Introduction
This Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK, including the Institute of Risk Management (IRM).

In addition, the team sought the views and opinions of a wide range of other professional bodies with interests in risk management, during an extensive period of consultation.

Risk management is a rapidly developing discipline and there are many and varied views and descriptions of what risk management involves, how it should be conducted and what it is for. Some form of standard is needed to ensure that there is an agreed:

• terminology related to the words used
• process by which risk management can be carried out
• organisation structure for risk management
• objective for risk management

Importantly, the standard recognises that risk has both an upside and a downside.

Risk management is not just something for corporations or public organisations, but for any activity whether short or long term. The benefits and opportunities should be viewed not just in the context of the activity itself but in relation to the many and varied stakeholders who can be affected.

There are many ways of achieving the objectives of risk management and it would be impossible to try to set them all out in a single document. Therefore it was never intended to produce a prescriptive standard which would have led to a box ticking approach nor to establish a certifiable process. By meeting the various component parts of this standard, albeit in different ways, organisations will be in a position to report that they are in compliance. The standard represents best practice against which organisations can measure themselves.

The standard has wherever possible used the terminology for risk set out by the International Organization for Standardization (ISO) in its recent document ISO/IEC Guide 73 Risk Management - Vocabulary - Guidelines for use in standards.

In view of the rapid developments in this area the authors would appreciate feedback from organisations as they put the standard into use (addresses to be found on the back cover of this Guide). It is intended that regular modifications will be made to the standard in the light of best practice.
2. Risk Management
Risk management is a central part of any organisation’s strategic management. It is the process whereby organisations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.

The focus of good risk management is the identification and treatment of these risks. Its objective is to add maximum sustainable value to all the activities of the organisation. It marshals the understanding of the potential upside and downside of all those factors which can affect the organisation. It increases the probability of success, and reduces both the probability of failure and the uncertainty of achieving the organisation’s overall objectives.

It must be integrated into the culture of the organisation with an effective policy and a programme led by the most senior management. It must translate the strategy into tactical and operational objectives, assigning responsibility throughout the organisation with each manager and employee responsible for the management of risk as part of their job description. It supports accountability, performance measurement and reward, thus promoting operational efficiency at all levels.

2.1 External and Internal Factors

The risks facing an organisation and its operations can result from factors both external and internal to the organisation.
© IRM: 2002 3
2.2 The Risk Management Process
[Figure: The Risk Management Process. The Organisation’s Strategic Objectives feed into Risk Assessment, which comprises Risk Analysis (Risk Identification, Risk Description, Risk Estimation) and Risk Evaluation, followed by Risk Reporting (Threats and Opportunities), Decision, Risk Treatment and Monitoring; Modification and Formal Audit are shown alongside the process.]
Risk management protects and adds value to the organisation and its stakeholders through
supporting the organisation’s objectives by:
4. Risk Analysis
4.1 Risk Identification

Risk identification sets out to identify an organisation’s exposure to uncertainty. This requires an intimate knowledge of the organisation, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to its success and the threats and opportunities related to the achievement of these objectives.

Risk identification should be approached in a methodical way to ensure that all significant activities within the organisation have been identified and all the risks flowing from these activities defined. All associated volatility related to these activities should be identified and categorised.

Business activities and decisions can be classified in a range of ways, examples of which include:

• Strategic - These concern the long-term strategic objectives of the organisation. They can be affected by such areas as capital availability, sovereign and political risks, legal and regulatory changes, reputation and changes in the physical environment.
• Operational - These concern the day-to-day issues that the organisation is confronted with as it strives to deliver its strategic objectives.
• Financial - These concern the effective management and control of the finances of the organisation and the effects of external factors such as availability of credit, foreign exchange rates, interest rate movement and other market exposures.
• Knowledge management - These concern the effective management and control of the knowledge resources, the production, protection and communication thereof. External factors might include the unauthorised use or abuse of intellectual property, area power failures, and competitive technology. Internal factors might be system malfunction or loss of key staff.
• Compliance - These concern such issues as health & safety, environmental, trade descriptions, consumer protection, data protection, employment practices and regulatory issues.

Whilst risk identification can be carried out by outside consultants, an in-house approach with well communicated, consistent and co-ordinated processes and tools (see Appendix, page 14) is likely to be more effective. In-house ‘ownership’ of the risk management process is essential.

4.2 Risk Description

The objective of risk description is to display the identified risks in a structured format, for example, by using a table. The risk description table overleaf can be used to facilitate the description and assessment
of risks. The use of a well designed structure is necessary to ensure a comprehensive risk identification, description and assessment process. By considering the consequence and probability of each of the risks set out in the table, it should be possible to prioritise the key risks that need to be analysed in more detail.

Identification of the risks associated with business activities and decision making may be categorised as strategic, project/tactical, operational. It is important to incorporate risk management at the conceptual stage of projects as well as throughout the life of a specific project.
Table 4.2 Risk Description

1. Name of Risk
2. Scope of Risk: Qualitative description of the events, their size, type, number and dependencies
3. Nature of Risk: e.g. strategic, operational, financial, knowledge or compliance
4. Stakeholders: Stakeholders and their expectations
5. Quantification of Risk: Significance and Probability
6. Risk Tolerance/Appetite: Loss potential and financial impact of risk; Value at risk; Probability and size of potential losses/gains; Objective(s) for control of the risk and desired level of performance
7. Risk Treatment & Control Mechanisms: Primary means by which the risk is currently managed; Levels of confidence in existing control; Identification of protocols for monitoring and review
8. Potential Action for Improvement: Recommendations to reduce risk
9. Strategy and Policy Developments: Identification of function responsible for developing strategy and policy
Medium (Possible): Likely to occur in a ten year time period or less than 25% chance of occurrence. Could occur more than once within the time period (for example - ten years). Could be difficult to control due to some external influences. Is there a history of occurrence?
Table 4.3.3 Probability of Occurrence - Opportunities
4.4 Risk Analysis methods and techniques

A range of techniques can be used to analyse risks. These can be specific to upside or downside risk or be capable of dealing with both. (See Appendix, page 14, for examples).

4.5 Risk Profile

The result of the risk analysis process can be used to produce a risk profile which gives a significance rating to each risk and provides a tool for prioritising risk treatment efforts. This ranks each identified risk so as to give a view of the relative importance.

This process allows the risk to be mapped to the business area affected, describes the primary control procedures in place and indicates areas where the level of risk control investment might be increased, decreased or reapportioned.

Accountability helps to ensure that ‘ownership’ of the risk is recognised and the appropriate management resource allocated.
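The risk profile described above, as an added example that is not part of the IRM standard: a small Python risk register that records each risk with the fields of the Risk Description table, scores it on qualitative consequence and probability bands, ranks the result, maps each risk to its business area and owner, and suggests where control investment might be increased, decreased or reapportioned. The Medium probability band is the one given on the page; the High and Low bands, the numeric weights, the investment rule, and the sample risks (drawn from the factors named in 4.1) are assumptions made for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Qualitative probability bands. The Medium band is the one on the page
# ("likely to occur in a ten year time period or less than 25% chance");
# the High and Low bands and all numeric weights are assumptions.
PROBABILITY_BANDS = {
    "High (Probable)": 3,    # assumed: more than 25% chance of occurrence
    "Medium (Possible)": 2,  # page: within ten years, or less than 25% chance
    "Low (Remote)": 1,       # assumed: not expected within ten years
}
CONSEQUENCE_BANDS = {"High": 3, "Medium": 2, "Low": 1}  # assumed weights


@dataclass
class RiskRecord:
    """One row of the Risk Description table, reduced to the fields used here."""
    name: str
    nature: str               # strategic, operational, financial, knowledge, compliance
    business_area: str        # the part of the organisation the risk maps to
    stakeholders: tuple       # stakeholders with an expectation about this risk
    consequence: str          # High / Medium / Low
    probability: str          # a key of PROBABILITY_BANDS
    current_control: str      # primary means by which the risk is currently managed
    control_confidence: str   # High / Medium / Low confidence in that control
    owner: str                # function accountable for the risk

    def significance(self) -> int:
        """Significance rating = consequence weight x probability weight (assumed 1..9 scale)."""
        return CONSEQUENCE_BANDS[self.consequence] * PROBABILITY_BANDS[self.probability]


def control_investment_hint(risk: RiskRecord) -> str:
    """Assumed rule of thumb: high significance with weak controls needs more investment,
    low significance with strong controls may be over-controlled."""
    sig = risk.significance()
    if sig >= 6 and risk.control_confidence != "High":
        return "increase"
    if sig <= 2 and risk.control_confidence == "High":
        return "decrease or reapportion"
    return "maintain"


def build_risk_profile(risks):
    """Rank risks by significance, highest first; ties broken by name for a stable order."""
    ordered = sorted(risks, key=lambda r: (-r.significance(), r.name))
    return [
        {
            "rank": i + 1,
            "name": r.name,
            "significance": r.significance(),
            "nature": r.nature,
            "business_area": r.business_area,
            "owner": r.owner,
            "control": r.current_control,
            "investment": control_investment_hint(r),
        }
        for i, r in enumerate(ordered)
    ]


def profile_by_area(profile):
    """Group a ranked profile by business area so each area sees its own exposures in rank order."""
    by_area = defaultdict(list)
    for row in profile:
        by_area[row["business_area"]].append(row["name"])
    return dict(by_area)


# Constructed sample register for the example; the risks echo factors named in 4.1.
SAMPLE_RISKS = [
    RiskRecord("Loss of key staff", "knowledge", "Engineering", ("Board", "Customers"),
               "High", "Medium (Possible)", "Retention bonuses", "Low", "HR Director"),
    RiskRecord("Area power failure", "operational", "Operations", ("Customers",),
               "Medium", "Low (Remote)", "Standby generator", "High", "Facilities Manager"),
    RiskRecord("Data protection breach", "compliance", "IT", ("Regulator", "Customers"),
               "High", "High (Probable)", "Access controls and audit", "Medium", "CIO"),
    RiskRecord("Interest rate movement", "financial", "Treasury", ("Shareholders",),
               "Low", "Low (Remote)", "Fixed-rate borrowing", "Medium", "Finance Director"),
]

if __name__ == "__main__":
    for row in build_risk_profile(SAMPLE_RISKS):
        print(f'{row["rank"]}. {row["name"]:<24} significance={row["significance"]} '
              f'area={row["business_area"]} owner={row["owner"]} -> {row["investment"]}')
```

Running the script prints the register in rank order; the breach and the staffing risk come out on top with a recommendation to increase control investment, the power failure (remote, well controlled) as a candidate for reapportioning, and the interest rate exposure as one to maintain. In practice the bands and weights should be the ones the organisation has set as its risk criteria (section 5), and the owner column is what gives the profile the accountability the text calls for.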
5. Risk Evaluation
When the risk analysis process has been completed, it is necessary to compare the estimated risks against risk criteria which the organisation has established. The risk criteria may include associated costs and benefits, legal requirements, socio-economic and environmental factors, concerns of stakeholders, etc. Risk evaluation therefore, is used to make decisions about the significance of risks to the organisation and whether each specific risk should be accepted or treated.
Good corporate governance requires that companies adopt a methodical approach to risk management which:

• protects the interests of their stakeholders
• ensures that the Board of Directors discharges its duties to direct strategy, build value and monitor performance of the organisation
• ensures that management controls are in place and are performing adequately

The arrangements for the formal reporting of risk management should be clearly stated and be available to the stakeholders.

The formal reporting should address:

• the control methods - particularly management responsibilities for risk management
• the processes used to identify risks and how they are addressed by the risk management systems
• the primary control systems in place to manage significant risks
• the monitoring and review system in place

Any significant deficiencies uncovered by the system, or in the system itself, should be reported together with the steps taken to deal with them.
7. Risk Treatment
Risk treatment is the process of selecting and implementing measures to modify the risk. Risk treatment includes as its major element, risk control/mitigation, but extends further to, for example, risk avoidance, risk transfer, risk financing, etc.

The risk analysis process assists the effective and efficient operation of the organisation by identifying those risks which require attention by management. They will need to prioritise risk control actions in terms of their potential to benefit the organisation.
9. The Structure and Administration of Risk Management
Risk Management Policy

An organisation’s risk management policy should set out its approach to and appetite for risk and its approach to risk management. The policy should also set out responsibilities for risk management throughout the organisation.

Furthermore, it should refer to any legal requirements for policy statements eg. for Health and Safety.

Attaching to the risk management process is an integrated set of tools and techniques for use in the various stages of the business process. To work effectively, the risk management process requires:

• commitment from the chief executive and executive management of the organisation
• assignment of responsibilities within the organisation
• allocation of appropriate resources for training and the development of an enhanced risk awareness by all stakeholders.

Role of the Board

The Board has responsibility for determining the strategic direction of the organisation and for creating the environment and the structures for risk management to operate effectively.

This may be through an executive group, a non-executive committee, an audit committee or such other function that suits the organisation’s way of operating and is capable of acting as a ‘sponsor’ for risk management.

The Board should, as a minimum, consider, in evaluating its system of internal control:

• the nature and extent of downside risks acceptable for the company to bear within its particular business
• the likelihood of such risks becoming a reality
• how unacceptable risks should be managed
• the company’s ability to minimise the probability and impact on the business
• the costs and benefits of the risk and control activity undertaken
• the effectiveness of the risk management process
• the risk implications of board decisions

Role of the Business Units

This includes the following:

• the business units have primary responsibility for managing risk on a day-to-day basis
• business unit management is responsible for promoting risk awareness within their operations; they should introduce risk management objectives into their business
• risk management should be a regular management-meeting item to allow consideration of exposures and to reprioritise work in the light of effective risk analysis
• business unit management should ensure that risk management is incorporated at the conceptual stage of projects as well as throughout a project
10. Appendix
Risk Identification Techniques - examples

• Brainstorming
• Questionnaires
• Business studies which look at each business process and describe both the internal processes and external factors which can influence those processes
• Industry benchmarking
• Scenario analysis
• Risk assessment workshops
• Incident investigation
• Auditing and inspection
• HAZOP (Hazard & Operability Studies)

Risk Analysis Methods and Techniques - examples

Upside risk
• Market survey
• Prospecting
• Test marketing
• Research and Development
• Business impact analysis

Both
• Dependency modelling
• SWOT analysis (Strengths, Weaknesses, Opportunities, Threats)
• Event tree analysis
• Business continuity planning
• BPEST (Business, Political, Economic, Social, Technological) analysis
• Real Option Modelling
• Decision taking under conditions of risk and uncertainty
• Statistical inference
• Measures of central tendency and dispersion
• PESTLE (Political Economic Social Technical Legal Environmental)

Downside risk
• Threat analysis
• Fault tree analysis
• FMEA (Failure Mode & Effect Analysis)
This document is available for download free of charge from the website of the Institute of Risk Management