISO 31000.

Figure 1 Risk Management (ISO 31000)

Chapter Icons

This guide is structured around two icons:
1. The folder icon flags advice on what needs to be done and how to do it. This will generally be text about a process, with an accompanying diagram.
2. The keyboard icon flags advice on how to record the outputs from "what needs to be done and how to do it". This text will be specific to the data entry requirements, with an accompanying screenshot (in this case, of the Excel Spreadsheet tool).

Figure 2 Excel Spreadsheet screenshot: whole risk management process, full screen.

Icon key: Workbook advice; Tool advice.

RISK MANAGEMENT GUIDE: ESTABLISH CONTEXT AND IDENTIFY RISKS

Establishing Context and Identifying Risks

Communication and Consultation - Stakeholders

The oil of the machine, the grist for the mill, the underpinning foundation: the central and significant role of effective communication and consultation cannot be overstated. Risks are about the conditions and circumstances which give rise to uncertainty about the future.
Those conditions and circumstances, and their management, are things about which many and varied people have an interest, some more directly than others. Therefore a first and fundamental step is to identify stakeholders (defined as anyone with an interest). Second, not all stakeholders have the same level of hold, that is, care or interest. Therefore it is important to differentiate stakeholders. Any of several techniques (such as the matrix provided here) are useful for mapping stakeholders.

Communication and Consultation - Stakeholders (continued)

A useful way of generating a list of who has an interest, and what type of interest they have, is to generate a process map called a SIPOC, which is short for Suppliers, Inputs, Process, Outputs, Customers. The SIPOC map should be started from the right hand side, identifying customers on the basis of who has an interest and what will be required to address that interest. This type of mapping also enhances your understanding of context. Details on how to facilitate a SIPOC mapping process are available as Attachment A (at the back of this guide).

Communication and Consultation - Stakeholders

The output from the stakeholder identification and differentiation process is a list of initial stakeholders, which should be entered into the Originator section of the Excel Spreadsheet by clicking on Add New Originator.

Figure 3 Establish Context and Identify Risks

Communication and Consultation - Risk Statements

Particular attention to detail should be exercised when generating a risk statement. A risk statement must derive from context. It is formulated in direct association with a task, goal, objective or value criterion of your business or organisation, often directly linked to your strategic plan, business plan or corporate plan.
When writing a risk statement, to strengthen clarity and meaning:
1. Write a complete sentence, consisting of a cause and effect.
2. Identify the cause as far upstream in the chain of cause and effect as is practical to manage. State the cause as a set of conditions, or as a trigger event.
3. State the effect upon the task, goal, objective or value criterion under consideration.
4. Link the two clauses by a phrase such as "leads to", "causing" or "results in".

Example: "Having an outdated, unexercised business continuity plan leads to unacceptable vulnerability across the business."

Communication and Consultation - Risk Statements

Risk statements are entered in individual rows under the Risk Statement column in Figure 3: Establish Context and Identify Risks (above).

Communication and Consultation - Consequence Criteria

Each of your risk statements will or will not have an association with your (tailored) risk assessment criteria. Your risk assessment criteria measure what you care about and how much you care. They need to reflect the context of the organisation, not simply be cut and pasted from a template of another organisation's set of values. Considerable care should be taken to ensure that appropriate criteria, reflecting your position, are developed.

Figure 4 Establishing assessment criteria is a social process

Communication and Consultation - Consequence Criteria

Where a value criterion (such as Outcome; Output; Community; Governance; People; and Environment) is triggered by an effect generating a possible consequence, a specific level of possible consequence should be attributed to the risk statement by selecting the appropriate drop-down threshold in the Consequence column [as shown on the right hand side of Figure 3: Establish Context and Identify Risks (above)].
The threshold choices are 1 Insignificant; 2 Minor; 3 Moderate; 4 Major; or 5 Critical, for each affected value criterion. To support the clarity of your attribution, click on the symbol which leads to both the detailed description of thresholds and the indicators. This advice on the value criteria and their thresholds can also be reached from the Consequence and Likelihood tab at the bottom of the screen.

Figure 5 Risk Assessment Criteria

RISK MANAGEMENT GUIDE: EVALUATE EXISTING CONTROLS

Evaluate Existing Controls

What we do now to manage this risk

A control is any existing process, system, policy, device, structure, practice or other action that acts to minimize negative risk or enhance positive opportunities. The identification of current controls is a fundamental and critical step. Risk levels cannot be determined until we can attribute a level of likelihood to the consequence, and the effectiveness of existing controls is crucial to informing our judgment on how likely a specific consequence is to arise. Once controls have been listed, each should be given an effectiveness score using performance indicators such as those outlined in Figure 6 below.

Performance indicators:
1. Risk reduction: this control prevents a significant proportion of losses posed by this risk.
2. Continuity of effects: the effects of the application of this control will be long term or ongoing.
3. Timing: the beneficial effects of this control are likely to be quickly realized.
4. Administrative efficiency: we have the expertise and this control is easily administered.
5. Cost-effectiveness: this control is cost-effective.
6. Synergy, leverage and compatibility: this control is likely to lead to further risk-reducing actions by others. It is highly compatible with other controls that exist or are likely to be adopted.
7. Risk creation: implementation of this control does not introduce new risks.

Figure 6 Considerations when assessing the effectiveness of existing controls

What we do now to manage this risk

The controls which have an impact on the consequence of each particular value criterion should be listed individually against the specific consequence criteria (for the risk statement under consideration). This will require copying in rows (to correspond with the number of relevant controls). This will then enable scoring for effectiveness to be attributed against each control. To support the clarity of your attribution of effectiveness, click on the symbol which leads to both the detailed description of performance levels and the performance indicators. (The Excel worksheet should be copied, one sheet per control.) This advice can also be reached from the Effectiveness and Adequacy tab at the bottom of the screen.

Figure 7 Control Effectiveness Advice tab (Excel Spreadsheet)

Figure 8 Screenshot - Existing Controls Evaluated

An important risk management principle is a recognition that adequacy is a function of effectiveness and consequence. Once the level of control is determined, the Adequacy Matrix (below) provides an important tool to assess whether the control is likely to be appropriate, whether actions to improve the level or quality of the control are required, or indeed whether an entirely new way of thinking about developing other controls needs to be considered. (The adequacy of the existing control is automatically calculated within the Excel Spreadsheet based on the matrix below.)
Figure 9 Adequacy Matrix

Risk Analysis and Evaluation

Given the adequacy of current controls, determine the likelihood of the consequence

A level of likelihood for each consequence should be premised. It is important to focus on the likelihood of the consequence, NOT on the likelihood of the trigger event. The attribution of level should be against the criteria listed in Figure 10 below.

Likelihood criteria:
A Almost certain to occur in most circumstances
B Likely to occur frequently
C Possible and likely to occur at some time
D Unlikely to occur but could happen
E May occur but only in rare and exceptional circumstances

Figure 10 Likelihood Criteria

Given the adequacy of current controls, determine the likelihood of the consequence

The consequence level will be automatically reproduced from the Establish Context and Identify Risks stage. The level of likelihood which you premise will automatically generate a level of risk. This level of risk will be a function of three things: likelihood, the consequence you have already premised, and your agreed risk appetite [which is reflected in the allocation of risk levels (Low; Medium; High; Very High) to each of the 25 cells in the Consequence / Likelihood Matrix displayed at the bottom of Figure 5 and in the Consequence and Likelihood worksheet].

Figure 11 Premise the likelihood of the specified consequence

In order to maximize access, the tool has been deliberately designed using an early version of Excel (2003).
A constraint of this early version is a formula limitation: it cannot generate more than three choices of colour. Therefore, if you change the likelihood attribution, you will need to click on the running man icon to refresh the risk level colour displayed.

Figure 12 Risk Levels - suggested prioritisation for action

General advice about whether a level of risk requires treatment is provided in Figure 12. However, it is important to recognise the need to enable management discretion regarding both risk acceptance and solution resourcing options. Therefore the Accept Risk (Yes or No) and the Future Risk Target levels of the tool are not populated automatically. They are determined by the responsible party or parties, and the risk may (in certain circumstances) be carried even though the level might be High or Very High.

Figure 13 Risk Acceptance and Future Risk Target Levels are management discretions

RISK MANAGEMENT GUIDE: RISK TREATMENT

Risk Treatment

What we will do; within what budget, by when and by whom

The treatment of risk is very much about the standard governance qualities of any plan. This calls for a selection of high-leverage, cost-effective controls to be considered using the performance indicators outlined below and introduced in Chapter 3, Figure 6.

Performance indicators:
1. Risk reduction: this control prevents a significant proportion of losses posed by this risk.
2. Continuity of effects: the effects of the application of this control will be long term or ongoing.
3. Timing: the beneficial effects of this control are likely to be quickly realized.
4. Administrative efficiency: we have the expertise and this control is easily administered.
5. Cost-effectiveness: this control is cost-effective.
6. Synergy, leverage and compatibility: this control is likely to lead to further risk-reducing actions by others. It is highly compatible with other controls that exist or are likely to be adopted.
7. Risk creation: implementation of this control does not introduce new risks.

Figure 14 Risk Treatment Selection Criteria

What we will do; within what budget, by when and by whom

The criteria can be accessed from the symbol. This will take you to performance levels and performance indicators. This advice can also be reached from the Treatment Selection tab at the bottom of the screen.

Figure 15 Criteria - available from the Treatment Selection tab

Figure 16 Assess the likely effectiveness of each proposed control - copy one worksheet per control.

Figure 17 Screenshot for recording and tracking Treatment

Attachment A: Three steps to developing a sound SIPOC diagram

Purpose: The purpose of a SIPOC diagram is to define and document the key elements of an activity. This includes Customers/Requirements, Outputs, Process Steps/Requirements, Inputs and Suppliers.

Materials: SIPOC overview handout, whiteboard, worksheets, flipcharts, PowerPoint (not preferred, as it can take away from engagement and participation), posters, Post-its (or my favourite, coloured sticky arrows which are then placed on a large, blank, laminated SIPOC chart).

Time: Varies. Plan for at least two hours, based on the complexity of the process, the participants' knowledge of the process, and their previous experience creating SIPOCs.

Step ONE: Get everyone on the same purpose page

Note 1 to facilitator: Do this step even if working with a knowledgeable group, by reviewing the elements critical to conducting a successful SIPOC session. Use this review as a means of setting a positive tone and developing a conversational style of facilitating the session.

The five critical elements to a good SIPOC are:
1. Provide participants a brief overview of the SIPOC structure and how important it is to manage its use in terms of its range of purposes. Apply the Covey principle: begin with the end in mind. SIPOCs are flexible tools and can be focused on achieving a range of purposes such as project planning, vulnerability mapping or organisational restructuring. So be mindful: ask how will you USE this SIPOC?
2. The challenge for service industries (as distinct from making widgets) is to think beyond the process column (where many SIPOCs start). The challenge for individuals is to think outside of their square.
3. When recording on the SIPOC, use only as much detail as needed to understand/communicate effectively.
4. Record the agreed purpose of this SIPOC session; make the agreed purpose the label of the car park. The car park is an area of white space, such as butcher's paper or a whiteboard on wheels, which is structured to capture, as they relate to the SIPOC element being mapped at the time: (1) assumptions, (2) constraints, (3) risks and (4) decision criteria.
5. This is not an academic exercise: define how things really get done, not how we might want them to be.

Step TWO: Establish the Framework

Note 2 to facilitator: Groups sometimes prefer to be more organic than systematic. Be flexible and accommodate this, as long as the entire SIPOC form is completed with enough detail to understand the process. Be flexible and use plain language. Write it down, and then ask open-ended, clarifying questions to get it right. Place the thing or issue on the SIPOC at a place of best agreed fit. Challenge the status quo, test the understanding of the process, and encourage dialogue.

Note 3 to facilitator: A challenge from here on out in this process is to keep the group at a high level of detail; do not allow them to get too granular.
The detail can come later in the process flow diagram mapping, or you can go back and break each key process step into sub-steps and SIPOC them. (It depends on the purpose of the SIPOC and the complexity of the process.) Use the SIPOC framework (on the wall chart, computer, whiteboard, worksheet or flipchart).

1. Seek permission and agreement from the group to start backwards from the right, from the Customer column. Identify customers (some will be stakeholders with specified needs to be met which are contractual or legally obligatory; other stakeholders may have a more indirect and general interest, needing only to be appropriately informed). Back into the customer requirements column by now clearly stating the requirement(s) of each stakeholder. [This two-set customer column should be reviewed whenever something changes, so that the ripple effects can be mapped and managed. (The result from this stage will be your initial stakeholder list.)]
2. List the outputs from the process which will deliver the requirements of the customer and, collectively, achieve the required outcome of the activity.
3. Structure a process which will deliver the outputs effectively and efficiently. Clearly identify the START of your process (the cue, prompt or trigger that requires you to act). Clearly identify the END of your process (how do you know you are done?). List the 3-5 (NO MORE THAN 7) key steps in the process being mapped. Incorporate feedback loops: how will you, your customer and your supplier communicate? (Record: process name; process owner; process performance measures/metrics structured to inform improvement opportunities; any known operational definitions of key process elements; any known assumptions/constraints and immediately apparent risks, recorded in the car park.)

Note 4 to facilitator: Remind the group that the assumptions and operational definitions are ongoing lists and may be added to as needed during the session.
The idea is to make sure everyone is working on the same sheet of paper and means the same thing when using a term, and that those assumptions are made visible, discussed, and validated or challenged as appropriate.

4. List the inputs into each step of the process. List the requirements of each input (your view, as the person doing the work). List the supplier of each input of the process.
5. List or highlight the Critical-to-Quality (CTQ) elements for the process.

Step THREE: Check your work

Review the completed SIPOC. Verify all key components are completed/addressed. Determine next steps/action plan. Make sure all assumptions are visible, discussed, validated, and documented. Document operational definitions of terms, symbols, acronyms, equipment, standards, etc. Do not forget to identify your information/communication loops and feedback mechanisms. Document source specifications, standard operating procedures, and/or references for your process. Review where you need to have Service Level Agreements (SLAs) between you and supplier, and you and customer.
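Returning to the scoring logic of Chapters 3 and 4 (control effectiveness from the seven performance indicators, adequacy as a function of effectiveness and consequence, and the risk level read from the 25-cell consequence/likelihood matrix that encodes risk appetite), here is an added Python model of that register; it is example code, not the guide's Excel tool. The 0..4 indicator scale, the appetite bounds, the adequacy rule and the sample control are assumptions, since the page does not show the tool's own matrices, and the Accept Risk and Future Risk Target fields are deliberately left for management to fill.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Indicators from Figure 6 / Figure 14, scored 0..4 here. The 0..4 scale, the appetite
# bounds and the adequacy rule are constructed; the page does not show the tool's own.
INDICATORS = ("risk_reduction", "continuity_of_effects", "timing",
              "administrative_efficiency", "cost_effectiveness",
              "synergy_leverage_compatibility", "risk_creation")
LIKELIHOODS = "ABCDE"                   # A almost certain ... E rare (Figure 10)
LEVELS = ("Low", "Medium", "High", "Very High")
Matrix = Dict[Tuple[int, str], str]     # (consequence 1..5, likelihood) -> level

def build_risk_matrix(appetite: Dict[str, int]) -> Matrix:
    """Allocate a level to each of the 25 consequence/likelihood cells (risk appetite).
    Cell score = consequence (1..5) * likelihood weight (A=5 ... E=1); appetite gives
    the upper score bound per level, and anything above the High bound is Very High."""
    matrix: Matrix = {}
    for cons in range(1, 6):
        for like in LIKELIHOODS:
            score = cons * (5 - LIKELIHOODS.index(like))
            matrix[(cons, like)] = next(
                (lvl for lvl in LEVELS[:3] if score <= appetite[lvl]), "Very High")
    return matrix

@dataclass
class Control:
    name: str
    scores: Dict[str, int]              # indicator -> 0..4
    def effectiveness(self) -> int:
        """Floored mean of the seven indicator scores; an unscored indicator counts 0."""
        return sum(self.scores.get(k, 0) for k in INDICATORS) // len(INDICATORS)

def adequacy(effectiveness: int, consequence: int) -> str:
    """Adequacy is a function of effectiveness and consequence (Figure 9).
    Rule used here: a consequence of c needs effectiveness >= c - 1."""
    gap = effectiveness - (consequence - 1)
    if gap >= 0:
        return "Adequate"                               # appropriate as it stands
    return "Improve" if gap == -1 else "Rethink"        # raise quality, or rethink controls

@dataclass
class Risk:
    statement: str                      # "<cause> leads to <effect>"
    consequence: int                    # 1 Insignificant ... 5 Critical
    likelihood: str                     # premised for the consequence, given controls
    controls: List[Control] = field(default_factory=list)
    accept: Optional[bool] = None       # management discretion: never auto-filled
    future_target: Optional[str] = None
    def level(self, matrix: Matrix) -> str:
        return matrix[(self.consequence, self.likelihood)]

def needs_treatment(risks: List[Risk], matrix: Matrix) -> List[str]:
    """Statements rated High or Very High that management has not explicitly accepted."""
    return [r.statement for r in risks
            if LEVELS.index(r.level(matrix)) >= 2 and r.accept is not True]

# Constructed register: the guide's own example statement plus one assumed control.
APPETITE = {"Low": 4, "Medium": 9, "High": 15}
MATRIX = build_risk_matrix(APPETITE)
BCP_EXERCISE = Control("Annual BCP exercise", {
    "risk_reduction": 3, "continuity_of_effects": 3, "timing": 1, "administrative_efficiency": 2,
    "cost_effectiveness": 3, "synergy_leverage_compatibility": 2, "risk_creation": 4})
REGISTER = [Risk("Having an outdated, unexercised business continuity plan leads to "
                 "unacceptable vulnerability across the business", 4, "C", [BCP_EXERCISE])]
```

With these assumed bounds the example risk (Major consequence, likelihood C) lands in a High cell and stays on the treatment list until a responsible party sets `accept`, mirroring the guide's point that acceptance is never auto-populated.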