Getting the framework right

The purpose of a risk management framework is to facilitate the identification, evaluation and management of both positive (opportunities) and negative risk events (threats), which will have an impact on the objectives of an organisation and its ability to implement its strategy. And this information may be used to inform management and board decision making.

There are a number of risk management frameworks that an organisation may take off the shelf, including the Institute of Risk Management's Risk Management Standard, COSO's Enterprise Wide Risk Management – Integrated Framework, the Australia New Zealand Risk Management Standard, and the UK Office of Government Commerce Risk Management Framework.

Rather than endorsing any particular one of the above, my view is that the key differentiator between those organisations that manage risk well and those that manage it badly is not the framework adopted, but the quality of its implementation. A risk management framework that is particularly well implemented will be a source of competitive advantage in the private sector and will help to ensure that any organisation meets the needs of its stakeholders more comprehensively.

A framework in outline

By way of example, the COSO enterprise risk management framework, in summary, consists of eight interrelated components.

Internal environment sets the basis for how people view and address risks, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Objective setting ensuring that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.

Event identification internal and external events, both positive and negative, must be identified and channelled into decision making processes.

Risk assessment risks are analysed, considering likelihood and impact on an inherent and residual basis, to determine how they should be managed.

Risk response management selects risk responses (eg avoid, accept, reduce, share) and develops actions to align risks with the entity's risk appetite.

“For risk management to be fully effective it needs to be embedded in an organisation's processes

Control activities policies and procedures are established and implemented to help ensure the risk response is effectively carried out.

Information and communication relevant information is identified, captured and communicated in a form and time frame that enables people to carry out their responsibilities.

Monitoring the entirety of enterprise risk management is monitored and modified as necessary.

Implementation of a framework

A risk management framework cannot be implemented without the explicit backing of an organisation's governing body. It is crucial to consult both executive and non-executive directors to understand their expectations, (so that it is clear what success looks like), and to seek their support in publicly endorsing the importance of effective risk management to the achievement of business objectives. Even where the board is the catalyst, perhaps feeling that its risk management needs are not being met, it is crucial to create an appetite for change right across the organisation, by drawing attention to issues that have arisen that could have been prevented or mitigated by good risk management. Having embarked on the journey, it is also crucial to achieve quick wins and to publicise them widely in order to retain this commitment.

Establishing the board's risk appetite as an early step in implementing the framework is very important. Otherwise there is a danger that managers, acting in an environment where the permitted level of tolerance is unclear, may take too much or too little risk in seeking to achieve objectives, either of which may result in unwelcome surprises for the board. Helping the board to define the top risk events facing the organisation, and the extent of their tolerance for them, enables it to give clear direction to management about how much risk may be taken to achieve the organisation's strategy and also to provide information to other stakeholders, on the level of risk that will be taken to deliver returns to them. This provides the starting point for the development of strategy and of an operational business plan to implement it, by aligning activity throughout the organisation to the common goal of achieving strategic objectives. While defining risk appetite for different types of risk with a common metric, such as economic capital, may be both desirable and possible for larger organisations, an inability to do this should not deter an organisation from setting an appetite for its principal risks in a less sophisticated manner.

Strong governance is crucial to an effective risk management framework, and, in my experience, a triple line of defence structure provides it.

n The board and top line management are responsible for strategy, performance and risk management.

n Review of policy, performance and strategy is the responsibility of risk management and compliance and board committees in the second line.

n Internal audit are responsible to the audit committee for independent assurance in the third line.

“It is crucial to consult both executive and non-exxecutive directors to understand their expectations

If this split of responsibilities is well communicated and maintained, and authority to take risk is clearly delegated and controlled, the effectiveness of the risk management process should be continuously monitored and challenged.

Identifying the principal risks that an organisation faces effectively is fundamentally important to the successful implementation of strategy, but the risks are correspondingly high too. Embarking on an organisation-wide risk identification exercise without first establishing a common risk language and carefully planning the establishment of a risk register, will at best be inefficient and costly and, at worst, may even convince busy staff that risk management is a bureaucratic task that they have not got time to deal with.

Before seeking to identify risk across the organisation, it is crucial to decide how to capture the information required. Unless an organisation's business is software development, consideration should be given to buying one of the many relatively cheap off-the-shelf software packages, rather than developing in-house or relying on spreadsheets. Having done this, a decision then needs to be made as to what information should be captured for each risk event – a good off the shelf package will provide a template to choose from – and clear definitions need to be established for each component of information.

It is advisable not to make the risk register too large initially – setting a high threshold at which risk events should be captured should ensure that all material risks are identified and addressed, while reducing the danger of failing to see the wood for the trees. These risks can also be taken to the board to review to make sure that there is no disconnect between its top-down and management's bottom-up assessment of risks. Even if this approach is not pursued, it is still sensible to establish a minimum threshold below which risks should not be identified, because otherwise there is a danger of recording risk events that it is simply not cost effective to consider. The temptation to make the risk assessment process itself too complex to start with should be resisted. It is better to be approximately right than precisely wrong. Increased quantification can be developed over time.

Recording current controls in the risk register, and management's and internal audit's assessment of the effectiveness of them, is recommended because management focus is generally on residual (or current) risk, and if current controls are not effective there is a danger that false comfort may be derived. Last but not least, it is important to decide how risks should be categorised. Failure to do so at the initial data collection stage will result in an amorphous mass of risk events that are hard to analyse and report, will damage the credibility of the risk management function, and may lead to risk management and business management becoming parallel rather than integrated processes.

When compiling a risk register it is absolutely crucial not to lose sight of the fact that the reason why the organisation is seeking to identify and assess risk events is because of their potential to have a positive or negative impact on the achievement of its objectives. Therefore, the true measure of the value of a risk register is the ease with which data can be drawn from it to inform decision making. For this reason it is vital that risk event information is presented in a way that meets the need of both risk owners and of the board, where ultimate responsibility for risk management lies. While it may therefore seem obvious to suggest that risk owners and the board should be asked what information they want from the risk register, in my experience this does not always happen.

For risk management to be fully effective it needs to be embedded in an organisation's processes, and all staff need to take responsibility for identifying and managing the risk events which may affect the activities for which they are responsible. A commercial organisation that does not have risk management built into primary value chain processes will not prosper. However, building risk management into processes is not enough on its own. People throughout the organisation need the motivation and the capability to manage risk, and require support. Clear communication of why risk management is crucial to the success of the organisation is a pre-requisite for developing a risk aware culture but is unlikely to be sufficient on its own.

Training on risk management (online and face to face) should be provided at all levels of the organisation, including the board. Motivation to manage risk well should be encouraged through the use of performance management objectives and incentives that take account of good risk management.

Evidence of effectiveness

There are those who believe that a risk management framework can only be truly effective if it is highly quantified, with risk management and capital management truly integrated. However, for the majority of organisations, my measure of effectiveness would be a framework that meets the needs of risk owners, the board and external stakeholders alike by facilitating the effective identification and management of all of the material opportunities and threats that an organisation faces.