Transcription of ARiskManagementStandard - The IRM
1 ARiskManagementStandardPublished by IRM: 2002 This Risk management Standard is theresult of workby a team drawn from themajorrisk management organisations inthe UK, including the Institute of Riskmanagement (IRM).In addition, the team sought the views andopinions of a wide range of otherprofessional bodies with interests in riskmanagement, during an extensive period management is a rapidly developingdiscipline and there are many and variedviews and descriptions of what riskmanagement involves, how it should beconducted and what it is for. Some form ofstandard is needed to ensure that there is anagreed: terminology related to the words used processby whichrisk management can becarried out organisation structure for risk management objective for risk managementImportantly, the standardrecognises thatrisk has both an upside and a management is not just something forcorporations or public organisations, butfor any activity whether short or longterm.
2 The benefits and opportunitiesshould be viewed not just in the context ofthe activity itself but in relation to themany and varied stakeholders who can are manyways of achieving theobjectives of risk management and it wouldbe impossible to try to set them all out in asingle document. Therefore it was neverintended to produce a prescriptive standardwhichwould have led to a box tickingapproach nor to establish a certifiableprocess. By meeting the variouscomponent parts of this standard, albeit indifferentways, organisations will be in aposition to report that they are incompliance. The standardrepresents bestpractice against which organisations canmeasure standard has wherever possible usedthe terminology for risk set out by theInternational Organization forStandardization (ISO) in its recentdocument ISO/IEC Guide 73 RiskManagement - Vocabulary - Guidelines foruse in view of the rapid developments in thisarea the authorswould appreciate feedbackfrom organisations as they put the standardinto use (addresses to be found on the backcover of this Guide).
3 It is intended thatregular modifications will be made to thestandard in the light of best Risk management Standard IRM: 20021 IntroductionRisk management is a central part of anyorganisation s strategicmanagement. It isthe process whereby organisationsmethodically address the risks attaching totheir activities with the goal of achievingsustained benefit within each activity andacross the portfolio of all focus of good risk management is theidentification and treatment of these objective is to add maximumsustainable value to all the activities of theorganisation. It marshals theunderstanding of the potential upside anddownside of all those factors which canaffect the organisation. It increases theprobability of success, and reduces boththe probability of failure and theuncertainty of achieving the organisation soverall management should be a continuousand developing process which runsthroughout the organisation s strategy andthe implementation of that strategy.
4 Itshould address methodically all the riskssurrounding the organisation s activities past,present and in particular, must be integrated into the culture ofthe organisation with an effective policyand a programme led by the most seniormanagement. It must translate thestrategy into tactical and operationalobjectives, assigning responsibilitythroughout the organisation with eachmanager and employee responsible for themanagement of risk as part of their jobdescription. It supports accountability,performance measurement and reward,thus promoting operational efficiency atall External and Internal FactorsTherisksfacing an organisation and itsoperations can result fromfactors bothexternal and internal to the organisation. The diagramoverleaf summarises examplesofkeyrisks in these areas and shows thatsome specific risks can have both externaland internal drivers and thereforeoverlapthe two areas.
5 They can be categorisedfurther into types of risk such as strategic,financial, operational, hazard, Risk management StandardRisk can be defined as the combination ofthe probability of an event and itsconsequences (ISO/IEC Guide 73).In all types of undertaking, there is thepotential for events and consequences thatconstitute opportunities for benefit (upside)or threats to success (downside).Risk management is increasingly recognisedas being concerned with both positive andnegative aspects of risk. Therefore thisstandard considers risk from the safety field, it is generally recognisedthat consequences are only negative andtherefore the management of safety risk isfocused on prevention and mitigation Risk2. Risk management IRM: Examples of the Drivers of Key RisksRisk management is a central part of anyorganisation s strategicmanagement.
6 It isthe process whereby organisationsmethodically address the risks attaching totheir activities with the goal of achievingsustained benefit within each activity andacross the portfolio of all focus of good risk management is theidentification and treatment of these objective is to add maximumsustainable value to all the activities of theorganisation. It marshals theunderstanding of the potential upside anddownside of all those factors which canaffect the organisation. It increases theprobability of success, and reduces boththe probability of failure and theuncertainty of achieving the organisation soverall management should be a continuousand developing process which runsthroughout the organisation s strategy andthe implementation of that strategy. Itshould address methodically all the riskssurrounding the organisation s activities past,present and in particular, must be integrated into the culture ofthe organisation with an effective policyand a programme led by the most seniormanagement.
7 It must translate thestrategy into tactical and operationalobjectives, assigning responsibilitythroughout the organisation with eachmanager and employee responsible for themanagement of risk as part of their jobdescription. It supports accountability,performance measurement and reward,thus promoting operational efficiency atall External and Internal FactorsTherisksfacing an organisation and itsoperations can result fromfactors bothexternal and internal to the organisation. The diagramoverleaf summarises examplesofkeyrisks in these areas and shows thatsome specific risks can have both externaland internal drivers and thereforeoverlapthe two areas. They can be categorisedfurther into types of risk such as strategic,financial, operational, hazard, Risk management StandardRisk can be defined as the combination ofthe probability of an event and itsconsequences (ISO/IEC Guide 73).
8 In all types of undertaking, there is thepotential for events and consequences thatconstitute opportunities for benefit (upside)or threats to success (downside).Risk management is increasingly recognisedas being concerned with both positive andnegative aspects of risk. Therefore thisstandard considers risk from the safety field, it is generally recognisedthat consequences are only negative andtherefore the management of safety risk isfocused on prevention and mitigation Risk2. Risk management IRM: Examples of the Drivers of Key risks providing a framework for anorganisation that enables future activityto take place in a consistent andcontrolled manner improving decision making, planningand prioritisationby comprehensive andstructured understanding of businessactivity,volatility and projectopportunity/threat contributing to more efficientuse/allocation of capital and resourceswithin the organisation reducingvolatility in the non essentialareas of the business protecting and enhancing assets andcompany image developing and supporting people andthe organisation s knowledge base optimising operational The Risk management ProcessRisk management protects and adds value to the organisation and its stakeholders throughsupporting the organisation s objectivesby.
9 NoitacifidoMFormalAuditThe Organisation sStrategic ObjectivesRisk AssessmentRisk AnalysisRisk IdentificationRisk DescriptionRisk EstimationRisk EvaluationRisk ReportingThreats and OpportunitiesDecisionRiskTreatmentResidu al Risk ReportingMonitoringA Risk management Risk IdentificationRisk identification sets out to identify anorganisation s exposure to uncertainty. Thisrequires an intimate knowledge of theorganisation, the market in which it operates,the legal, social, political and culturalenvironment in which it exists, as well as thedevelopment of a sound understanding of itsstrategic and operational objectives,including factors critical to its success and thethreats and opportunities related to theachievement of these identification should be approachedin a methodical way to ensure that allsignificant activities within the organisationhave been identified and all the risksflowing from these activities defined.
10 All associated volatilityrelated to theseactivities should be identified activities and decisions can beclassified in a range of ways, examples ofwhich include: Strategic - These concern the long-termstrategic objectives of the organisation. Theycan be affected by such areas as capitalavailability, sovereign and political risks ,legal and regulatory changes, reputationand changes in the physical environment. Operational - These concern the day-to-day issues that the organisation isconfronted with as it strives to deliver itsstrategic objectives. Financial - These concern the effectivemanagement and control of the finances ofthe organisation and the effects of externalfactors such as availability of credit, foreignexchangerates, interest rate movement andother market exposures. Knowledge management - These concernthe effective management and control of theknowledge resources, the production,protection and communication factors might include theunauthorised use or abuse of intellectualproperty, area power failures, andcompetitive technology.