#70 – BASICS: DEVELOP A RISK MANAGEMENT FRAMEWORK – ROD FARRAR

Rod Farrar

One of the key issues facing many organisations revolves around what a risk management framework looks like. ISO 31000 highlights the elements of a risk management framework as shown below:

  • Understanding the organisation and its context
  • Establishing risk management policy
  • Accountability
  • Integration into organisational processes
  • Resources
  • Establishing internal communication and reporting mechanisms

However, there are a number of elements that are not covered within the Standard. A more thorough framework jigsaw consists of the following elements:

SENIOR MANAGEMENT MANDATE: COMMITMENT AND LEADERSHIP
To ensure the ongoing effectiveness of a Risk Management Framework, it is critical that senior managers actively and visibly support, mandate and commit to the program during its development and implementation, and that this support does not diminish in any way as the Framework matures. Senior leaders must demonstrate leadership or the Framework will fail.

INTEGRATION WITH STRATEGIC AND BUSINESS PLANNING
A key requirement in all strategic and business planning is the integration of the risk management discipline with the planning process. For any organisation to be attuned to its environment, it needs to ensure that, once strategies are developed, the risks to achieving those strategies are identified, reviewed and, where possible, appropriate measures developed to minimise the likelihood of those risk events occurring and/or their consequences if they do occur.

ESTABLISHMENT OF ORGANIZATIONAL RISK CONTEXT
Establishing the organisational context involves developing risk criteria, impact areas and, most importantly, the risk appetite for the organisation.

The risk appetite is defined as the amount of risk an organisation is willing to take, given its capacity to bear risk and its philosophy on risk taking.

INTEGRATION WITH OTHER ORGANIZATIONAL PROGRAMS
To be truly integrated within the management systems in an organisation, the Risk Management Framework needs to be aligned with a range of other programs.

These include: compliance, internal audit, performance management, assurance, business continuity planning and disaster recovery planning.

When alignment is achieved, the performance of the organisation will improve exponentially.

RESPONSIBILITY, ACCOUNTABILITY AND AUTHORITY
The assignment of roles and responsibilities is a vital part of the effectiveness of any Risk Management Framework.

Personnel also need to have the authority to discharge these responsibilities.

The most important aspect of the Framework, however, is the assignment and acceptance of accountability for the ownership and acceptance of risk.

RISK DOCUMENTATION
Documenting the Risk Management Framework within an organisation is a vital enabler in ensuring its effectiveness.

When implementing the Risk Management Framework, it is essential that the Framework is effectively recorded and that what the organisation is going to do, why it is doing it and how it is doing it are clearly articulated.

RISK GOVERNANCE
For a Risk Management Framework to be effective there needs to be a well-defined risk governance structure.

The governance structure includes the risk management organisation (e.g. various risk committees) aimed at ensuring that the risk management program is effective.

TRAINING AND COMPETENCE
One of the most important requirements for the effective implementation of a Risk Management Framework will be the provision of training.

A ‘one size fits all’ approach to risk management training is inappropriate.

Training needs to be tailored to ensure that those with roles and responsibilities obtain the skills necessary for them to undertake those roles.

REPORTING
The reporting of risk and risk management issues will be an important aspect of ensuring that the Risk Management Framework contributes to the effectiveness of the organisation’s performance through risk-informed decision making.

Reports should only contain information that is going to be used for decision making and should not be “reporting for reporting’s sake”.

RESOURCING
It is important that the organisational commitment to the Risk Management Framework is supported by the resources necessary to ensure its effectiveness.

Resources include personnel to implement and maintain the Framework as well as the provision of training and the treatment of identified risks.

RISK COMMUNICATION AND RELATIONSHIP MANAGEMENT
Communication of risk matters and consultation, engagement and relationship management with the stakeholder community is essential to supporting sound risk management decisions.

A fundamental requirement for practising integrated risk management is the development of plans, processes and products through ongoing consultation and communication with the organisation’s stakeholders, both internal and external.

MONITOR, REVIEW, AND MEASUREMENT
One of the key principles of implementation and continuous improvement of a mature Risk Management Framework is the ability to continually monitor and review the framework for effectiveness and to measure performance.

It is for this reason that the processes and procedures to be implemented must contain an element of assessment and evaluation.

(C) Paladin.  Used with permission.

Bio:

Paladin Risk Management Services is the brainchild of Rod Farrar, who founded the company in 2007 as a result of his passion and skill for managing risk. Rod’s extensive experience in assisting organisations to mitigate and eliminate professional risks they may encounter is at the core of Paladin Risk Management Services.

The core service offering is risk management training workshops.

The Risk Management Diploma is a broad based program aimed at risk management and business continuity professionals or those aspiring to fill roles in these industries. After the four day course, attendants have six months to complete the assessment activities, at which point they will be awarded the Diploma.

The Paladin Risk Management Academy Advanced Diploma of Governance Risk and Compliance is fully accredited by the Australian Skills Quality Authority (ASQA). The four day course is the only offering in Australia which covers governance, risk, compliance and business resilience.

If you have any burning questions on risk management, Rod Farrar is always ready for a friendly chat.  Contact him at rod@paladinrisk.com.au or 0400 666 142.
