
Developing a risk management culture within an organisation

There are many approaches to managing risk in a business setting. The elements that comprise a risk management plan or program are now well established – see, for example, the framework provided in the Australian standard AS/NZS 4360 on risk management.

However, in addition to developing a suitable framework and structure to manage risks, most organisations face the challenge of implementing it and maintaining its effectiveness. In other words, the challenge is to develop a 'culture' in the organisation where people attend to risk and risk management as an integral part of doing business.

This case study describes how one organisation went about developing a culture that would address risk and thus provide some assurance that the organisation's losses and exposures were being managed.

Setting

The organisation in this case study is a mid-sized government-owned entity. It operates in a commercial market environment. It has a typical corporate structure, comprising a board of directors, chief executive officer (CEO), executive management team and a number of business units.

It has outsourced several service functions and thus relies on a few contracted service providers to properly supply and deliver some aspects that are crucial to its business and its stakeholders (primarily customers, community and government).

The board and CEO already see risk management as a visible tool to help the organisation further with two things:

  • Corporate governance, especially in terms of providing an assurance that the organisation's risks are properly recognised and attended to
  • Operational efficiency, especially in the sense of reducing the cost of losses and risk transfer

The board and CEO understand what risk management is. However, standing back from the technical elements that make up a risk management program, they see the challenge as getting risk management generally adopted across the organisation. The organisation must develop a suitable culture where the need for risk management is understood and where risk is managed appropriately in line with other priorities.

Approach to developing risk management culture and strategy

Aims

The approach to meeting the board's needs as summarised above had several aims:

  • To give risk management a 'profile' and make it more visible
  • To give added value to the organisation – that is, to do the right things in contrast to doing things right
  • To establish a level of mastery – that is, to do a few essential things well rather than do a large number of things poorly
  • To keep it simple and efficient

Risk management concept, goals and context

As a first step, the organisation set up a risk management steering committee to oversee the development and implementation of a risk management plan. This committee was headed by the CEO. It included all business unit heads. It was scheduled to meet quarterly as an extension to the agenda of an existing executive management committee.

Secondly, the organisation contracted a specialist risk management advisor to help develop its risk management program. The role of the advisor was to promote ideas, provide training, use experience to refine options and to act as a sounding board.

Thirdly, the organisation adopted a simple three-part concept of its risk management requirements. It expressed this with a logo, in effect giving risk management a visible 'brand' and thus a distinct profile.

The three parts of the risk management program concept were:

  • Awareness – to make all managers of the organisation aware of risk management and competent to apply it to their business
  • Assessment – to recognise the important risks and have preventive and contingency controls of suitable standard in place
  • Assurance – to satisfy the organisation that risks were identified and effectively controlled.

The program was termed triple-A risk management. These three parts also provided a standard for risk management, akin perhaps to a financial rating.

Next a risk management policy statement signed off by the CEO and board was issued. The intention of this was to outline expectations and make it clear that risk management was seen as an important part of the organisation's governance. This policy statement is shown below. As part of risk management branding and visibility, the policy was launched by the CEO in a series of one-hour presentations to managers and key contractors around the organisation.

Risk management policy statement

  1. Risk is currently managed and controlled by the organisation in a variety of ways. However we do not have a formalised and visible process to identify risk exposures across all our activities and to provide us with an explicit and positive assurance that these exposures are adequately controlled.
  2. Risk management involves adopting systematic procedures and practices to identify, evaluate, treat and monitor risk in our strategic planning, management and delivery of programs, outsourced services and organisational functions so that the risks associated with these activities are controlled and acceptable. As the consequences of risk could lead to financial loss, organisational or political embarrassment, operational disruption or ultimately a failure to maintain critical service capability, it is important that these management procedures and practices are put in place.
  3. To this end, risk management will be applied to all our activities. We will achieve this by identifying our priority exposures, addressing these, incorporating appropriate risk management strategies, risk improvements and contingency planning into our business, monitoring and reviewing emerging risk to account for changes in our operations and to enable us to make well-informed decisions on risk controls.
  4. Our challenge is to infuse risk management into our culture, our everyday business operations and those of our contractors and business partners. Everyone's involvement and support is critical to an effective result.
  5. Business unit managers are already responsible for managing risk within their span of control. They are accountable for ensuring that our significant risks are appropriately controlled through corporate and business unit planning and that lower level risks are managed through the relevant procedures. A risk management plan will help them and help service providers to manage risk in a more structured way and ensure visibility of that process.
  6. The organisation's internal audit committee is responsible for assessing the performance of the organisation's risk management and reporting on performance and progress to the board.
  7. The organisation has established a risk management steering committee. This committee will oversee our risk management, endorsing risk mitigation strategies and action plans. The committee is accountable for ensuring that risks overall are managed appropriately through the organisation's business plan and internal audit program.

Each business unit, including corporate, was required to implement a plan for awareness, assessment and assurance of its risks – that is, achieve a triple-A rating for risk management. The extent of implementation and effectiveness of this plan within each business unit was tied to their allocation of insurance costs, as discussed below. Similarly, key contractors and service providers were advised of the organisation's expectations and standards for risk management. In this way, the goals and the context for risk management were defined by the organisation.

Risk management awareness

In addition to the launch of risk management described above and its 'branding', the awareness of risk management was reinforced by:

  • A schedule of training sessions. These sessions encompassed a range of risk and risk treatment issues, existing and emerging, relating to the organisation.
  • A risk management booklet, briefly summarising the organisation's standards and procedures for risk control across a range of business matters.
  • A risk management structure and process within each business unit. Each business unit was required to establish a risk management committee headed by the manager. This committee would meet at least quarterly, work to an agenda and keep minutes. An example of a typical agenda is shown below. The results from each business unit committee fed up to the organisation's overall risk management steering committee.
  • Accountability for cost of risk was devolved to each business unit. The cost of the organisation's insurances and self-insurance was allocated across all business units on the basis of their size, loss performance and extent of risk management implementation. The cost allocation model is also outlined below.
  • A 'blitz' program, whereby a specific theme or single risk issue was emphasised by the organisation for a period (typically every six months). In this way, in an environment of many competing management priorities, the organisation sought to focus attention on one key risk issue at a time.

Example of risk management agenda

Meeting #7
16 July 1998 0830-0945
Meeting Room 3

Attendance – present and apologies
Review of previous minutes – matters arising
Items for discussion:

Exposure identification and evaluation

  • Contractual liabilities
  • Six-monthly risk survey/audit results – summary of findings (attached)

Loss, incident and performance reports (attached)

  1. Major incidents for the quarter
  2. Routine quarterly loss reports
  3. Risk management progress and current program status

Communications, promotion and special emphasis programmes

  1. Intranet and website – incorporate RM booklet
  2. Blitz for the next two quarters – motor vehicle losses

Insurances
Special projects

  1. Incident and complaints investigation process; issues response and management process
  2. Due diligence assessments for leases, contracts, service providers, market testing.

Education and training

  1. Results of training needs assessment (see attachment)
  2. Next management RM seminar

General business
Next meeting

Cost allocation model

There are many possible cost allocation models for devolving an organisation's total cost of insurance premiums to its business units. These typically incorporate an allocation in proportion to the relative size of the business unit, its claims performance and its progress with risk management.

The following simple model was applied by the organisation in this case:

Business Unit Premium = (Total Premium x Size Factor) + % RM Adjustment x (Total Premium x Size Factor)

Where:

  • Business Unit Premium = the proportion of the organisation's total premium for property and casualty allocated to the specific business unit BU, in $
  • Total Premium = the organisation's total combined premium for the period for its property and casualty insurances (excluding the cost of statutory workers compensation premium/levy)
  • Size Factor = [(BU Assets + BU Revenue)/(Total Assets + Total Revenue)]
  • % RM Adjustment = (BU RM Score % – Average RM Score % of all BUs) = the percentage difference between the risk management rating of the business unit and the average rating for all business units, as rated on a risk management performance assessment scale, and applied to the BU's size-based premium (a positive adjustment increases the premium, a negative one reduces it).

The scale incorporated measures for assessment of risk management against standards, as well as ratings of claims performance for under-excess, high frequency and 'shock' losses. For example, percentage scores ranged from -12 per cent for good RM to +16 per cent for poor RM.

Example:

Business Unit Premium = $0.6M x [($2.5M + $14M)/($160M + $128M)] + (16%)
= $0.6M x (0.057) + 0.16 x ($0.6M x 0.057)
= $0.0344M + $0.0055M
= $0.0399M
= $39,875.
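The allocation model above, as an added worked example in Python that is not part of the original case study. Unit A reuses the page's figures ($2.5M assets, $14M revenue, +16% RM adjustment, $0.6M total premium); units B and C, their asset, revenue and RM-score values, and the choice of scores that average to zero are constructed assumptions. It goes one step beyond the single-unit example by allocating across the whole portfolio and checking whether the devolved premiums reconcile to the total.

```python
# Added worked example of the case study's cost allocation model (not from
# the page). Unit "A" reuses the page's figures; units B and C are constructed.
from dataclasses import dataclass


@dataclass
class BusinessUnit:
    name: str
    assets: float        # BU assets, $
    revenue: float       # BU revenue, $
    rm_score_pct: float  # RM performance rating, % (negative = good RM)


def bu_premium(total_premium, bu_assets, bu_revenue,
               total_assets, total_revenue, rm_adjustment_pct):
    # Size Factor = (BU Assets + BU Revenue) / (Total Assets + Total Revenue);
    # the % RM adjustment is applied to the size-based premium, as in the
    # page's worked figures.
    size_factor = (bu_assets + bu_revenue) / (total_assets + total_revenue)
    return total_premium * size_factor * (1 + rm_adjustment_pct / 100.0)


def allocate(total_premium, units):
    # Each unit's % RM adjustment is its score minus the average score of
    # all units (the page's definition). Returns {name: premium in $}.
    total_assets = sum(u.assets for u in units)
    total_revenue = sum(u.revenue for u in units)
    avg_score = sum(u.rm_score_pct for u in units) / len(units)
    return {u.name: bu_premium(total_premium, u.assets, u.revenue,
                               total_assets, total_revenue,
                               u.rm_score_pct - avg_score)
            for u in units}


def recovery_gap(total_premium, allocations):
    # Size factors sum to 1, but RM adjustments are weighted by unit size
    # and so do not cancel: the devolved premiums need not reconcile to the
    # total, and any shortfall (or surplus) has to be absorbed or rescaled.
    return total_premium - sum(allocations.values())


# Constructed portfolio: totals equal the page's $160M assets and $128M
# revenue, and the RM scores average to zero.
UNITS = [
    BusinessUnit("A", 2.5e6, 14e6, +16.0),   # poor RM, the page's example
    BusinessUnit("B", 100e6, 80e6, -12.0),   # good RM
    BusinessUnit("C", 57.5e6, 34e6, -4.0),
]
TOTAL_PREMIUM = 0.6e6
```

Run with `allocate(TOTAL_PREMIUM, UNITS)` and `recovery_gap(...)`: unit A comes out at the page's $39,875, while the three allocations together fall short of the $600,000 total.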

Risk assessment

The organisation viewed its exposures as being on two levels, as illustrated below. A risk assessment and risk management strategy applied at each level.

At the bottom level, 'working' losses and exposures represented self-insured risks and other risks dealt with regularly and capably at an operational level by business units. For example, these included fairly predictable losses like motor vehicle accident claims. The potential impact of risks at this level could be borne by the business unit budget or that of the organisation as a whole.

The financial 'cut-off' or yardstick of risk exposure at this level was notionally 10 per cent of the insurance premium cost. The risk management action here was for each business unit to monitor and reduce its cost of losses. This tied in with the organisation's reporting of risk performance discussed later.

Above working losses, 'managed' losses and exposures represented those that the organisation's budget could not absorb or where a corporate impact beyond the immediate control of a business unit might arise. The risk management action here was:

  • A risk register and risk treatment program of preventive and contingency measures in accordance with the Australian Standard AS/NZS 4360, prepared annually by each business unit as a part of its business planning
  • An overall corporate summary of the above business unit registers and risk programs
  • Risk transfer – primarily consisting of an insurance program managed corporately and standard procedures and risk control provisions for all contracts and agreements with risk potential assessed as being at this higher level
  • Risk audit – risk assessments undertaken by an external expert, predominantly comprising a selected sample of auditable risks and covering all business units over the course of a year. The auditable risks were defined during the organisation's business planning process when the corporate summary mentioned above was prepared.

Risk management assurance and reporting

The organisation's risk assurance and reporting strategy consisted of:

  • A six-monthly risk audit report through the Risk Management Steering Committee to the Board Audit Sub-Committee. This audit report encompassed the auditable risks for the period. It also showed a 'league ladder' of business unit risk performance and this included the progress of each with their risk management program – that is, it rated risk performance of each business unit from best to worst. The intention here was to bring visibility and peer comparison pressures to bear to improve the risk performance and risk management effort of the poorer business units, and to reward by visibility the better performers
  • Quarterly loss summary report across all business units for the Risk Management Steering Committee. This was one page, showing cost of losses by business unit, comparison of this cost with the previous quarter, incident rates, litigation, triple-A risk management rating and progress. An annual report summarising the organisation's 'cost of risk' was also prepared for the committee.

Risk management guidelines from this case study

This case study suggests the following guidelines and factors to consider in an endeavour to develop attention to risk management in an organisation:

  • Establish explicit 'top down' commitment to risk management by the organisation
  • Set simple goals and a simple structure for risk management
  • Provide a direct financial incentive and benefit for risk management progress
  • Maintain the visibility of risk management via regular themes, audits, training, executive committees and comparative performance reporting to the organisation's executive.


Page last updated: Monday, 7 June 2004
