RISK MANAGEMENT
MANAGEMENT AND PRODUCTIVITY
Bayu Nurwinanto
In general terms, “risk management” refers to the architecture (principles,
framework and process) for managing risks effectively, while “managing risk”
refers to applying that architecture to particular risks.
Figure: Relationships between the risk management principles, framework and process.
Clause 3 (Principles)
For risk management to be effective, an organization should at all
levels comply with the principles below.
a) Risk management creates and protects value
Risk management contributes to the demonstrable
achievement of objectives and improvement of performance in, for example, human
health and safety, security, legal and regulatory compliance, public
acceptance, environmental protection, product quality, project management,
efficiency in operations, governance and reputation.
b) Risk management is an integral part of all organizational processes
Risk management is not a stand-alone activity that is
separate from the main activities and processes of the organization. Risk
management is part of the responsibilities of management and an integral part
of all
organizational processes, including strategic planning and all project and
change management processes.
c) Risk management is part of decision making
Risk management helps decision makers make informed
choices, prioritize actions and distinguish among alternative courses of action.
d) Risk management explicitly addresses uncertainty
Risk management explicitly takes account of
uncertainty, the nature of that uncertainty, and how it can be addressed.
e) Risk management is systematic, structured and timely
A systematic, timely and structured approach to risk
management contributes to efficiency and to consistent, comparable and reliable
results.
f) Risk management is based on the best available information
The inputs to the process of managing risk are based
on information sources such as historical data, experience, stakeholder
feedback, observation, forecasts and expert judgement. However, decision makers
should inform themselves of, and should take into account, any limitations of
the data or modelling used or the possibility of divergence among experts.
g) Risk management is tailored
Risk management is aligned with the organization's
external and internal context and risk profile.
h) Risk management takes human and cultural factors into account
Risk management recognizes the capabilities,
perceptions and intentions of external and internal people that can facilitate
or hinder achievement of the organization's objectives.
i) Risk management is transparent and inclusive
Appropriate and timely involvement of stakeholders
and, in particular, decision makers at all levels of the organization, ensures that
risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly
represented and to have their views taken into account in determining risk criteria.
j) Risk management is dynamic, iterative and responsive to change
Risk management continually senses and responds to
change. As external and internal events occur, context and knowledge change,
monitoring and review of risks take place, new risks emerge, some change, and
others disappear.
k) Risk management facilitates continual improvement of the organization
Organizations should develop and implement strategies
to improve their risk management maturity alongside all other aspects of their
organization.
Clause 4 (Framework)
The success of risk management will depend on the
effectiveness of the management framework providing the foundations and
arrangements that will embed it throughout the organization at all levels. The
framework assists in managing risks effectively through the application of the
risk management process (see Clause 5) at varying levels and within specific
contexts of the organization. The framework ensures that information about risk
derived from the risk management process is adequately reported and used as a
basis for decision making and accountability at all relevant organizational
levels.
This framework is not intended to prescribe a
management system, but rather to assist the organization to integrate risk
management into its overall management system. Therefore, organizations should
adapt the components of the framework to their specific needs.
If an organization's existing management practices and
processes include components of risk management or if the organization has
already adopted a formal risk management process for particular types of risk
or situations, then these should be critically reviewed and assessed against
this International Standard, in order to determine their adequacy and effectiveness.
1) Mandate and commitment
The introduction of risk management and ensuring its
ongoing effectiveness require strong and sustained commitment by management of
the organization, as well as strategic and rigorous planning to achieve
commitment at all levels.
2) Design of framework for managing risk
- Understanding of the organization and its context.
- Establishing risk management policy.
- Accountability.
- Integration into organizational processes.
- Resources.
- Establishing internal communication and reporting mechanisms.
3) Implementing risk management
- Implementing the framework for managing risk.
- Implementing the risk management process.
4) Monitoring and review of the framework
In order to ensure that risk management is effective
and continues to support organizational performance.
5) Continual improvement of the framework.
Clause 5 (Process)
The risk management process should be:
- An integral part of management.
- Embedded in the culture and practices, and
- Tailored to the business processes of the organization.
1) Communication and consultation
Communication and consultation with external and
internal stakeholders should take place during all stages of the risk
management process. Therefore, plans for communication and consultation
should be developed at an early stage. These should address issues relating to
the risk itself, its causes, its consequences (if known), and the measures
being taken to treat it. Effective external and internal communication and
consultation should take place to ensure that those accountable for
implementing the risk management process and stakeholders understand the basis
on which decisions are made, and the reasons why particular actions are
required.
2) Establishing the context
By establishing the context, the organization
articulates its objectives, defines the external and internal parameters to be
taken into account when managing risk, and sets the scope and risk criteria for
the remaining process. While many of these parameters are similar to those
considered in the design of the risk management framework, when establishing
the context for the risk management process, they need to be considered in
greater detail and particularly how they relate to the scope of the particular
risk management process.
- Establishing the external context.
- Establishing the internal context.
- Establishing the context of the risk management process.
- Defining risk criteria.
3) Risk assessment
Risk assessment is the overall process of risk
identification, risk analysis and risk evaluation.
Risk identification
The organization should identify sources of risk,
areas of impacts, events (including changes in circumstances) and their causes
and their potential consequences. The aim of this step is to generate a
comprehensive list of risks based on those events that might create, enhance,
prevent, degrade, accelerate or delay the achievement of objectives. It is
important to identify the risks associated with not pursuing an opportunity.
Comprehensive identification is critical, because a risk that is not identified
at this stage will not be included in further analysis.
Risk analysis
Risk analysis involves developing an understanding of
the risk. Risk analysis provides an input to risk evaluation and to decisions
on whether risks need to be treated, and on the most appropriate risk treatment
strategies and methods. Risk analysis can also provide an input into making
decisions where choices must be made and the options involve different types
and levels of risk.
Risk evaluation
The purpose of risk evaluation is to assist in making
decisions, based on the outcomes of risk analysis, about which risks need
treatment and the priority for treatment implementation. Risk evaluation
involves comparing the level of risk found during the analysis process with
risk criteria established when the context was considered. Based on this
comparison, the need for treatment can be considered. Decisions should take account of the wider context of
the risk and include consideration of the tolerance of the risks borne by
parties other than the organization that benefits from the risk. Decisions
should be made in accordance with legal, regulatory and other requirements. In
some circumstances, the risk evaluation can lead to a decision to undertake
further analysis. The risk evaluation can also lead to a decision not to treat
the risk in any way other than maintaining existing controls. This decision
will be influenced by the organization's risk attitude and the risk criteria
that have been established.
4) Risk treatment
a) Selection of risk treatment options
Risk treatment involves selecting one or more options
for modifying risks, and implementing those options. Once implemented,
treatments provide or modify the controls.
Risk treatment involves a cyclical process of:
- Assessing a risk treatment.
- Deciding whether residual risk levels are tolerable.
- If not tolerable, generating a new risk treatment.
- Assessing the effectiveness of that treatment.
Selecting the most appropriate risk treatment option
involves balancing the costs and efforts of implementation against the benefits
derived, with regard to legal, regulatory, and other requirements such as
social responsibility and the protection of the natural environment. Decisions
should also take into account risks which can warrant risk treatment that is
not justifiable on economic grounds, e.g. severe (high negative consequence)
but rare (low likelihood) risks.
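The risk evaluation step above (comparing the level of risk with the risk criteria set during context establishment) and the cyclical treatment process (assess a treatment, decide whether the residual risk is tolerable, otherwise generate another treatment) can be made concrete with a small risk register. The following Python is an added illustration, not text or tooling from ISO 31000 or from the author of this page. Everything numeric in it is an assumption: the 1..5 likelihood and consequence scales, "level of risk" defined as likelihood multiplied by consequence, the tolerance threshold and severe-consequence rule used as risk criteria, the sample risks, and the treatment options with their expected reductions and costs. The severe-consequence rule implements the page's point that a severe but rare risk can warrant treatment even when that is not justifiable on expected-loss grounds alone.

```python
"""Worked risk register: evaluation against criteria and cyclical treatment.

Added example for this page. Scales, criteria, sample risks and treatment
options are constructed assumptions, not part of any standard.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed ordinal scale for both likelihood and consequence.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class RiskCriteria:
    """Risk criteria fixed when the context is established (assumed values)."""
    tolerable_level: int      # level at or below this needs no new treatment
    severe_consequence: int   # consequence at or above this is treated even if rare


@dataclass(frozen=True)
class Treatment:
    """A candidate treatment option and the reduction it is expected to achieve."""
    name: str
    likelihood_reduction: int
    consequence_reduction: int
    cost: int                 # relative implementation cost/effort (assumed units)


@dataclass
class Risk:
    name: str
    likelihood: int
    consequence: int
    applied: List[Treatment] = field(default_factory=list)

    def residual(self) -> Tuple[int, int]:
        """Residual likelihood and consequence after the treatments applied so far."""
        lk = self.likelihood - sum(t.likelihood_reduction for t in self.applied)
        cq = self.consequence - sum(t.consequence_reduction for t in self.applied)
        return max(SCALE_MIN, lk), max(SCALE_MIN, cq)

    def level(self) -> int:
        """Assumed definition of level of risk: residual likelihood x consequence."""
        lk, cq = self.residual()
        return lk * cq


def evaluate(risk: Risk, criteria: RiskCriteria) -> str:
    """Risk evaluation: compare the (residual) level of risk with the criteria.

    Returns 'treat' or 'maintain existing controls'. The severe-but-rare rule
    fires on consequence alone, so a high-impact, low-likelihood risk is still
    flagged for treatment even when its level is within tolerance.
    """
    _, cq = risk.residual()
    if cq >= criteria.severe_consequence:
        return "treat"
    if risk.level() <= criteria.tolerable_level:
        return "maintain existing controls"
    return "treat"


def treat(risk: Risk, options: List[Treatment], criteria: RiskCriteria) -> Risk:
    """Cyclical treatment: apply the cheapest untried option, re-assess the
    residual risk, and repeat until it is tolerable or no options remain."""
    remaining = sorted(options, key=lambda t: t.cost)
    while evaluate(risk, criteria) == "treat" and remaining:
        risk.applied.append(remaining.pop(0))
    return risk


def run_register(risks: List[Risk], options_by_risk: Dict[str, List[Treatment]],
                 criteria: RiskCriteria) -> Dict[str, dict]:
    """Evaluate every risk, treat those that need it, and summarise the outcome."""
    summary = {}
    for r in risks:
        if evaluate(r, criteria) == "treat":
            treat(r, options_by_risk.get(r.name, []), criteria)
        summary[r.name] = {
            "initial_level": r.likelihood * r.consequence,
            "residual_level": r.level(),
            "treatments": [t.name for t in r.applied],
            "final_decision": evaluate(r, criteria),
        }
    return summary


def sample_register() -> Dict[str, dict]:
    """Constructed sample data: three risks and their candidate treatments."""
    criteria = RiskCriteria(tolerable_level=6, severe_consequence=5)
    risks = [
        Risk("Phishing leads to credential theft", likelihood=4, consequence=3),
        Risk("Data centre flood", likelihood=1, consequence=5),   # severe but rare
        Risk("Printer outage", likelihood=3, consequence=1),
    ]
    options = {
        "Phishing leads to credential theft": [
            Treatment("Multi-factor authentication", 2, 0, cost=3),
            Treatment("Security awareness training", 1, 0, cost=1),
        ],
        "Data centre flood": [Treatment("Off-site backups", 0, 2, cost=4)],
    }
    return run_register(risks, options, criteria)


if __name__ == "__main__":
    for name, row in sample_register().items():
        print(f"{name}: {row}")
```

Running the block shows the three outcomes the text distinguishes: the phishing risk exceeds tolerance and is treated twice before its residual level falls within the criteria; the flood risk is within the tolerable level on likelihood-times-consequence alone but is treated because of the severe-consequence rule; the printer outage is left with existing controls. The "treatments" list for each risk is the record that the recording step later in the text asks for.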
b) Preparing and implementing risk treatment plans
The purpose of risk treatment plans is to document how
the chosen treatment options will be
implemented. The information provided in treatment plans should include:
- The reasons for selection of treatment options, including expected benefits to be gained.
- Those who are accountable for approving the plan and those responsible for implementing the plan.
- Proposed actions.
- Resource requirements including contingencies.
- Performance measures and constraints.
- Reporting and monitoring requirements; and
- Timing and schedule.
c) Monitoring and review
Both monitoring and review should be a planned part of
the risk management process and involve regular checking or surveillance. They
can be periodic or ad hoc.
d) Recording the risk management process
Risk management activities should be traceable. In the
risk management process, records provide the foundation for improvement in
methods and tools, as well as in the overall process.