Robert Chapman summarises 12 principles that should underpin risk management
The Office of Government Commerce (OGC) recently commissioned an update of its publication Management of Risk: Guidance for Practitioners. Risk management practitioners Siemens Insight Consulting (Insight) were invited to be contributors to the new edition, which was released in March 2007.
On behalf of the OGC, the authors included in the update a series of principles of risk management as the essential foundation, or starting point, that should underpin all risk management activity. These principles are universally applicable guidelines for aiding and influencing risk management practice. Insight considers that the future of risk management lies in returning to the past: understanding how corporate governance and risk management have developed, and gaining clarity about the reason for risk management, the ingredients of effective risk management and the direction the discipline should now take.
We identified 12 principles as follows:
• Organisational context
• Stakeholder involvement
• Organisational objectives
• M_o_R® approach
• Reporting
• Roles and responsibilities
• Support structure
• Early warning indicators
• Review cycle
• Overcoming barriers to M_o_R®
• Support culture
• Continual improvement.
The authors considered that some of the principles had to be in place before others could be introduced, and so we introduced the concept of 'foundation' and 'successive' principles. Foundation principles have the greatest initial benefit and must be in place before successive principles are established; the successive principles also provide significant benefits, but on a diminishing scale. The sequence in which any one organisation adopts the principles will depend on how long it has been established, its size, its organisational structure, its management culture and its current risk maturity. Figure 1 shows one possible sequence in which the principles may be implemented.
The updated publication describes the principles and their individual supporting factors. The supporting factors are the issues that need to be addressed and the activities that need to be undertaken to implement each principle.
A full description of the principles and their supporting factors is contained in the publication (see panel for details of how to obtain it). The 12 principles can be summarised as follows.
Organisational context
A key step in risk management is the identification of threats, opportunities and other areas of uncertainty. Effective identification of these depends on an understanding of the context of the organisation or activity under examination, to avoid blind spots and subsequent unpleasant surprises.
Stakeholder involvement
As the trend towards increasingly complex, large and costly organisational activities continues unabated, so does the effort required to manage stakeholders. A lack of engagement with primary stakeholders can be detrimental to establishing, agreeing and achieving an activity's objectives.
Organisational objectives
The success of any organisation is measured by whether it accomplishes its objectives and whether they are achieved in a satisfactory and responsible way. As the purpose of risk management is to understand and manage the threats to, and opportunities arising from, these objectives, risk management can only take effect once it is clear what those objectives are.
M_o_R approach
Organisations should develop an approach to the management of risk which reflects their unique objectives. It is common for organisations to describe their approach through their policies, processes and plans. Collectively, these documents describe the what, when, where, who, how and why. They set out how risks will be identified, estimated, evaluated, responded to and managed. They indicate when risk management will be carried out, by whom and for what purpose.
Reporting
The governing body of an organisation should receive, review and act on management of risk reports. A fundamental aspect of risk management is therefore the communication of risk information to management, to enable them to make informed decisions. All significant planned organisational activities should be accompanied by a risk report.
Roles and responsibilities
When a board establishes the roles to be performed (and the organisational structure to enable those roles to function and deliver the organisational objectives), it has to decide on the commitment it is going to make to risk management. Hence, for risk management to be supported, there must be an understanding of both the need for a risk management role and the responsibilities of that role.
Support structure
For the benefits to be obtained, risk management needs to be led, directed, driven, supported and encouraged through the creation of a support structure. In particular, risk management needs to be supported by risk management personnel who will, for instance, ensure that the policies are adhered to, the process is followed and appropriate techniques are adopted.
Early warning indicators
An aim of risk management is to be proactive and to address potential problems before they materialise. Organisations should therefore establish early warning indicators for critical business activities as part of the active management of risk, to provide information on the potential sources of risk. Early warning indicators can be used to track business-sensitive issues so that, should certain levels be reached, corrective action is triggered.
Review cycle
An organisation's system of internal control has a key role to play in the management of risks that are significant to the fulfilment of its overall objectives. However, an organisation's objectives, its internal organisation and the environment within which it operates are continually evolving and, as a result, the risks it faces are continually changing. A sound and effective risk process therefore depends on regular review of the risks the organisation is facing and of the policies, processes and plans it is adopting to manage them.
Overcoming barriers to M_o_R
There needs to be recognition that even though an organisation has risk management policies, processes and plans in place, this will not automatically lead to robust, effective and efficient risk management practice. It is commonly accepted that there are a series of barriers or obstacles to the implementation of risk management that need to be addressed to secure its benefits. Failure to understand these barriers can restrict an organisation in improving the maturity of its processes.
Support culture
Organisations should establish the right culture for supporting the management of risk throughout the organisation. The culture will reflect how beneficial risk management is considered to be by the board. The degree of support for risk management will lie somewhere on the continuum between 'do the minimum to satisfy governance requirements' and driving business improvement to become a market leader.
Continual improvement
While risk management reviews will enable organisations to understand the effectiveness of risk response planning on current or recently completed activities, they will not equip management with an adequate understanding of their risk maturity to enable them to plan and implement a step change in their risk management practices. Organisations that are interested in continual improvement should develop strategies to improve their risk maturity.
The objectives of risk management need to be made explicit, and there needs to be a well-reasoned argument about what is undertaken, why it is undertaken and the benefits that are expected. Senior management in the majority of organisations have corporate governance expectations placed upon them, and they need to understand how these requirements translate into risk management practices. These practices need to be based on established risk management principles which have their roots in proven corporate governance and risk management best practice.
Robert Chapman is head of risk management at Siemens Insight Consulting.
About the publication
Management of Risk: Guidance for Practitioners
The 2007 edition (PDF) has been prepared by the Office of Government Commerce (OGC). It is published by The Stationery Office at £52.88 and can be downloaded from the Stationery Office website at: http://tinyurl.com/2owbg7
The publishers state that M_o_R takes a best practice approach, which offers a structured and effective framework for risk management. Its aim is to help organisations to achieve their objectives by first identifying the risks, and then choosing the right response to the threats and opportunities that are created by uncertainty.
Providing a route map for risk management, M_o_R brings together key principles, a recommended approach, a set of inter-related processes and pointers to more detailed sources of advice on risk management techniques and specialisms. It also shows how the guidance should be embedded, reviewed and applied differently, depending on the nature of the objectives at risk.
The 2007 edition is a major update of the M_o_R guidance written in 2002.
The framework has been strengthened in the following areas:
• Corporate governance and internal control: reflects advice from the Turnbull report and covers the new regulatory regimes in the UK, Europe and the US.
• M_o_R Principles: expanded to reflect the requirements of corporate governance and internal control and the growing interest in continual improvement and organisational maturity.
• M_o_R Framework: the 2002 edition refers to this in both the Principle chapters and the Process chapter; in this edition the guidance is greatly expanded through a brand new chapter on the topic.
• M_o_R Process: updated and expanded to reflect current thinking, changes made to the HM Treasury Orange Book, and the relationship between these and the M_o_R Principles and Framework.
• Embedding and reviewing M_o_R: expands the guidance in the 2002 edition to show how M_o_R can be successfully introduced into an organisation.
• M_o_R Perspectives: with a clear focus on successful business change, considers the different aspects of risk management within an organisation from the strategy, programme, project and operational perspectives.
• Appendices: six key topics now replace the 11 appendices: risk management techniques; document outlines; health check; the use of maturity models; risk specialism; selecting tools to support risk management.
• Glossary: updated to reflect the common language used across M_o_R, PRINCE2 and MSP, and aligned with BSI's emerging risk standard.