Effective risk management is identifying, assessing and managing potential risk – both negative (a threat) and positive (an opportunity).
Various sources, including financial uncertainty, legal liabilities, management errors, accidents and natural disasters, can cause these risks. As a result, successful organisations ensure the implementation of effective risk management processes for identifying and managing risk.
Risk Management Standards
What Is the Purpose of Risk Management Standards?
Risk Management Standards provide a strategic framework to facilitate identifying, controlling and mitigating risks to help organisations reach their stated aspirations and goals. These standards promote best-practice approaches to risk management.
Industry and government bodies provide regulatory compliance rules that scrutinise the risk management plan, policies and procedures. In many cases, boards of directors or trustees must review and report on the adequacy of the organisation’s risk management process.
What Are the Primary Risk Management Standards?
ISO 31000 and the COSO ERM framework are the two most popular risk management standards.
ISO 31000 is the international standard for Risk Management. It outlines principles, guidelines and a process for risk management that can be used in any organisation. The process consists of a continuous improvement cycle, covering activities such as identifying, analysing, evaluating, treating, monitoring, communicating, and reporting risks.
The COSO Enterprise Risk Management Framework is a comprehensive principle and tool for managing organisational risk. It includes five components: internal environment, objective setting, event identification, risk assessment, risk response, and control activities. The framework is designed to help organisations identify their risks, assess and prioritise them, and develop strategies to address them. The COSO framework is widely accepted as a standard across many industries.
Organisations, including the ISO, have developed risk management standards. These standards help organisations identify risks, assess risks, identify ways to manage risks and implement risk control and mitigation efforts according to the organisational strategy.
ISO 31000, for example, “provides principles, framework and a process for managing risk. It can be used by any organisation regardless of its size, activity or sector.” and is designed to “increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment.”
The Institute of Risk Management states that the ISO 31000 guidelines provide a statement of risk management principles. The eight principles are:
- Framework and processes should be customised and proportionate.
- Appropriate and timely involvement of stakeholders is necessary.
- A structured and comprehensive approach is required.
- Risk management is an integral part of all organisational activities.
- Risk management anticipates, detects, acknowledges and responds to changes.
- Risk management explicitly considers any limitations of available information.
- Human and cultural factors influence all aspects of risk management.
- Risk management continually improved through learning and experience.
ISO standards and others, such as the IRM guidelines, help organisations implement risk management best practices. These standards aim to manage risk by establishing a common risk management framework and process.
Risk Management Planning
A risk management plan follows the same steps:
Risk Identification
The organisation identifies and defines potential risk types (threats and opportunities) that may negatively or positively influence an operation, project or process.
Risk Analysis
Following risk identification, the organisation should determine the likelihood of it occurring and its impact. The objective of the analysis is to understand each specific instance of identified risk and how it could influence the organisation’s strategic and tactical goals.
Risk Assessment and Evaluation
The risks are then further evaluated after determining the overall likelihood of occurrence and its impact. The organisation can then decide whether the risk is acceptable and, based on its risk appetite, whether it is willing to take it.
Risk Control and Mitigation
During this step, an organisation assesses the risks and develops a plan to manage them using specific risk actions. These plans include risk control and mitigation measures, processes and contingency plans if the risk comes to fruition.
Risk Monitoring
The risk control and mitigation plan must include following up on the risks (and emerging risks) and a plan to continuously monitor and track new and existing risks through a risk register and matrix. The overall risk management process should also be reviewed, and an internal audit (arranged by the audit committee) should be conducted and updated accordingly. Corporate governance should consider creating an annual report.
Risk Management Strategies
After the organisation’s risks are identified and implementation of the risk management planning process, there are several different strategies companies can take regarding different types of risk:
Avoid Risk
While eliminating all risk is rare, risk avoidance attempts to avoid as many risk threats as possible; this prevents the costly and disruptive consequences of a damaging event.
Accept Risk
Sometimes, organisations decide a risk is worth it from a business operations standpoint, accept and retain it, and deal with any potential fallout. Organisations will often maintain a certain level of risk if the anticipated return is higher than the costs of its inherent risk.
Reduce Risk
Organisations can sometimes reduce the amount of effect certain risks can have on a process. Risk reduction can be achieved by adjusting certain aspects of an organisation’s plan or strategy or reducing or changing its scope.
Transfer Risk
Sometimes, the consequences of risk are transferred or distributed among several organisations, including third parties such as suppliers or business partners, or internally with other departments.