Transcription of A RISK MANAGEMENT STANDARD
FEDERATION OF EUROPEAN RISK MANAGEMENT ASSOCIATIONS

A RISK MANAGEMENT STANDARD

Introduction

The Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK - The Institute of Risk Management (IRM), The Association of Insurance and Risk Managers (AIRMIC) and ALARM The National Forum for Risk Management in the Public Sector.

In addition, the team sought the views and opinions of a wide range of other professional bodies with interests in risk management, during an extensive period of consultation.

Risk management is a rapidly developing discipline and there are many and varied views and descriptions of what risk management involves, how it should be conducted and what it is for. Some form of standard is needed to ensure that there is an agreed:

- terminology related to the words used
- process by which risk management can be carried out
- organisation structure for risk management
- objective for risk management

Importantly, the standard recognises that risk has both an upside and a downside.

Risk management is not just something for corporations or public organisations, but for any activity whether short or long term. The benefits and opportunities should be viewed not just in the context of the activity itself but in relation to the many and varied stakeholders who can be affected.

There are many ways of achieving the objectives of risk management and it would be impossible to try to set them all out in a single document. Therefore it was never intended to produce a prescriptive standard which would have led to a box ticking approach nor to establish a certifiable process. By meeting the various component parts of this standard, albeit in different ways, organisations will be in a position to report that they are in compliance. The standard represents best practice against which organisations can measure themselves.

The standard has wherever possible used the terminology for risk set out by the International Organization for Standardization (ISO) in its recent document ISO/IEC Guide 73 Risk Management - Vocabulary - Guidelines for use in standards.

In view of the rapid developments in this area the authors would appreciate feedback from organisations as they put the standard into use (addresses to be found on the back cover of this Guide). It is intended that regular modifications will be made to the standard in the light of best practice.

AIRMIC, ALARM, IRM : 2002, translation copyright FERMA : 2003.

1. Risk

Risk can be defined as the combination of the probability of an event and its consequences (ISO/IEC Guide 73).

In all types of undertaking, there is the potential for events and consequences that constitute opportunities for benefit (upside) or threats to success (downside).

Risk management is increasingly recognised as being concerned with both positive and negative aspects of risk. Therefore this standard considers risk from both perspectives.

In the safety field, it is generally recognised that consequences are only negative and therefore the management of safety risk is focused on prevention and mitigation of harm.

2. Risk Management

Risk management is a central part of any organisation's strategic management. It is the process whereby organisations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.

The focus of good risk management is the identification and treatment of these risks. Its objective is to add maximum sustainable value to all the activities of the organisation. It marshals the understanding of the potential upside and downside of all those factors which can affect the organisation. It increases the probability of success, and reduces both the probability of failure and the uncertainty of achieving the organisation's overall objectives.

Risk management should be a continuous and developing process which runs throughout the organisation's strategy and the implementation of that strategy. It should address methodically all the risks surrounding the organisation's activities past, present and in particular, future.

It must be integrated into the culture of the organisation with an effective policy and a programme led by the most senior management. It must translate the strategy into tactical and operational objectives, assigning responsibility throughout the organisation with each manager and employee responsible for the management of risk as part of their job description. It supports accountability, performance measurement and reward, thus promoting operational efficiency at all levels.

External and Internal Factors

The risks facing an organisation and its operations can result from factors both external and internal to the organisation. The diagram overleaf summarises examples of key risks in these areas and shows that some specific risks can have both external and internal drivers and therefore overlap the two areas. They can be categorised further into types of risk such as strategic, financial, operational, hazard, etc.

Examples of the Drivers of Key Risks
(Diagram: externally driven risks form the outer ring, internally driven risks the centre, laid out in four quadrants by risk type.)

FINANCIAL RISKS
- Externally driven: interest rates, foreign exchange, credit
- Internally driven: liquidity & cash flow

STRATEGIC RISKS
- Externally driven: competition, customer changes, industry changes, customer demand
- Internally driven: M & A integration, research & development, intellectual capital

OPERATIONAL RISKS
- Externally driven: regulations, culture, board composition
- Internally driven: accounting controls, information systems, recruitment, supply chain

HAZARD RISKS
- Externally driven: contracts, natural events, suppliers, environment
- Internally driven: public access, employees, properties, products & services

The Risk Management Process

Risk management protects and adds value to the organisation and its stakeholders through supporting the organisation's objectives by:

- providing a framework for an organisation that enables future activity to take place in a consistent and controlled manner
- improving decision making, planning and prioritisation by comprehensive and structured understanding of business activity, volatility and project opportunity/threat
- contributing to more efficient use/allocation of capital and resources within the organisation
- reducing volatility in the non essential areas of the business
- protecting and enhancing assets and company image
- developing and supporting people and the organisation's knowledge base
- optimising operational efficiency

(Process diagram, reproduced as a list of its stages:)

The Organisation's Strategic Objectives
- Risk Assessment
  - Risk Analysis: Risk Identification, Risk Description, Risk Estimation
  - Risk Evaluation
- Risk Reporting: Threats and Opportunities
- Decision
- Risk Treatment
- Residual Risk Reporting
- Monitoring

Formal Audit and Modification appear alongside the main flow as feedback paths into the process.
3. Risk Assessment

Risk Assessment is defined by the ISO/IEC Guide 73 as the overall process of risk analysis and risk evaluation. (See appendix)

4. Risk Analysis

Risk Identification

Risk identification sets out to identify an organisation's exposure to uncertainty. This requires an intimate knowledge of the organisation, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to its success and the threats and opportunities related to the achievement of these objectives.

Risk identification should be approached in a methodical way to ensure that all significant activities within the organisation have been identified and all the risks flowing from these

- Financial - These concern the effective management and control of the finances of the organisation and the effects of external factors such as availability of credit, foreign exchange rates, interest rate movement and other market exposures.
- Knowledge Management - These concern the effective management and control of the knowledge resources, the production, protection and communication thereof. External factors might include the unauthorised use or abuse of intellectual property, area power failures, and competitive technology. Internal factors might be system malfunction or loss of key staff.
- Compliance - These concern such issues as health & safety, environmental, trade descriptions, consumer protection, data protection, employment practices and regulatory issues.

Whilst risk identification can be carried out by outside consultants, an in-house approach with well communicated, consistent and co-ordinated processes and tools (see Appendix)