Risk Governance

Completion of the assessment and development of risk mitigation strategies help the organization understand their risks and what it can do to bring these risks within the levels of its risk tolerance and appetite. The elements that ensure that these risks stay within the permissible levels are risk governance and system controls. *Controls are what help keep the system in equilibrium or prompt a reaction where things begin to deviate from ‘normal’. Governance provides oversight to ensure that the risk management system is operating properly and that risks are being identified, elevated and managed at the appropriate levels.* ...

August 23, 2017 · 10 min

A Framework for a Risk Management System

Effective risk management requires a series of behaviors and attitudes to exist within an organization that make risk considerations prominent in day-to-day operations. This mindset alone will go a long way to making an organization more risk-led but a functioning risk management system is also required to develop, support and guide that mindset. The specific system adopted by an organization will be influenced by a number of factors: the industry may have a series of regulatory requirements; the country in which it is headquartered will have applicable laws to follow; there will be cultural aspects which will differ from organization to organization; and individual sectors and industries have preferred approaches to risk management. That makes it difficult to prescribe what a risk management system will look like and even a review of the existing standards and common references can still leave the reader without a clear template to follow. ...

August 17, 2017 · 12 min

Integrating a Risk Management System into Your Organization

*Integrating a risk management system into your department or organization will be a major endeavor and while there are significant benefits to making this change, the degree of effort required should not be underestimated. Moreover, the overall workload of the organization and other major initiatives that might also be underway are major considerations when planning ERM implementation. This article will refer to ERM systems but the same principles will apply if the implementation is for a less expansive risk management system. Importantly, as a supporting function and not an operational activity, risk management must be shaped to fit the organization. It should not try to shape the organization to fit it. Implementing a risk management system requires thorough planning, a careful combination of change and project management and a high degree of cultural sensitivity.* ...

August 16, 2017 · 16 min

WDYMB…Address Risks?

Once an organization’s risks are understood, it is important that appropriate action is taken to address these risks to ensure that the organization’s objectives are protected or enhanced. Some risks are severe enough to require immediate action. Others can be dealt with in the short term, whereas some risks require longer-term attention over months or even years. This essay explores the key ideas and terms associated with addressing risks and outlines the steps to take to ensure that the appropriate action is taken once a risk is identified, concentrating on five main options: avoid, tolerate, treat, transfer and terminate. ...

April 28, 2017 · 21 min

WDYMB…Risk Perception and Risk Communication?

Complicated, subtle factors affect how we perceive risk and these can be exacerbated by the way we receive risk information. We refer to the ways we think about and react to risks as risk perception, and the processes for discussing risk as risk communication. Even when people are in the same or very similar situations, they may perceive the risks very differently. Similarly, different people listening to the same risk information will react to it differently depending on several factors that affect their perspective. The overall result of this is “the general frustration experienced by both risk managers and affected parties in conveying and understanding risk information”.[i] ...

April 3, 2017 · 23 min

Risk Assessments Grading and Metrics

When we are conducting a risk assessment, we need a way to assess, grade and order risks to allow us to use this information for decision-making and to prioritize our actions. This article outlines some basic techniques that can be used for risk assessment grading and metrics. These basic examples lay the foundation for more complex sets of metrics that can be adapted for your organization and the specifics of the assessment. An example of the metrics used in the r = tvi construct and the risk calculation tool are included, along with links to online tools that you can copy and use in your own assessments. ...

March 24, 2017 · 6 min

How to Conduct a Risk Assessment

*The risk assessment lies at the core of risk management. Without a clear understanding of the risks faced, none of the other risk management activities can be undertaken. This means that the organization will remain reactive instead of being able to take proactive steps informed by risk-based decision making. However, risk assessments have the potential to become hugely complex, sometimes becoming the only risk management activity that is undertaken, as organizations become exhausted by the assessment process and don’t conduct any of the follow-up activities. Detailed here is a four-phase risk assessment process that can be used for most non-technical assessments.* ...

March 18, 2017 · 27 min

A Foundation for Risk Management

In the simplest of terms, risk management helps you function in the real world. Organizations are under constant assault from both anticipated and unanticipated events which threaten to derail their plans. Risk management is what helps them understand, prepare for and react to these events. The largest firms will spend thousands of hours and billions of dollars on risk and compliance annually and there are dozens of different standards or methodologies to help guide the risk manager. But what do you do if you are a small organization and there is no money for training or consulting? Or if risk management is the second or third responsibility on your job description – the one you never quite get around to? ...

March 10, 2017 · 5 min

WDYMB…Understanding?

*Understanding is not the same as having information – it is the process of putting that information into context to work out what it means in a particular situation. We conduct a similar process on a larger scale during the ‘understand’ stage of the risk management process. During this time, we build on our knowledge of an organization to understand the risks it faces.* The term ‘understand’ is both an activity and a stage in our risk management process. As an activity, understanding means relating that information to a situation. Chess is often used as an illustration because I may know the names of the pieces on a chess board and what they can do, but I could still not understand chess. How the pieces interact, the set moves, strategies and how to apply these are all necessary to understand the game. Understanding can be achieved by asking the questions ‘why?’ or ‘so what?’ until you run out of questions. ...

March 3, 2017 · 7 min

What is Risk?

Risk and risk discussions are often hampered by inconsistent terminology and a high degree of subjectivity. To overcome this, we need to understand what we mean when we ask ‘what is risk?’. This article lays out a concept for risk using the ISO definition – the effect of uncertainty on objectives. It breaks individual risks into their three main components: threat, vulnerability and impact for downside risks or opportunity, and exposure and impact for upside risks. These concepts form the basis for all subsequent risk discussions and lay the groundwork for a risk assessment methodology. ...

February 24, 2017 · 11 min