This case study looks at the development and operation of risk management within a mid-sized business. The intention was to have risk management become an integral and ongoing part of the usual management practices of the business.
A program of scheduled tasks and activities was devised to develop and implement the organisation's risk management. Fundamentally, this program consisted of the identification of the organisation's risks, resultant improvements to its risk controls, training and advice to the organisation's personnel and its supporting service providers, and monitoring of the results and their benefits to the business.
Like many such risk management programs, the aims were to provide the business with:
- Proper compliance with applicable legislation, codes of practice and company policy
- A level of preparedness and contingency planning in response to any loss, threats or vulnerabilities and their impact
- An improvement in its cost of losses and insurances
- Thus, a bolstering of its corporate governance, that is, in a management sense, the identification and monitoring of the major risks to the business, with appropriate procedures and reporting to assure its Executive that prudent and diligent measures are in place to protect operations and minimise liabilities
Setting
The organisation in this case study was a medium-sized company. It had been in business for quite a number of years in a mature market. It consisted of a number of business units, namely: sales and marketing; corporate, including finance, IT and secretariat; operations, including QA/QC and product development; engineering and maintenance; warehousing and distribution.
The organisation operated over several sites, namely a sales office, warehouse and depot, manufacturing site and corporate office. Some sites were owned and some leased. A variety of plant and equipment was also leased, or on hire at times. An old depot site was now closed and vacant and awaiting sale. The business used a number of contractors for a range of purposes like transport, maintenance, storage, wholesale distribution, advertising, professional advice, accounting, audit support and so on. A tenant leased part of the warehouse.
The Board and Executive wished to establish risk management across the business in a straightforward and efficient manner. It wanted the benefits as stated above, that is, compliance and control of risks and a reduction in costs of insurances and losses.
Method
The organisation approached the development and implementation of risk management in five steps. These five steps are outlined below.
Step 1 Risk identification
The goals for risk management were clear, and were as stated above. These goals were communicated to all personnel and a check made of their understanding. The first step was to obtain a reasonable and wide-ranging picture of the organisation's risk exposures, any vulnerabilities and the adequacy of its current risk controls. Lacking the resources in-house to do this, the company contracted a risk advisor for this task. The intention was also to subsequently use the risk advisor for ongoing risk management assistance and training of the organisation's personnel.
The advisor inspected all sites and interviewed all managers, supervisors and relevant personnel as a part of preparing a risk 'profile' and initial risk register of the business. The approach and structure of this risk profile generally followed that described by the Australian standard on risk management, AS/NZS 4360. The scope of the risk profiling concentrated largely on business and operational risks.
The results of the risk profiling were documented in an initial risk register. This register was in spreadsheet format and used Microsoft Excel. Risk assessments and risk ratings were qualitative. Typically, risk ratings were indicated by a numerical score on a five-point rating scale. This helped the evaluation of priorities, as described below.
The risk profiling provided input to a subsequent consideration of the organisation's higher-level strategic risks, and possible emerging exposures, by its Board and Executive. This consideration was formalised and again adopted a systematic procedure for risk appraisal akin to that described in the Australian standard.
Step 2 Risk priorities
The second step taken was to review the initial risk profile to establish priorities for forward action. A risk management steering committee of relevant company personnel was set up to do this, and also subsequently oversaw the development and implementation of risk management.
Setting priorities involved a number of steps. The risk profiling and risk register had been based on qualitative assessments and rating scores.
Firstly, the risk exposures in the risk register were weighted by committee agreement in terms of their perceived relative importance to the business. Similarly, each business unit and site was weighted in regard to each exposure. Secondly, the risk register was then extended to calculate the weighted rating scores for each exposure, each business unit and site. These weighted scores were rank ordered to indicate relative risk priority.
These simple calculations were made on the risk register spreadsheet. Note that such risk rating scores are ordinal data, that is, the numbers represent a rating category of the level of risk on an ordinal scale, and care must therefore be taken with calculations and interpretations using these scores. For example, simply put, a low risk (rating = 1) and a high risk (rating = 5) do not readily combine by averaging to produce a medium risk (rating = 3), say. A high risk is a high risk. The calculations helped the committee's deliberations.
Thirdly, the relative cost of the organisation's risk exposures was reviewed. For example, the cost of claims and self-insured losses for such matters as workers' compensation and motor vehicle accidents was evaluated. This evaluation looked at relevant benchmarking data obtained from its workers' compensation agents and motor vehicle insurer, so that the organisation could see what potential there might be for cost reductions. This benchmarking data was readily available, so this was a quick and simple exercise. The evaluation also examined the company's loss trends and where the losses were arising. It was apparent that savings could be made in the cost of workers' compensation and motor vehicle accident performance.
Fourthly and finally, consideration was given to the timing and cost-benefit of possible risk improvements. These factors were combined to establish a relative priority for forward action. Improvements were indicated by the risk register. For example, a high priority was given where a risk control improvement was urgent and/or could be made immediately. Many such risk improvements were administrative and promptly undertaken, like refresher training sessions in trade practices for sales personnel.
In terms of cost-benefit, high priority for risk improvement was indicated by the greatest risk improvement in the highest rated risk exposure for the lowest improvement cost. This was combined with the timing factor above. Again, the risk register spreadsheet was extended to do these simple assessments and calculations as an input to help the committee's deliberations.
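The weighting, rank ordering and cost-benefit scoring described in Step 2 can be reproduced in a few lines of code. The following is an added example, not the organisation's own spreadsheet: the register entries, committee weights, improvement effects and costs are constructed sample values, and the rule that ranks by the highest raw rating before the weighted total is one possible way of respecting the ordinal caveat above, not the method the case study used.

```python
"""Weighted risk-register scoring and improvement prioritisation.

Added example; the register entries, weights and costs below are
constructed, not taken from the case study.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RegisterEntry:
    exposure: str      # risk exposure name
    unit: str          # business unit or site
    rating: int        # qualitative rating on the five-point ordinal scale (1 = low, 5 = high)
    improvement: int   # assumed reduction in rating if the control improvement is made
    cost: float        # assumed cost of the improvement, arbitrary currency units
    urgent: bool       # improvement is urgent and/or can be made immediately


# Committee-agreed weights (hypothetical): relative importance of each exposure to
# the business, and of each unit/site for each exposure. Missing pairs count as 1.0.
EXPOSURE_WEIGHT = {"workers compensation": 1.0, "motor vehicle accidents": 0.6,
                   "product defect": 1.0, "trade practices": 0.5}
UNIT_WEIGHT = {("workers compensation", "warehouse"): 0.6}

ENTRIES = [  # constructed sample register
    RegisterEntry("workers compensation", "manufacturing site", 5, 2, 20000, False),
    RegisterEntry("workers compensation", "warehouse", 3, 1, 5000, False),
    RegisterEntry("motor vehicle accidents", "sales office", 5, 2, 4000, True),
    RegisterEntry("product defect", "manufacturing site", 4, 1, 50000, False),
    RegisterEntry("trade practices", "sales office", 2, 1, 1000, True),
]


def weighted_score(e: RegisterEntry) -> float:
    """Rating scaled by exposure weight and unit/site weight (Step 2, 'secondly')."""
    if e.rating not in range(1, 6):
        raise ValueError(f"rating {e.rating} is outside the five-point scale")
    return e.rating * EXPOSURE_WEIGHT.get(e.exposure, 1.0) * UNIT_WEIGHT.get((e.exposure, e.unit), 1.0)


def rank_exposures(entries, ordinal_aware=True):
    """Return (exposure, highest raw rating, weighted total) in priority order.

    The weighted total is a ranking aid only. Because ratings are ordinal, the
    default ordering puts the highest raw rating first so that weighting cannot
    average a high risk down into a medium one: a high risk is a high risk.
    """
    totals = defaultdict(float)
    highest = defaultdict(int)
    for e in entries:
        totals[e.exposure] += weighted_score(e)
        highest[e.exposure] = max(highest[e.exposure], e.rating)
    rows = [(x, highest[x], round(totals[x], 2)) for x in totals]
    key = (lambda r: (r[1], r[2])) if ordinal_aware else (lambda r: r[2])
    return sorted(rows, key=key, reverse=True)


def unit_totals(entries):
    """Weighted total per business unit or site."""
    totals = defaultdict(float)
    for e in entries:
        totals[e.unit] += weighted_score(e)
    return {u: round(t, 2) for u, t in totals.items()}


def prioritise_improvements(entries):
    """Cost-benefit priority (Step 2, 'fourthly'): greatest rating improvement in the
    highest rated exposure for the lowest cost, with urgent items first.
    Returns (exposure, unit, benefit per 1000 cost units), best first."""
    def benefit(e):
        return round(e.rating * e.improvement * 1000 / e.cost, 2)
    ordered = sorted(entries, key=lambda e: (e.urgent, benefit(e)), reverse=True)
    return [(e.exposure, e.unit, benefit(e)) for e in ordered]


if __name__ == "__main__":
    for row in rank_exposures(ENTRIES):
        print(row)
    for row in prioritise_improvements(ENTRIES):
        print(row)
```

With the constructed weights, ranking by weighted total alone places "product defect" above "motor vehicle accidents", even though the latter carries a raw rating of 5; the ordinal-aware ordering keeps both top-rated exposures ahead of every lower-rated one, which is the caveat the committee had to watch for.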
Step 3 Forward plan
A forward plan for the organisation's risk management was devised on the basis of the risk priorities and risk improvements indicated by the assessment process above. This forward plan was prepared on a project planner and listed the necessary tasks, schedules, resources, and risk management plan costs.
Step 4 Implementation
The implementation of risk management was simple and straightforward. In summary, the organisation's business unit managers were responsible and accountable for implementation of defined risk management tasks. These tasks were incorporated into business planning and budgeting. This suited the organisation's structure and mode of operation.
For each business unit and each site, the risk management tasks were defined in a specific planner sheet prepared in accordance with the overall task planner described above. Support for managers and other personnel was provided by the risk advisor, primarily in the form of training, preparation of materials like standards and checklists, and other guidance and advisory input.
An audit team measured progress. The audit team comprised several of the company's personnel and a member of its external audit service provider. Audit standards were prepared as part of the organisation's risk management standards and checklists. Audits of all business units and sites were scheduled in a cycle over a year. A typical site audit took one day. An audit report was issued as a draft to the site manager, with copies to the relevant business manager(s). Audit schedules and standards were issued in advance, thus providing known performance targets in line with the risk management planners.
The Risk Management Steering Committee met quarterly in an overseeing role. Meetings were properly formalised with agenda, distribution list and minutes. The committee's role included reviewing progress, refining objectives and priorities in light of business dynamics and making decisions where necessary on risk control options, especially where corporate value or impact above business unit level were concerned.
Step 5 Reporting on progress and performance
Reporting was an integral part of implementation and the monitoring described above. There were four forms of risk report:
- Immediate report to the relevant business unit manager and executive of any significant incident (like product defect, threatened litigation, lost-time injury, etc.)
- Quarterly report of incident, loss, risk and audit results covering all business units and sites. This quarterly performance report was a one-page spreadsheet
- Quarterly risk management progress report, against the scheduled task planner. Again, this quarterly report was a one-page spreadsheet.
- An annual stewardship report for the organisation's Executive and Board, summarising risk management progress, status and performance for the year across the business
Outcomes
The initial development and implementation steps outlined above evolved in the organisation in the following ways:
- Risk management became a demonstrable component of the organisation's annual business planning and budgeting processes
- Risk identification consequently was focused more on business unit and business process rather than applied to a generic operational profile. Greater emphasis was placed on the risks associated with business strategies and achievement of business plans (what could go wrong, what must go right). Accountability and responsibility remained with business unit managers
- Greater stress was placed on 'self-assessment' and 'self-audit' of risks and risk management progress, rather than a reliance on external audit, commensurate with the increased knowledge and appreciation of risk management within the organisation
- Quarterly risk management reports were blended into the organisation's quarterly financial report
- The Board's audit sub-committee became the overseer of performance and risk assurance. The focus remained on the two goals of (1) assurance of risk control and compliance, and (2) reducing the cost of risk.
Risk management guidelines from this case study
This case study suggests the following might be considered for undertaking risk identification and subsequently developing a risk management plan for an organisation:
- Well-defined, straightforward goals and scope for risk identification and risk management
- Well-defined and clear communications to all personnel as to the intention, scope, reasons and benefits for the above and what will be required of them
- A systematic approach and process to risk identification
- Care with the analysis and interpretation of results like risk ratings and risk scores
- A systematic approach and process to the development of the risk management plan and program, using for example, defined tasks, responsibilities and schedules
- A simple 'top down' structure to drive and monitor the development
- A simple means of reporting on status, progress and risk performance