I have often been asked to provide insight into the management of shared risks, particularly by those working in Commonwealth Government Departments.
Element 7 of the Commonwealth Risk Management Policy states that: each entity must implement arrangements to understand and contribute to the management of shared risks. It goes onto to define shared risks as: those risks extending beyond a single entity which require shared oversight and management. Accountability and responsibility for the management of shared risks must include any risks that extend across entities and may involve other sectors, community, industry or other jurisdictions.
That might sound simple enough – but is it?
The answer to that question lies in my view that in organisations of today there is no such thing as a risk that isn’t a shared risk. There would be very few organisations where the ownership of the risk, the ownership of the controls and those affected by the consequences would reside in one functional area.
To that end, the way I manage shared risks (i.e. – every risk), is shown in the process below:
Each of these steps is described below.
The Methodology
Step 1 – identify the risk
Identify the event/incident that, if it occurs, will have an impact on the objectives of the organisation
Step 2 – identify the causes
Identify the potential causes of the identified risks. Identifying the causes is one of the most critical steps in any risk identification. If you don’t identify the causes, then how can you ever hope to identify the controls needed to stop it happening?
Step 3 – identify the controls aligned to each of the causes
Identifying the controls directly linked to the causes will highlight where there may be control gaps that need to be filled. It may also highlight opportunities to reduce the number of controls in circumstances when the controls may not be contributing to the management of that (or any other) risk.
Step 4 – identify owners for each of the controls
It is critical to identify the owners of the controls. Without ownership, no-one will have responsibility for maintaining the currency of the control, ensuring its effective implementation, and/or the measurement of effectiveness.
These owners will become part of the stakeholder group for the management of the risk.
Step 5 – detail the consequences should the risk eventuate (including who will be affected)
Understanding the breadth of consequences will provide an understanding of, not only the impact of the risk, but also the stakeholders inside and outside of the organisation that will be affected.
Step 6 – identify the controls aligned to each of the consequences
Identifying the controls linked to the consequences will, once again, highlight where there may be control gaps that need to be filled. It will also highlight other stakeholders that will be responsible/relevant in the response to an incident should the risk eventuate.
Step 7 – identify owners for each of the controls
These owners will become part of the stakeholder group for the management of the risk.
Step 8 – identify other stakeholders
During this step, we identify:
- Organisations or functions that provide:
- Decision making;
- Funding;
- Services related to the risk (including outsourced providers);
- Policy (including regulators).
Organisations/groups that will be impacted, directly or indirectly by the consequences should the risk occur but who do not fit into the categories above. These are secondary stakeholders.
Step 9 – based on the owners identified in steps 4, 5, 7 and 8 – develop a stakeholder map
The stakeholder map is a visual representation of the stakeholders identified through previous steps. They will be stakeholders that will be responsible for trying to prevent the risk, detect any instances of the risk, those that implement corrective controls after the event if it occurs, and those affected by the consequences (secondary stakeholders).
Step 10 – assign ownership to the risk
Once the stakeholder group has been identified, ownership can now be assigned. This can be difficult in some circumstances as the majority of the controls associated with the risk may not sit in the area responsible for the outcomes.
The level of ownership of the risk within the organisation is also a key consideration. My rule of thumb regarding this is that the ownership of the risk must be at or above the ownership of the highest-level control. My rationale for this lies in the fact that, in order to be able to assure that a risk is being managed effectively, the risk owner needs to gain assurance from the control owners as to the effectiveness of the control. A risk owner at a lower level of the organisation will not necessarily have the authority to request assurance from a control owner at a higher level of the organisation and, as such, it becomes impossible to gain a full understanding of the risk and its likelihood.
Step 11 – remainder of process (assign likelihood, consequence, determine risk level, evaluate, treat .etc.).
We will not go through the full process beyond the assigning of ownership, however, before that can be done, all of the steps we have listed above need to be completed.
Example
So, let’s go through this step by step for a risk that is common to many organisations.
Step 1 – identify the risk
The risk we will use for this example is:
Unauthorised access to, release of or misuse of confidential information
Step 2 – identify the causes
In this case, there are a number of causes that may lead to this risk occurring:
Step 3 – identify the controls aligned to each of the causes
We can then identify controls for the identified causes:
Step 4 – identify owners for each of the controls
We then identify the owners for each of these controls:
Step 5 – detail the consequences should the risk eventuate (including who will be affected)
The consequences in this case are as follows:
- Negative impact on reputation;
- Potential legal action;
- Potential interest from the regulator.
Step 6 – identify the controls aligned to each of the consequences
Step 7 – identify owners for each of the controls
In this case the owners are as follows:
Step 8 – identify other stakeholders
In this case, there are a range of other stakeholders that have ‘skin In the game’ that may not own the controls previously listed but fall into the categories previously outlined.
- Organisations or functions that provide decision making; funding; services related to the risk (including outsourced providers); and policy (including regulators).
- Secretary;
- Head Corporate Services (owns IT, procurement and security functions);
- IT contractor;
- Classified waste contractor;
- Procurement Manager; and
- Contract Manager.
- Organisations/groups that will be impacted, directly or indirectly by the consequences should the risk occur but who do not fit into the categories above. These are secondary stakeholders.
- Clients/companies that have had their data released
Step 9 – based on the owners identified in steps 4, 5 and 7 – develop a stakeholder map
Based on the analysis to date, the following is the stakeholder map for this risk:
Step 10 – assign ownership to the risk
In this case, based on the level of the controls, the most appropriate person to be the owner of this risk is the Head Corporate Services.
Conclusion
The simple facts that organisations need to recognise are:
- All risks within the organisation are shared risks; and
- Ownership of those risks needs to rest at or above the level of the person who owns the highest-level control.
We have only looked at a risk internal to an organisation where all the controls are owned within that organisation. Consider the complexity of managing risks where there are controls that are owned by other organisations. To illustrate, here is the stakeholder map for the risk of a collision of two trains:
If the stakeholders are not understood, and the process shown in this blog is not undertaken – an organisation can never hope to effectively manage their (shared) risks.
COPYRIGHT © PALADIN RISK MANAGEMENT SERVICES 2017
Bio:
Rod is an accomplished risk consultant with extensive experience in the delivery of professional consultancy services to Government, corporate and not-for-profit sectors.
Rod’s Risk Management expertise is highly sought after as is the insight he provides in his risk management training and workshop facilitation.
Rod has been recognised by the Risk Management Institution of Australia, as the 2016 Risk Consultant of the Year and one of the first five Certified ChiefRisk Officers in Australasia
To let Paladin Risk Management Services help you to secure your organisation’s future, contact us now. Fill in this form or contact Rod on (+61) 400 666 142 or rod@paladinrisk.com.au