Managers-Net

Risk Management

An 'at a glance' guide to Risk Management

Why Manage Risk?

Good risk management at a strategic level helps protect an organisation's reputation, safeguard against financial loss, minimise disruption to services and increase the likelihood of achieving business objectives successfully.

This also gives assurance on how an organisation's business is managed and at the same time will satisfy any compliance requirements of the organisation, where an internal control mechanism is established. Internal control includes:

The establishment of clear business objectives, standards, processes and procedures
Clear definition of responsibilities
Measurement of inputs, outputs and performance outcomes in relation to objectives
Performance Management
Financial controls over expenditure and budget.

What does it require?

The establishment and understanding of a risk management policy and framework
The identification, assessment and judgement of threats to the achievement of clear business objectives
Effecting the right action to anticipate and mitigate against risk - this includes establishing effective internal controls to counter key risks
Where necessary, to take reasonable and calculated risks based on well informed management decisions
Balancing risks by design control to give reasonable assurance to contain risks and offer value for money
Monitoring risks and reviewing progress
Quantifying risks by assessing any potential costs or benefits arising from possible impact
Reporting on the above.

How to identify risks?

Step 1 - Clarity of Objectives

Be clear first of all about the overall objectives of the organisation and understand how departmental objectives are aligned to the delivery of same. Think about:

What needs to be done
By when
Who is accountable for delivery.

Step 2 - Identify Risks

With your objectives in mind, ask the following questions:

What can go wrong?
How and why can it happen?
What do we depend on for continued success?
What could happen?

Consult with staff and others as appropriate and consider a range of possible scenarios including the best and worst cases. Be as creative with this process as possible. Consider the 'cause and effect' and scope of the risk and state as clearly as possible to avoid misunderstanding and misinterpretation. Try to quantify where possible based on what the effect might be.

Go back to Step 1 above and do the same for external risks by considering the relationship between the organisation and its wider environment and follow the steps above. Consider potential external cause of business disruption, issues affecting relationship with partners, suppliers and any possible changes in government policy and legislation.

Step 3 - Assess Risks

Identify existing controls and their effectiveness
Assess what other controls may be necessary
Determine likelihood / impact - use a bespoke template:
- Likelihood of risk occurring is used as a qualitative description of probability or frequency
- Impact is the outcome of the risk impacting and is expressed qualitatively or quantitatively, i.e. being a loss, injury, disadvantage or gain. NB - there may be a range of possible outcomes.
Set out a realistic timeframe for managing / mitigating risk.

Step 4 - Address Risks

This involves practical steps to managing and controlling risks. Think about:

what actions or responses are required to control risks
what are the associated cost of these actions
are the costs proportionate to the risk that it is controlling
What information is needed to make an informed decision to accept, manage, avoid, transfer or reduce the risks
Is it better to work to eliminate or innovate through taking reasonable calculated risks.

Step 5 - Review, Quantify and report Risks

Although policy may dictate a review and half yearly update should be enacted, risk owners need to regularly review to ensure there is ongoing relevant management of risks

Advice should be sought where quantification / confirmation is needed, i.e. Finance or Audit Department

Build into the current reporting structure via the business planning round. Where key risks need to be considered, ensure it is given priority within the agreed framework.

Risk Defined

Risk: is the actual exposure of something of human value to a hazard and is often regarded as the product of probability and loss - Source: Smith K 2001; Environmental Hazards Assessing Risk and Reducing Disaster: London: Routledge: 6 -7.

Risk Assessment: The evaluation of a risk to determine its significance, either quantitatively or qualitatively.

Risk Management: Determines the levels at which risk acceptability is set and methods of risk reduction are evaluated and applied.

Resilience: The ability at every relevant level to detect, prevent and, if necessary handle disruptive challenges. Source: CCS Resilience

Business Continuity: A proactive process which identifies the key functions of an organisation and the likely threats to those functions; from this information plans and procedures which ensure that key functions can continue, whatever the circumstances, can be developed.