Organisations and their employees takerisks and also managerisksevery day. Of course, it is a part of the business and the service delivery operations. However, often, the management of risks is confined to the treatment of risk symptoms.
The failure to manage risks at the sources and to control unavoidable risks effectively,has led to the recurrence of same risks. Apparently, risk managementunits in many organisations have become elite silos full of white collar professionals who are eager to produce volumes of statistical reports to the senior management irrespective of failure to arrest regeneration of same risks over and over again.
Risk management refers to the architecture created within an organisation incorporating principles, framework and processes on risks. Managing of risks means the application of this architecture to particular risks.
The author has not worked in the Sri Lankan private business sector. However, as a keen observer and as an engineerwho has a professional interest on organisational management, the author is not so convinced that the private sector risk management practices are as comprehensive as should be.No doubt, there may be a few exceptions.Besides, the author has no hesitation to declare that in the Sri Lankan central government, the semi-government and in the local government organisations, the formal risk management is virtually of non-existence. Otherwise, ubiquitous failures of public sector projects, programs and initiatives could not have been witnessed.
Hence, the author has a professional obligation to comment on the proper application of risk management principles and to express his opinions on good faith, based on his practical experience on the risk management field.
The Australians led the risk management field internationally and they produced the standards on Risk Management, AS/NZS 4360, in 1999 and revised it further in 2004. The International Organisation of Standards (ISO) established a working group to develop an international standard on risk management and used the innovative AS/NZS 4360-2004 as the base document. The aim was to expand AS/ANZ 4360 for universal application, encompassing all industry environments.
In 2009, Australian/New Zealand Standard ISO 31000:2009 –Riskmanagement – Principles and guidelines was released. The risk management process described in ISO 31000 was identical to that of AS/NZS 4360. However, ISO 31000 addressed the whole management system that supported the design, implementation, maintenance and improvement of risk management processes.
The scope of this article is to explain the basic features of ISO 31000 and how it can be applied in Sri Lankan private and government organisations to manage risks.
Understanding the terminology
Historically, the word “Risk” had a negative connotation. It was commonly known as‘the probability of losses’. This definition was changed later.
In ISO 31000, the risk is defined as the “effect of uncertainty on objectives”. This means that the ‘Risk” is no longer a negative only concept. The “effect” can either be a positive or a negative. The change of definition has created confusion among the professionals who apply ISO 31000 and the confusion still remains as the risk is and will always be a negative concept for the majority of the public.
This new definition shifts the emphasis from the event itself to the effect of the event.
As an example, if an organisation runs out the annual budget allocation within nine months, the risk is not the event of running out the budget, but how that event impacts on achieving annual and long term objectives of the organisation. This event may create a positive risk, if found, that all annual organisational objectives have already been achieved. Then, this risk would create an opportunity to achieve additional organisational objectives by reallocating funds from lesser important programs. Hence, until a proper analysis is done, risk must not be categorised as a negative only effect.
Risk is implicit in all decisions. While risks are the facts of life, the aim of managing risks should be, to modify risk levels to manageable and acceptable levels, thereafter to get on with the life or the business.
Risk management basis
Many organisations have risk management business units. However, as a process, Risk Management should not be a process assigned to a single business unit. It is a process that must be embedded into all organisational activities, conducted by all units. Executive management should actively support holistic approach on risk management. It embodies the organisation culture and it complements the organisation’s vision and objectives.
Everyone in an organisation has a role to play to make organisation’s risk management process, a success.
ISO 31000 helps administrators to understand the risk management principles, framework and processes. However, each organisation must develop an own risk management model to suit their business processes, in compliance with ISO 31000. ISO 31000 describes the relationship of the principles of risk management, the risk management framework, and the risk management process.
The risk management architecture is developed to ensure that the organisations achieve their corporate objectives effectively by managing identified risks. This is not about preparing a procedural document by the Risk Management Unit to claim mere “compliance”. To make this really work within the organisation, all management units should behave certain way, showing the responsibility and the accountability of the success and failures of all their activities and the units should make informed decisions on each and every activity they perform, focusing on risk management principles. Risk management is everyone’s business and it must be the culture of the organisation.
Every private and public sector business entities have organisational values. They can be tangible or intangible. Organisations thrive hard to protect and possibly enhance their values while performing the business. Risk management process supports this by successful implementation of projects and programs, preserving health and safety of workers, complying legal and regulatory requirements, ensuring environmental sustainability, encouraging responsible governance practices, enhancing reputation and promoting operational effectiveness and efficiency. Also, employees would have secure employment, if and only if the organisation is survived in the business world. On each day, the employees must walk out of the organisation safe to meet loved ones. Hence, safety is paramount for an organisation.
The quality of strategic and operational planning makes an organisation what it is, in the competitive business environment. Each and every strategic and operational planning activity contains risks and thereby risk management activities must be performed. If an organisation claims that it embodies efficient and effective strategic and operational management techniques, the risk management architecture described in ISO 31000 must be an integral part of the management system. This is done by subjecting all management decisions to the risk management compliance test. Thereby, this would eliminate hazards or reduce risk levels to acceptable levels.
Uncertainty is a real life situation. The challenge is to actively seek information from different sources on the recognised uncertainties and follow a systematic, structured and timely process to identify risks and then devise solutions to address negative risks and also be prepared to grab the advantages come along due to positive risks.
Different organisations makevaried responses to the same risks because each organisation’s risk appetite, approach and corporate objectives are different to others. This is why that one organisation cannot copy and paste a risk management plan developed by another organisation even ifthe selected company is from the same industry.
Risk management is a live activity and the organisations must be flexible to change the course of actions to suit dynamic situations. It says that all employees have to be on their toes always. Risk management is not just the generation of procedural and process documentation and claim that the organisation has a risk management system. It contains collective decision makings and practical applications involving people, behaviours and cultural factors. As the implementation of management practices are through people, the success depends on their understanding, genuine willingness to respond to the risk management needs and follow the agreed solutions and practices.
Risk management should always be in all employees’ minds as soon as they set foot to the business premises. Even the wrong body language in front of a customer could be a risk to the image of the organisation.
Many organisations thrive for obtaining and maintaining Quality Standards such as ISO 9001 accreditation. The ISO 9001 accreditation is a symbol of a quality organisation. Proper risk management is also a part of a quality organisation. Hence, the best practice risk management compliments the achieving and maintaining this quality accreditation status.
This is the setting up of an administrative management frame work to ensure success of risk management. This is creating an organisational-wide matrix structure, encompassing all strategic and operational management levels of business units with the holistic focus on“managing risks”. However, it can include establishment of a risk management leadership unit to monitor risk management activities, periodic reviewing of process documents and procedures and for reporting on organisation’s success on risk management targets.
Design of framework: Understanding organisation and its operating environment
The design of framework for managing risks starts by understanding the business processes of the organisation and its context. Understanding the business processes is easy. However, understanding organisation’s context is not a straight forward activity. The understanding of the context means here is that the understanding of the nature and objectives of all the stakeholders.
It is usually divided into external and internal context.
External context includes outside business environment (social, cultural, legal, political, financial, technological, economic etc.), key external drivers which influence the way of doing the business and the relationships and expectations of external stakeholders such as public, customers, promoters, distractors and competitors.
Risk management policy
A policy is a guiding principle that helps an organisation to take binding decisions. Risk management policy explains organisation’s rationale on managing risks. This policy should be in line with organisation’s other policies. Otherwise implementing risk management policy would disrupt implementation of other policies and the consequence would be the partial achievement of overall organisational objectives. In general, organisations draw attention to six risk areas; financial, people, reputation, business, environmental and compliance. This can be expanded depending on the nature of organisational activities.
The policy must give details on accountabilities and responsibilities of senior management to ensure implementation of the risk management policy through appropriate resources allocation. Also it must outline how risk management performance is measured and reported.
This policy, as of with any other policy, should have a sunset clause. The compulsory review and re-enactment of the policy is done on the sunset date.
Accountability, authority and reporting
Risk management framework must clearly identify who are within the organisation have the accountability, authority and responsibility to risk management and management of risks. This is done at two levels.
Higher level staff members are identified with accountability, authority and responsibility to develop, implement and maintenance of risk management framework.
The next level staff are identified for managing risks by developing solutions. They are usually the process and procedure owners within the organisation. The rest of the employees would implement the solutions.
Accountability on reporting on the degree of success of the implementation of risk management measures started from the operational levels and move upwards along the organisational structure reporting lines.
Integration into the core business processes
Senior management of the organisations often say ‘this is the way we do things around here”.
That is the culture of a particular organisation. Technically, the culture promotes achieving of strategic and operational objectives of the organisation. Risk management must be embedded into this culture. This is the alignment and integration of risk management with organisation’s governance process.
This is done by the organisation’s leadership group by settingcontinuous focus on at risk management issues, clear directions & strategies, decision making structures and resource allocations to build capability and capacity.
This integration must happen vertically through each hierarchical level of management layers and also horizontally in each division and groups at each management level, encompassing policies and operations.
Ultimately it would be a matrix of integration. One or more weak link of the matrix should not lead to the total collapse of risk management process, but the process checks should automatically detect these weak links, prompting discussion within the group involved in risk management process to strengthen the weak links.
Establishing internal and external communication and reporting
Decision on risk management issues are to be taken informed and timely manner. Hence, internal and external communication and reporting plans must be prepared and implemented. The internal plans come with details on clear roles and responsibilities of staff involved.
External communication and reporting is generally done by the senior management of the organisation to comply with legal, governance and regulatory requirements. Hence, external communication plans should include how feedback from external stakeholders are routed back into the internal communication system for necessary consideration.
Implementing risk management
Usually, risk management framework is implemented by appointing a risk management champion. This champion must have the competence, expertise and authority to implement it by driving risk management awareness, integration, communication and policy.
The risk management champion must directly report to the senior management, preferably to the chief executive officer during implementation stage. Gradually this role must be converted to on-going management and maintenance of risk management framework, but still reporting to the CEO, at least, quarterly basis. Upon the system set-up is completed with CEO’s approval, the next stage would be to transfer the champion’s management and maintenance roles to key staff members of the risk management integration matrix. Hence, staff would not no longer wait for the champion to make decisions on risk management.
Monitoring and reviewing
This is about the effectiveness of the set framework. However, the appearance of unmanaged risks and consequent undesirable impacts would be an indication of a flawed risk management framework. Hence, an independent committee who are not involved with managing risks must be appointed for the monitoring and reviewing and providing recommendations on necessary changes to the framework.
This is the response to the outcomes of monitoring and reviewing action plan. Executive management has the responsibility to provide resources to implement continuous improvement recommendations.
Risk management process
ISO 31000 provides well-structured process on managing risks which consists of seven steps. Originally, Australia and New Zealand jointly developed this process and the rest of the world adopted it. The steps are, establishment of the context, risk identification, risk analysis, risk evaluation, risk treatment, communication and consultation and monitoring and review.
Establishment of the context
This is the most innovative step of the risk management process. This is all about setting the boundaries on the scope and objectives. To do this, internal and external influences must be clearly identified and understood. Objectives of internal and external stakeholders can be different to each other. Risk management process must deal with risks relevant to all stakeholder objectives. Also, this process outlines what outcomes are acceptable and unacceptable for all. That means the risk appetite and risk tolerances are to be set at justifiable levels. Risk tolerances are acceptable variances from the risk appetite boundaries.
Key stakeholders must be involved when risk appetites and tolerances are determined to avoid conflicts among external and internal stakeholders on interpreting acceptable risks and risk levels.
As a part of the step of “establishing the context”, a risk matrix must be developed. This is done in two stages. The Simple Risk Matrix can be used at senior management level for initial risk screening purposes.
This must be followed by the using of a Detailed Risk Matrixdeveloped for each business unit. As depicted, it is always helpful to assign numerical values to descriptions to determine risk ratings. The contents in each cell of this table are to be debated and agreed by the senior and middle management of the organisation for the relevance, correctness and practicality.
The next three steps of the process; identification, analysis and evaluation can be combined as the risk assessment.It is reiterated that the definition of risk includes both positive and negative effects. The positive risks would be opportunities for organisations. If an organisation identifies those in time, the forward planning initiatives can make use those opportunities to enhance the capability and capacity of the organisation.
Risk identification is to answer the questions “what, how and when might happen?” This must be done in a systematic manner to ensure all possible risks are identified.
Risk analysis is to answer the question “what will happen to the organisation, in particular, to its objectives, due to these risks?” This is where the Risk Matrix would be useful. However, application of the matrix must be done by competent staff members because the level of risk is determined by the selection of the likelihood and the consequence. If wrong categories are selected, it leads to a wrong level of the risk. Hence, the selection of the likelihood and the consequence must be logical, based on proven evidences and historical data. The selection must be reviewed by an independent person before locked in.
Likelihood: The risk analyst must ask questions such as “Last few years, has any one encountered this kind of risk? Have any of our competitors experienced this, previously? “How often the present ground/business conditions would allow this to happen?” This kind of questioning would lead to an informed decision on likelihood. Still the best guess can go wrong but as long as a structured questioning and answering process is followed, the decision making is acceptable.
Consequence: Determination of the consequence is easier when the characteristics of the identified risk is adequately described and if the organisational objectives are clearly understood. However the dilemma would be the tendency of underestimation of consequence by the direct staff responsible for risk treatment and the over estimation of same by the rest of the staff involved in risk management process. This is why the independent verification of risk category selection would be a balanced approach.
The risk evaluation is the final step of risk assessment. The acceptable risk levels, tolerances, etc. described in Step I of the risk management process will be used for evaluation of identified risks. As far as possible, the risk evaluation is done quantitatively and the values are compared with the risk thresholds for the organisation. If the risk values are above the accepted risk thresholds, the corresponding risks must undergo“risk treatment”. Usually, risks are listed in a priority order for treatment purposes.
Risk treatment is about either modification of existing risk control mechanisms or introducing new controls. For negative risks, another term, “hazard” need to be introduced. Negative risks are identified from the harm caused to a person, property or a business objective from hazardous or undesirable situations. Hence, when treating negative risks, relevant hazards must be treated to control the risks. Treatment of hazards is hierarchical.
Treatment of hazards is done in the order; elimination, engineering controls and administrative controls. If practically possible, hazard elimination is the best action. Engineering control may lead to hazard isolation or substitution. This will only lower risks to acceptable levels.Administrative controls are applied only if all other treatments are not possible. When this action is taken, the hazard still remains there and only the human behaviour around the hazard is controlled. Hence, control and supervision measures should be at the best.Within the above hazard treatment hierarchy, risk treatments can be categorised broadly into seven options; preventative controls, corrective controls, directive controls, risk transfer, risk termination andresidual risk acceptance.
Monitoring and review
Anything planned and implemented can go wrong. The same philosophy is applied to risk management activities. Hence, the monitoring of the applied treatments is essential. Continually, corrective actions must be taken if the treatments actions do not deliver the intended outcomes.Sometimes,the complete review of risk management process in place may be required. That may lead to significant adjustments to the risk management framework.
Strategic and operational risk management documentation
Organisations should primarily develop two documents; enterprise risk management policy and procedure to guide risk management process and enterprise risk management form to record and analyse enterprise risks.When implementing enterprise risk management process, a number of operational documents are also produced.
A typical list of such documents include, WHS Policy, WHS Consultation Statement, WHS Management Plan, WHS Committee Constitution, Incident Management Procedure and Reporting Forms, Risk Assessment Form, Safe Work Method Statements, Standard Operating Procedures, Work Place Audit Forms, Hazardous Material Management Plans. It is noted here that in developed countries, the terms the Occupational Health and Safety and the Work Health and Safety (WHS) are used interchangeably.
Thoughts for the future
Risk management is a compulsory activity for any organisation. If this activity is not performed at the highest degree, the organisations would move forward with a false sense of security until they reach a gap between the actual performance parameters and the level of outcome delivery. This promptsthem either to turn back or to jump across the gap, only armed with emergency tactical plans, without any certainty of success. Onlystrategically unprofessional organisational leaderswould allow their organisations to drift into this kind of uncertainty.
(Eng. Janaka Seneviratne is a Chartered Engineer, a Fellow and an International Professional Engineer of the Institution of Engineers, Sri Lanka with 30 years of experience as a professional engineer. The author is contactable via email@example.com.)