Sunday, 12 October 2014

The Risk Environment

Managing uncertainty has become an essential part of ordinary organisational governance.  

Today there are a number of recognised international and national standards dealing with risk management.

Sometimes risk planning produces poor outcomes

1.  Risk Management Standard ISO 31000:2009 Principles and guidelines on risk management.

This is the world standard on risk.  Risk is defined as the “effect of uncertainty on objectives” – emphasising the effect rather than an event. For example, risk is not an earthquake but the chance that an earthquake might impact your business’s objectives. Risk is not necessarily negative (to be avoided or passed onto others). Risk may create strategic opportunities.

Risks may not just arise from sudden unexpected circumstances – some of the circumstances may be entrenched or slow emerging – some may be internal or specific to your organisation, some may be widespread.  However, in every case, risk must be related to the circumstances of your organisation.

It emphasises the need for risk to be managed in an integrated way. It consists of principles for managing risk, a framework for managing risk, and processes for managing risks.

The principles stress the need for risk management to:
1.       create value
2.       be an integral part of organizational processes
3.       be part of decision making
4.       explicitly address uncertainty
5.       be systematic, structured and timely
6.       be based on the best available information
7.       be aligned to a specific organisation and its objectives
8.       take human and cultural factors into account
9.       be transparent and inclusive
1.   be dynamic, iterative and responsive
1.   facilitates continual improvement

The framework for managing risk emphasises the need for the framework to be mandated and committed.  If these conditions are met, the framework proceeds through a cycle of design, implementation, monitoring and continual improvement.  The framework sets policy, demonstrates commitment, provides resources, allocates responsibility and monitors progress.

The processes for managing risk emphasises communication and consultation as essential means of ensuring high quality information.  Risk assessment (risk identification, analysis and evaluation) occurs within a specific context and results in the treatment of the risk.  Core to this is the risk assessment methodology:
1   .       Identification: What could happen?; How and where it could happen?; Why it could happen?; What is the impact or potential impact?
2   .       Analysis: Identify the causes, contributing factors and actual or potential consequences; identify existing or current controls; assess the likelihood & impact/consequence to determine the risk rating
3   .       Evaluation: Is the risk acceptable or unacceptable?; Does the risk need treatment or further action?; Do the opportunities outweigh the threats?

Specific guidance is provided for Enterprise Risk Management and how risk should sit within an organisational framework.

ISO 31000-2009 provides basic guidelines for establishing whole-of-enterprise risk management processes. Risk may managed through a number of strategies, including risk avoidance, sharing, financing, retention, acceptance or mitigation. These management strategies may include clear risk management statements, formalising risk management processes, structuring framework processes and continuous improvement.

A preferential list is given for managing risk:
1   .       Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk
2   .       Accepting or increasing the risk in order to pursue an opportunity
3   .       Removing the risk source
4   .       Changing the likelihood
5   .       Changing the consequences
6   .       Sharing the risk with another party or parties (including contracts and risk financing)
7   .       Retaining the risk by informed decision

Because of the different circumstances in which risk can arise, the standard does not mandate uniformity nor certification.  Released by the International Organisation for Standardisation (ISO) on 15 November 2009.
     AS/NZS ISO 31000:2009 – Risk management - Principles and guidelines  (20 November, 2009)
Direct adoption of Risk Management Standard ISO 31000:2009 by Standards Australia.  Replaces AS/NZS 4360 (1995), Risk Management (similar in many respects, however the older standard defined risks in terms of events rather than effects).

3.  ISO Guide 73:2009 – Risk management – Vocabulary  (15 November, 2009)
Provides definitions of generic terms related to risk management.

4.  IEC/ISO 31010:2009 – Risk Management – Risk Assessment Techniques  (1 December, 2009)
Guidance on selection and application of systematic techniques for risk assessment.  Refers to other international standards.
      HB 327:2010 – Communicating and consulting about risk  (23 February, 2010)
A companion handbook to AS/NZS ISO 31000:2009 emphasising the importance of continuous communication and consultation as part of risk management. It considers how the flow of knowledge is impacted by the mix of facts, uncertainties, perceptions, complexities, beliefs and values.

6.  AS/NZS 5050:2010 Business continuity – Managing disruption-related risk  (28 June, 2010)
This standard sets out detailed proposals for risk management plans designed to reduce events that could cause disruption.  It emphasises mandate and commitment, monitoring and review and the continual improvement of the framework. The approach increases resilience, aimed at stabilisation, resumption, recovery, opportunities and assumption of new risk.

It emphasises the need to undertake proactive risk treatment and preparation during periods of routine management before a risk event is identified.  These proactive controls can minimise the occurrence or severity of future disruptive events (eg, building evacuation drills, off-site computer backups).  Once an event commences, a non-routine management techniques need to be embraced emphasising stability, continuance of critical business functions and recovery, during the transition to routine management.

Adoption of an effective plan can demonstrate dependability to stakeholders, better understand business and business opportunities, protect commercial interests, protect customers, accept further risk and remain compliant.  The standard contributed to a better understanding of non-routine management, including a better understanding of the potential for disruption and the need to remain focussed on business objectives.
     HB 266:2010 – Guide for managing risk in not-for-profit organisations  (12 August, 2010)
A companion handbook to AS/NZS ISO 31000:2009 dealing with risk in not for profit organisations.

     HB 246:2010 Guidelines for managing risk in sport and recreation organisations  (18 August, 2010)
A companion handbook to AS/NZS ISO 31000:2009 dealing with risk in sport and recreation organisations.

ISO 31000-2009 and the related standards provide a sensible basic and generic framework for risk management planning.  They provide a basis for categorising some risk types and planning to deal with risks.

However, as witnessed by the need for a subsequent standard dealing with disruption-related risk (AS/NZS 5050:2010 Business continuity), this is still a developing area and there remains debate about how the standards will change over time. 

The existing standards give insufficient emphasis to undertaking proactive action prior to risks emerging.  Further, while useful tools have emerged as a result of ISO 31000-2009, the reports generated using it all too often end up collecting dust. 

Peter Quinton
October 2014

No comments: