Before one begins to consider risk management, it is necessary to identify the strategic and organisational context under which an organisation operates.
Elements of this context include the following dimensions of the organisation's functions:
financial
operational
competitive
political
social
client
cultural
legal
The organisation's goals, objectives, values, policies and strategies, and how one contributes to these, are also important considerations. These considerations help define the criteria by which decisions are made on the acceptability or otherwise of risks, the form and basis of controls, and the management options available.
Some further areas that should be closely looked at in the context of planning include the following:
How well does your organisation currently address the issue of risk management?
What is its financial position?
How well does the operation of the organisation lend itself to efficient risk management?
Does its culture place an importance on the management of risks? For example, if a facility or equipment is not safe, is it raised as an issue?
Is everyone committed to the need for risk management?
How responsible are users of premises, especially long-term users?
Who are the stakeholders?
What importance should be placed on risk management and where would it sit in terms of priority?
At an organisational level, would the organisation's (business) plan provide a criterion to determine acceptable and unacceptable risks?
In setting the risk management context:
What are the key areas of risks faced by the organisation?
Once identified, how would you establish policy and related strategies to control the risks?
Policy
To achieve an effective risk management program, it is essential to develop a clear policy statement which should:
outline the scope
outline the process
reaffirm commitment to resources
clarify roles and responsibilities
clearly state documentation and reporting requirements.
This policy then sets the framework for the development of the risk management strategy. Once the context and policy framework are clearly established, developing a risk management strategy becomes a lot easier. The policy will apply to all areas and entities within the organisation, and the implementation of this policy is primarily the responsibility of all managers and staff.
Strategy
Why develop a risk management strategy? Risk management is an integral part of good management. The application of sound risk management allows for continual improvement in decision making and processes. It encourages:
improved delivery of products and services
effective resource allocation
high standard of customer service
increased flexibility in meeting objectives
increased accountability
transparency and improved morale
The maximum benefit to an organisation is achieved if the risk management exercise is carried out at the start of the life of an activity, function, project, product or asset.
The person charged with a coordinating role cannot, in most cases, be in a position to also manage individual areas of risk. Responsibility for managing risks rests with the party that has responsibility for that area of activity, function, project, product or asset.
An effective risk management strategy involves the systematic application of management policies, procedures and practices and these should include a clear understanding of roles and responsibilities.
Roles and responsibilities
As mentioned, everyone is responsible for the effective management of risks. The risk management process should be integrated with other planning and management activities.
Managers and staff
All managers and staff are responsible for:
Developing and implementing risk management plans
Reporting all serious risk exposures to the risk manager
Reporting immediately all serious incidents to the risk manager
Reporting annually on the status of risk management actions to the corporate level through the risk manager.
The managers and staff are responsible for assisting in identifying potential risk exposures and for developing and implementing risk mitigation plans for all unacceptable exposures which may include:
preventing potentially damaging events from occurring through implementing minimisation strategies;
providing decision makers with information on risk management to assess acceptable risks; and
where appropriate, transferring the impact of potentially damaging events to third parties (e.g. through insurance and contractual arrangements).
Other stakeholders may be invited to assist in identifying potential risks and to suggest mitigation.
Corporate level
The corporate level has overall responsibility for risk management. The corporate level will approve the risk management program and its implementation.
It is also responsible for reporting all other risk exposures, i.e. corporate, financial, commercial, IT and program delivery risks. The CEO has full risk management responsibility for reporting of risk management to stakeholders and any entity external to the organisation.
Risk manager
The risk manager is responsible for the overall coordination and review of all risk management activities including:
reporting on all risk management activities to the corporate level including annual reporting on the implementation of risk management plans
coordinating risk management (including claims management) activities with business units and staff especially where there are unacceptable risk exposures and claims arising
monitoring the organisation's risk environment through reports from managers and staff
reporting risks and the status of risk mitigation actions to the corporate level
providing training and education to all staff on risk assessment, mitigation and management techniques
increasing risk awareness throughout the organisation
Reporting of risk management plans
All risk management plans should be formally reported as follows:
All staff must report all risk management activities to their respective managers.
Individual business unit risk management plans will be reported to the risk manager annually.
The organisation's risk management plan, prepared and coordinated by the risk manager, will be reported annually to the corporate level for approval.
Serious unacceptable personal injury and asset risk exposures occurring in any area or activity within the organisation must be reported immediately to the risk manager.
As well as identifying the strategic context, organisations tend to be more successful in their attempts to introduce a risk management philosophy when they have given adequate thought to how ready their organisation is to undertake a risk management exercise.
Listed are four readiness-check tools which are not intended to be complete diagnostics but rather a guide to some of the more important issues that must be considered and resolved when introducing risk management approaches to the organisation. These tools will be useful when assessing the readiness of the operating environment.
The four readiness areas of process and planning, structure, organisational culture and people, do not operate in isolation from each other, but are mutually interdependent. An organisation must have a minimum platform in each of these areas if it is to effectively implement the risk management process.