Establishing the context

Before one begins to consider risk management, it is necessary to identify the strategic and organisational context under which an organisation operates.

Elements of this context include the following dimensions of the organisation's functions:

  • financial
  • operational
  • competitive
  • political
  • social
  • client
  • cultural
  • legal

The organisation's goals, objectives, values, policies and strategies, and how one contributes to these, are also important considerations. These considerations help define the criteria by which decisions are made on the acceptability or otherwise of risks, the form and basis of controls, and the management options available.

Some further areas that should be closely looked at in the context of planning include the following:

  • How well does your organisation currently address the issue of risk management?
  • What is its financial position?
  • How well does the operation of the organisation lend itself to efficient risk management?
  • Does its culture place an importance on the management of risks? For example, if a facility or equipment is not safe, is it raised as an issue?
  • Is everyone committed to the need for risk management?
  • How responsible are users of premises, especially long-term users?
  • Who are the stakeholders?
  • What importance should be placed on risk management and where would it sit in terms of priority?
  • At an organisational level, would the organisation's (business) plan provide a criterion to determine acceptable and unacceptable risks?

In setting the risk management context:

  • What are the key areas of risks faced by the organisation?
  • Once identified, how would you establish policy and related strategies to control the risks?

Policy

To achieve an effective risk management program, it is essential to develop a clear policy statement which should:

  • outline the scope
  • outline the process
  • reaffirm commitment to resources
  • clarify roles and responsibilities
  • clearly state documentation and reporting requirements.

This policy then sets the framework for the development of the risk management strategy. Once the context and policy framework are clearly established, the process of developing a risk management strategy becomes a lot easier. The policy will apply to all areas and entities within the organisation, and the implementation of this policy is primarily the responsibility of all managers and staff.

Strategy

Why develop a risk management strategy? Risk management is an integral part of good management. The application of sound risk management allows for continual improvement in decision making and processes. It encourages:

  • improved delivery of products and services
  • effective resource allocation
  • high standard of customer service
  • increased flexibility in meeting objectives
  • increased accountability
  • transparency and improved morale

The maximum benefit to an organisation is achieved if the risk management exercise is carried out at the start of the life of an activity, function, project, product or asset.

The person charged with a coordinating role cannot, in most cases, be in a position to also manage individual areas of risk. Responsibility for managing risks rests with the party that has responsibility for that area of activity, function, project, product or asset.

An effective risk management strategy involves the systematic application of management policies, procedures and practices and these should include a clear understanding of roles and responsibilities.

Roles and responsibilities

As mentioned, everyone is responsible for the effective management of risks. The risk management process should be integrated with other planning and management activities.

Managers and staff

All managers and staff are responsible for:

  1. Developing and implementing risk management plans
  2. Reporting all serious risk exposures to the risk manager
  3. Reporting immediately all serious incidents to the risk manager
  4. Reporting annually on the status of risk management actions to the corporate level through the risk manager.

Managers and staff are responsible for assisting in identifying potential risk exposures and for developing and implementing risk mitigation plans for all unacceptable exposures, which may include:

  • preventing potentially damaging events from occurring through implementing minimisation strategies;
  • providing decision makers with information on risk management to assess acceptable risks; and
  • where appropriate, transferring the impact of potentially damaging events to third parties (e.g. through insurance and contractual arrangements).

Other stakeholders may be invited to assist in identifying potential risks and to suggest any proposed mitigation.

Corporate level

The corporate level has overall responsibility for risk management. The corporate level will approve the risk management program and its implementation.

It is also responsible for reporting all other risk exposures, i.e. corporate, financial, commercial, IT and program delivery risks. The CEO has full risk management responsibility for reporting of risk management to stakeholders and any entity external to the organisation.

Risk manager

The risk manager is responsible for the overall coordination and review of all risk management activities including:

  • reporting on all risk management activities to the corporate level including annual reporting on the implementation of risk management plans
  • coordinating risk management (including claims management) activities with business units and staff especially where there are unacceptable risk exposures and claims arising
  • monitoring the organisation's risk environment through reports from managers and staff
  • reporting risks and the status of risk mitigation actions to the corporate level
  • providing training and education to all staff on risk assessment, mitigation and management techniques
  • increasing risk awareness throughout the organisation

Reporting of risk management plans

All risk management plans should be formally reported as follows:

  1. All staff must report all risk management activities to their respective managers.
  2. Individual business unit risk management plans will be reported to the risk manager annually.
  3. The organisation's risk management plan, prepared and coordinated by the risk manager, will be reported annually to the corporate level for approval.
  4. Serious unacceptable personal injury and asset risk exposures occurring in any area or activity within the organisation must be reported immediately to the risk manager.

As well as identifying the strategic context, organisations tend to be more successful in their attempts to introduce a risk management philosophy when they have given adequate thought to how ready their organisation is to undertake a risk management exercise.

Listed are four readiness-check tools which are not intended to be complete diagnostics but rather a guide to some of the more important issues that must be considered and resolved when introducing risk management approaches to the organisation. These tools will be useful when assessing the readiness of the operating environment.

The four readiness areas of process and planning, structure, organisational culture and people do not operate in isolation from each other, but are mutually interdependent. An organisation must have a minimum platform in each of these areas if it is to effectively implement the risk management process.

Page last updated: Monday, 5 April 2004



© Copyright 1997-2008 CPA Australia Ltd