PART I
Risk agenda
This component requires the organization to set the agenda for risk management, including a clear understanding of why the organization undertakes risk management activities and the main features of those activities.
Importance of the risk agenda
Part I is concerned with the risk agenda for the organization. The risk agenda component defines what the organization is going to do in relation to risk management and how it is going to do it. This will require identification of the passive and proactive risk management drivers for the organization, as well as the design of the features of the risk management initiative. Establishing the risk agenda starts with a consideration of why the organization undertakes risk management activities. This may be for passive reasons, such as:
• it is a mandatory requirement placed on the organization by regulators, customers or other stakeholders;
• there is a need to provide assurance regarding the existence of adequate risk management procedures; and/or
• risk management information needs to be available to make better informed business decisions.
Risk management activities may also be undertaken for proactive reasons and it is in these circumstances that the organization gains maximum benefit from risk management. The proactive reasons include the need to have efficient and effective:
• strategy and strategic decisions;
• tactics, including project identification and implementation;
• operations that are free from unplanned disruption; and
• compliance with all relevant rules and regulations.
The risk agenda also includes consideration of the principles that will be followed or the features that will be incorporated when the risk management initiative is designed and implemented. Following these principles and incorporating these features will ensure that the risk management initiative itself is also efficient and effective. The principles that should be applied to the design and implementation of a risk management initiative are that risk management activity should be:
• proportionate to the level of risk faced by the organization, but comprehensive by considering all types of risks;
• aligned with all the activities and processes of the organization and embedded within those activities and processes; and
• dynamic and responsive to emerging risks, changing circumstances and developing situations.
The importance of the risk agenda is that it establishes the context within which risk management activities will take place. This will ensure that risk management activities are coordinated, but are always appropriate for the size, nature and complexity of the organization. These principles should be embedded within the risk management architecture and protocols for the organization.
Decisions about the scope of risk management activities within the organization and the reasons for undertaking those activities will ensure that they are always relevant and focused, while at the same time being suitable and sufficient for the organization. Establishing an appropriate risk agenda will maximize the opportunities for gaining benefit from those risk management activities.
Scope of the risk agenda
The scope of the risk agenda can be demonstrated by use of the risk management bow-tie. This simple diagram, shown in Figure PI, extracts information from the risk management cube shown in Figure I in the Introduction. It incorporates the key messages relevant to an effective risk agenda.
FIGURE PI Risk agenda bow-tie
The risk agenda bow-tie illustrates that development of an appropriate risk agenda depends on consideration of the potential impact of risk events on the finances, infrastructure, reputation and marketplace of the organization. The risk agenda should also ensure that the organization makes appropriate plans to successfully manage the anticipated consequences of these events for strategy, tactics, operations and compliance.
Key messages for Part I
Part I is concerned with the organization's risk agenda, including consideration of why the organization is launching a risk management initiative and the features of the approach that should be taken. In summary, the key requirements are that risk management activities within an organization should be:
• undertaken for explicitly identified reasons, either passive or proactive, as this will enable the organization to quantify the benefits that are being sought and ensure that they are achieved; and
• planned in a way that is appropriate for the size, nature and complexity of the organization and, in particular, the initiative should have features that are proportionate, aligned and dynamic.
CHAPTER ONE
RELEVANCE OF THE RISK AGENDA
Definitions and types of risk
The Oxford English Dictionary definition of risk is: 'a chance or possibility of danger, loss, injury or other adverse consequences' and the definition of at risk is 'exposed to danger'. In this context, risk is used to signify negative consequences. To undertake risk management within an organization, a definition of risk that is more aligned with business activities is required.
Risk in an organizational context is usually defined as anything that can impact the fulfilment of corporate objectives. This is a useful definition that is used by many organizations to define the risks to their activities and processes. However, it is helpful to clarify two issues: 1) whether risk can be attached to features of the organization other than corporate objectives; and 2) whether risk should always be considered as a negative.
The difficulty in attaching risks to corporate objectives is that the objectives may not be stated in full and they will often be established as annual objectives, usually associated with achieving change in the organization. However, it is possible to identify the risks faced by the organization by undertaking an analysis of its other features, such as the key dependencies, stakeholder expectations and/or core processes. These options for the attachment of risk are explored in more detail throughout this book.
In common usage, risks are considered to be events with an adverse outcome. This is an appropriate basis on which to plan risk management activities and is the approach that is taken in this book. In simple terms, risks may be considered to be those events with the potential to have a significant (negative) impact on the organization. The following box provides an example of the definition of risk used by an organization. It is worth emphasizing that defining risk is a critical starting point for an organization and a vital component of the risk agenda.
Definition of risk used by a council:
Risk can be defined as the chances of something happening or not happening that will have an influence upon the achievement of business objectives. A risk can also be the failure to take advantage of opportunities to optimize the council achieving its planned objectives.
Considering risk to be associated with events that can only have negative outcomes is a useful and valid starting point for any risk management initiative. This will help bring clarity to the purpose of the initiative and will also have the benefit that the word 'risk' will be used in a way that aligns with everyday usage and understanding. Throughout this book, risk is used to indicate negative events and/or those events with an unacceptable level of uncertainty. This approach recognizes that the management of an organization is concerned with the rewards that the organization is seeking to achieve for stakeholders.
Compiling a risk description
Having decided on the definition of risk that will be used in an organization, the next step is to decide the information that will be required to adequately describe each risk. A detailed description is necessary to fully understand a risk. This will ensure that a common understanding of the risk can be shared across the whole organization and shared with stakeholders, as necessary.
There are many ways in which a risk can be defined and/or described. The purpose of establishing a list of features that will be collected about a risk is to ensure that the potential impact and anticipated consequences of the risk are understood. It is important that sufficient information is collected about each risk, but it is also important that unnecessary or theoretical information is avoided. This is consistent with seeking to ensure that risk management activities do not give rise to data that is unrelated to the information used to manage the organization.
The list below is consistent with the overall methodology for risk management described in this book. The focus is on keeping risk management activities relevant to the success of the organization. This means that information about risks should not be compiled in a way that is separate from managing the organization. Figure PI illustrated that risk management is not only concerned with an understanding of the potential impact of risks on the organization, but (more importantly) the anticipated consequences should the risk event occur.
The level of detail required when describing a risk will depend on the size, nature and complexity of the organization. However, to keep risk management as relevant as possible to the success of th...