Robert Chapman heralds a return to first principles in forthcoming revised risk management guidance.

There are a number of current initiatives, including the development of international standards, which are examining the creation of a set of risk management principles. Siemens Insight Consulting (Insight) has recently undertaken research into the development of a set of universally applicable risk management principles. The interest in principles is driven by the desire to re-examine how the benefits of risk management may be realised.

These initiatives consider that the future of effective risk management lies in returning to the past: understanding developments in corporate governance and risk management in order to be clear about the reason for risk management, the ingredients of productive risk management and the direction the discipline should now take. At the same time there is a recognition that, while organisations of all types and sizes have to take account of uncertainty in decision-making in the drive to achieve their objectives, the context of that decision-making is constantly changing. Hence, any new principles need to take cognisance of the past while recognising organisations' changing context.

The Office of Government Commerce (OGC) recently commissioned a team of risk management practitioners (including Insight) to refresh their publication Management of Risk: Guidance for Practitioners. The new publication will be released in March 2007. On behalf of the OGC, the authors have included a series of principles of risk management as an essential foundation or starting point that should underpin all risk management activity. These are universally applicable guidelines to aid and influence risk management practices.

The summary headings of the principles are as follows:

- organisational context

- stakeholder involvement

- organisational objectives

- MoR(R) approach

- reporting

- roles and responsibilities

- support structure

- early warning indicators

- review cycle

- overcoming barriers to MoR(R)

- support culture

- continual improvement.


The forthcoming publication Management of Risk: Guidance for Practitioners will provide a full description of the principles, together with their supporting factors.

The authors consider that risk management principles are essential for the development of good risk management practice. They are intended to be concise, readily understood and easily applicable. They are all derived from proven corporate governance principles in the recognition that risk management is a subset of any organisation's internal controls. These principles are not intended to be prescriptive but to provide supportive guidance to enable organisations to improve their own policies, processes and plans to meet their specific needs.

They are evolutionary in nature in that the way they are applied may need to change over time to reflect a change in circumstances. Organisations must innovate and adapt their risk management practices to remain competitive in a changing and uncertain world, so that they can respond to new demands and exploit new opportunities.

Additionally, the adoption of risk management principles must support scalable risk management practices to reflect an organisation's size and the extent of its operations and services. The principles are aimed at providing a foundation for effective risk management, which contributes to the improvement of performance.

The authors consider the principles are interdependent to the point where they cannot all be implemented simultaneously, ie some principles have to be in place before the remainder can be established. Hence we have distinguished between what we call 'foundation' and 'successive' principles. Foundation principles have the greatest initial benefit and must be in place prior to the establishment of successive principles, which will also provide significant benefits, but on a diminishing scale. The sequence in which any one organisation adopts the principles will depend on how long it has been established, its size, organisational structure, culture and current risk maturity.

Risk management principles are inextricably linked to an organisation's risk maturity. All organisations are likely to have developed risk management practices which embrace these principles to some degree. However, the benefits of risk management derived by an organisation will depend directly on the level of maturity of its risk management practices. Continual learning organisations look to improve their processes to enhance their overall performance in an ever changing and increasingly competitive environment.

A way of understanding an organisation's risk maturity is with the aid of a maturity model. In general terms, a risk maturity model is a generally accepted reference model or framework of mature practices for appraising an organisation's risk management competency. Experience has shown that risk management maturity can be described as a series of distinct incremental steps which progressively provide greater benefits. A maturity model is a structured collection of elements that describe the characteristics of effective processes.

Maturity models are valuable tools in enabling organisations to benchmark their current risk management capability and maturity and understand how and where improvement may be achieved. They are intended to provide a well-structured and detailed guide to facilitate the progressive incremental improvement in risk management practices. With the aid of a maturity model, organisations can set their realistic long-term goals for risk management.

Summary

Effective risk management practices need to be based on a series of fundamental risk management principles which reflect proven corporate governance and risk management best practice. In addition, there needs to be an understanding that these principles need to be introduced incrementally and a recognition that organisations will already have established risk management practices in some form. Lastly, embedding risk management principles is inextricably linked with developing risk management maturity. Organisations looking for improvement and performance growth will adopt these principles to make their practices more mature.

Dr Robert Chapman is head of risk management at Siemens Insight Consulting. E-mail: robert.chapman@siemens.com