Tuesday, 8 March 2016

Organizational Governance and Risk Management

Risk management, as a structured approach to addressing the full range of risks faced by an organization, has developed considerably over the last 30 years.
Operational and strategic plans may fail because events occur or conditions arise for which the organization was unprepared. Similarly, losses may arise if resources are irreversibly committed to one opportunity when a better opportunity presents itself. Risk management processes aim to help management by identifying and analyzing potential threats, vulnerabilities, and opportunities; agreeing on effective strategies; and providing regular updates to confirm risks are being managed effectively.
There are many highly sophisticated tools, models, frameworks, and resources that organizations can adopt. However, since risk management exists to serve the needs of the organization, it is very important that the approach used is tailored to particular requirements based on its goals, culture, internal and external environments, and overall risk maturity. Therefore, any assessment of risk management processes—the first stage in providing risk management assurance—must consider how well those processes support organizational aims.

Assess risk management processes in the context of alignment with strategic imperatives
The principal purpose of risk management is to help an organization achieve its strategic objectives. It does so by assisting management in:
•   Identifying and assessing the sources and nature of uncertainties that may impact positively or negatively on organizational objectives.
•   Determining how much risk stakeholders are prepared to tolerate.
•   Establishing and maintaining appropriate responses, including controls, to keep risk at a tolerable level.

Any assessment of whether risk management processes are effective must include the extent to which those processes are aligned with organizational objectives.

Objectives of risk management processes
The purpose of risk management and its processes is not always to eliminate or even minimize risk. Instead, the primary aim is to understand risk so that management can make informed decisions. Risk is unavoidable and, to an important extent, desirable. The key processes relate to reviewing strategic objectives, and then risk identification, risk analysis, risk response, monitoring, reporting, and review.

Risk culture
Risk culture refers to the overall attitude and approach an organization takes toward risk. Organizations may be described as being more or less risk mature. As the risk culture becomes more mature, greater importance is attached to understanding risk and considering it in planning and decision-making throughout the organization.

Risk capacity, appetite, and tolerance of the organization
Risk capacity refers to how much risk an organization is able to take with respect to its resources and capabilities. Risk appetite is a measure of how much risk an organization is prepared to take, from being risk averse to tolerating higher levels of risk (temporarily or on a long-term basis) in exchange for potential benefits.

Assess the processes related to the elements of the internal environment in which organizations seek to manage risks and achieve objectives
Risk management processes are set in a framework that must be understood and developed in the context of the organization’s internal environment. The approach and implementation of risk management should be sympathetic to and mesh with the organization’s resources and capabilities, and serve to reveal and manage the risks that exist in the internal environment.

Integrity, ethical values, and other soft controls
Unethical behavior has the potential to create significant reputational and financial risks, while acting with integrity may generate positive opportunities. Organizations need to address business ethics with leadership from the highest levels. Risk management processes themselves must be delivered with integrity and support the organization’s resolve for compliance with its codes for professional conduct and ethical behavior.

Role, authority, responsibility, etc., for risk management
Organizations function effectively when there is a clear division of labor with well-defined roles and lines of authority that usually flow down the various structural tiers. Risk management equally requires an appropriate structure together with the necessary resources and channels of communication. From such arrangements, it gains its authority.

The three lines of defense model makes a sharp distinction among the roles of:
  • Operational management.
  • Risk management oversight.
  • Internal auditing (independent and objective assurance on the effectiveness of internal controls and risk management).
In addition, as primary stakeholders, senior management and the board have a critical role to play in ensuring that these three lines of defense are in place and working.

Management’s philosophy and operating style
The organization has a way of doing things that forms a large part of its culture. The “tone at the top” should drive that culture and be reflected by the approach management takes and the style that is adopted across all operational areas.

Organizational culture makes a significant impact on the risk culture
Risk management processes must consider the attitude and style of management generally, and aim to be consistent with the prevailing philosophy while moving the organization toward greater risk maturity.

Legal/organizational structure
The structure of an organization is determined by the way it distributes its responsibilities and resources and the manner in which the various divisions interact. 
  1. Strategic goals, internal capabilities, and its response to the external environment are all determining factors of the structure. As these may change over time, it is sometimes necessary to alter the structure, whether organically or through a more substantial readjustment.
  2. Risk management processes should recognize the risks and benefits of different organizational structures as well as the current configuration.
  3. In addition to structure, organizations may use one of a number of legal forms that are available to reflect the needs of the organization in terms of its size, ownership, control, sources of capital, liability for losses, stakeholder interests, and reporting requirements.

Documentation of governance-related decision-making
Corporate governance arrangements exist to ensure that the interests of the stakeholders—especially those of the agent (management) and the principal (owner)—remain in balance with transparency and accountability. 
  • Documentation is used in support of decision-making and as an audit trail that can be accessed and referenced to ensure openness. 
  • The board (or equivalent) and its subcommittees collectively form the principal mechanisms for oversight and governance. In addition, other external functions may contribute to this process. 
  • Risk management plays a major role in corporate governance.

Capabilities of people and other resources (i.e., capital, time, processes, systems, and technologies)
An organization adds value by taking various inputs and transforming them in some fashion. The extent to which this is possible depends upon the capabilities represented by the staff, equipment, systems, processes, etc. An organizational advantage is gained by meeting customer demands or service-user expectations better than the competition. Each of these capabilities should be evaluated in order to identify risks and opportunities.

Management of third-party business relationships
Organizations can extend their capabilities significantly by engaging with third parties to pursue goals of common interest and the mutual benefits of shared resources. Such relationships carry both risk and opportunity. Risk management processes should extend to cover such relationships and consider the internal arrangements for managing risks by those third parties.

Needs and expectations of key internal stakeholders
The key internal stakeholders are staff, managers, and the owners of the organization. They have significant stakes (or interests) that must be taken into account when considering any new initiative or strategy. Stakeholders contribute greatly to the success or failure of an enterprise. At times, the interests of different groups may be in competition. Therefore, management of stakeholder interests needs to be an integral part of strategic and operational planning.

Internal policies
To ensure consistent operational activity in a way that serves to deliver strategic objectives, it is necessary to set organizational policies. These provide the rationale and guidelines for procedures and are likely to form part of internal controls. Their operation should be considered by risk management processes to determine whether they are working and having the desired effect.

Assess the processes related to the elements of the external environment in which organizations seek to manage risks and achieve objectives
Organizations operate in an external environment in which multiple influences are a continual source of changeable threats and opportunities. Risk management processes should protect the organization from surprises by monitoring the external environment for signs of change to be exploited, resisted, or endured.

Key external factors (drivers and trends) that may impact the objectives of the organization
External factors are often analyzed under the headings of political, environmental, social, technological, economic, and legal (PESTEL). This provides a convenient framework in which to identify risks and opportunities that may have an impact on organizational objectives. It is important to understand the forces that drive change in the external environment and identify the underlying trends.

Needs and expectations of key external stakeholders (e.g., involved, interested, influenced)
There are many external stakeholders (including customers, suppliers, investors, banks, the government, regulators, local communities, and the public at large) who can be powerful allies or strong adversaries to organizational efforts. Identifying them and anticipating their reactions are part of the process of determining risk and enabling management to establish suitable strategies for stakeholder engagement.
Risk management is a part of organizational governance, providing stakeholders with clear information about risks and opportunities. In fostering a better understanding and appreciation of risk (both positive and negative), risk management is able to raise the level of risk maturity and contribute to the greater success of the organization.
Risk management processes are not only required to provide management with insights into the riskiness of the organization’s internal environment, they are also very much part of that same environment, intrinsically linked to the ethical values, culture, structural arrangements, policies and procedures, and capabilities that operate in the organization. The real strength of an embedded, enterprise-wide approach is that risk management processes are working consistently along with routine activities to shine a spotlight on uncertainties that are always present and to help the organization understand them.
As an organization can only be understood in its environmental context, risk management can only truly enable an organization to understand itself by providing a view on current and emerging risks. There are key drivers in play that create an endlessly changing set of conditions.
By analyzing the underlying causes and likely trajectory of these changes, risk management processes are able to help the organization prepare its responses. It has been said that forewarned is forearmed.
By eliminating surprises, organizations are better able to resist, endure, and exploit the threats and opportunities that come along.