Effective risk management requires a series of behaviors and attitudes to exist within an organization that make risk considerations prominent in day-to-day operations. This mindset alone will go a long way to making an organization more risk-led but a functioning risk management system is also required to develop, support and guide that mindset.
The specific system adopted by an organization will be influenced by a number of factors: the industry may have a series of regulatory requirements; the country in which it is headquartered will have applicable laws to follow; there will be cultural aspects which will differ from organization to organization; and individual sectors and industries have preferred approaches to risk management. That makes it difficult to prescribe what a risk management system will look like and even a review of the existing standards and common references can still leave the reader without a clear template to follow.
This flexibility is vital if standards are to be applied to a wide range of organizations but the flip side is frustration when someone is looking for a template to follow. While this article won’t provide a hard and fast ‘perfect’ template for a risk management system, it does offer a basic framework that can be used as a start point when designing your risk management system, The risk manager can then review the appropriate regulations and standards for their sector and location and apply these where necessary.
Note that designing your risk management system is part of the overall implementation process. Read both this article and the integration guide before you begin the actual design process.
What do you mean by system?
I have adapted the New Oxford American Dictionary definition to define a system as ‘set of connected things or parts forming a complex whole which is designed to provide a service, business function or specific output’. For simplicity, I consider systems as composed of three main elements:
- People – the people who manage and conduct activities within the system
- Paperwork – the policies, procedures and guidelines explaining how the system operates
- Purchases – any equipment, software and tools required to support the system
Similar to a three-legged stool, each one of these elements must be present to make the system work although the emphasis on each ‘leg’ can change depending on the circumstances.
This is a simplified structure but it has always seemed to be an easy way to break down something complicated. Again, the overall objective of these materials is to simplify and demystify risk and risk management but if you have a more refined definition or structure, particularly anything that is in common use in your industry or organization, you should use that where appropriate.
A framework for a risk management system
Developing a risk management system may seem daunting but remember, keep it simple! You are not expected to develop a multi-million dollar risk management program with dozens of staff and hundreds of documents overnight. More importantly, most organizations don’t need a big, ‘heavy’ system. What you do need is the right people with the right training, provided with the necessary guidance and procedures, supported by suitable tools and equipment.
The exact details of what each element looks like will depend upon 1) the organization’s culture and needs, 2) the sector or industry, 3) location and, 4) existing processes which might determine how the system is designed. However, the three Ps – people, procedures and purchases – can provide a sufficiently robust basis for your risk management system. These are explained in more detail below and placed into a framework that you can use to develop your own risk management system.
Note that the article on implementing your risk management system outlines the steps you will take to determine the best ‘fit’ for your organization. Getting the right mix of components is a collaborative process so your original design will be adapted along the way to ensure maximum compatibility.)
People can be considered as having one of three relationships with the organization’s risks:
- Oversight – this group does not become involved in the day-to-day management of risks but will be responsible for ensuring that the risk management system is operating effectively, that risks are being reported and addressed at the correct level and that the overall system is being conducted properly. This activity is managed by the organization’s risk governance teams (e.g. risk committees) and aided by internal and external auditors. (See the article on Governance and Oversight for more detail on this.)
- Manager – Risk managers are the risk SMEs who support risk owners as they identify, assess and develop strategies to address their risks. Risk managers are also responsible for ensuring that the appropriate reporting takes place and they are the link between the risk owners and the relevant risk committee. Risk managers are also responsible for the development, operation and maintenance of the risk management system.
- Owner – The risk owner is the individual who has direct responsibility for a particular risk or portfolio of risks. Risk owners are responsible for identifying, assessing and developing strategies to address the risks in their areas of responsibility. For lower level risks, the risk owner might simply report a risk and manage it at their level whereas other owners will be responsible for a large portfolio of associated risks. For example, the facilities manager might be responsible for a group of infrastructure risks.
In many organizations, people – particularly senior staff – will have multiple risk roles which will switch, depending on the situation. For example, the CFO may be the risk champion for a company and she has initiated the risk management program making her the senior risk manager. She also chairs the company’s Group Risk Committee where she has an oversight role as Chief Risk Officer (CRO). On a day-to-day basis, she is also the owner of the organization’s financial and market risks.
This element is slightly wider than policies and procedures and encompasses all documentation that guides the risk management system. The exact document set that is developed will depend on the organization and the terms may differ slightly but the following documents are likely to form the core for the risk management system.
A risk management policy
This is the top-level document that establishes the risk management program, identifies the program owner (e.g. the CRO) and the program manager (e.g the risk manager). The policy will also describe how the risk management system interacts with other programs within the organization and should identify where overlaps and dependencies exists. Normally, the policy will include a statement defining the organization’s approach to risk management and a general description of its risk appetite and tolerance which are then explained in more detail in subsequent documents. The policy will also define the legislation, standards or guidelines that are applicable along with an outline of the risk management structure within the organization. The risk management policy should provide direction but not detailed instructions and is effectively the charter for the risk management system.
A set of risk management standards
Legislation, industry standards and less formal guidelines explain the mechanics of the risk management system. These standards define terminology, set out minimum expectations and provide theoretical guidance for procedures and processes. Legislation is often nation-based so the organization may have to note where differences in legislation have an impact on the risk management system. Standards, particularly those from ISO and other international professional bodies, can be applied globally so it is recommended that you use a global standard as the basis for your system and then integrate any specific local legislation that applies. Where no standard legislation exists, the organization can use internally-developed or third-party guidelines to explain how elements of the risk management system are to be applied.
Some common standards and references are listed below as these will crop up in ‘risk’ conversations from time to time. Each has its own strength and weaknesses and you should use the material most appropriate for your organization.
- ISO 3001 ‘Risk Management Principles and Guidelines
- The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- Enterprise Risk Management (ERM) frameworkA Risk Management Standard – IRM/Alarm/AIRMIC 2002
- ISO/IEC 31010:2009 – Risk Management – Risk Assessment Techniques
Industry-specific references could include regulations such as the US Sarbanes-Oxley financial legislation 2002 or even the 1981 UN Convention on the Law of the Sea which controls pollution at sea.
Note that Riskademy materials are designed to integrate with some of these systems so once you are comfortable with the basic concepts explained in the Riskademy materials, take a look at some of these standards. I wouldn’t recommend jumping into any of these standards right away – even after more than 15 years in the field, I still find some of these documents unnecessarily complicated (which is why I started Riskademy to be honest).
A risk management procedure
The risk management procedure will explain how the system is managed in detail. It should cover the following areas:
- The risk management hierarchy
- Roles and responsibilities
- Risk appetite and risk tolerance statement and assessment process
- The risk assessment process
- Risk categories and escalation thresholds
- The risk reporting process
- Strategies for addressing risk
- Risk monitoring and controls
- System maintenance
- Tools and templates (see below)
The document should be as widely applicable as possible meaning that minimum adaptation is required in the majority of cases. Annexes or local addenda can then be developed to address any requirements specified in local legislation or to meet specific local conditions. This not only helps with standardization but significantly eases the document management workload.
The standard and procedure should provide the following templates to facilitate the operation of the risk management system.
- Risk assessment template
- Risk register template
- Risk strategy development template
- Risk reporting template
- Risk workshop guides
- Meeting agenda and minute templates
Additional templates can be added to make using the system easier and to meet the organization’s specific requirements.
This covers all the equipment, hardware and software solely for the risk management system but does not include tools used by risk owners to manage their individual risks. (Otherwise this could extend into fire and gas alarms used for facilities monitoring.) Unlike safety and security systems, pure risk management systems require relatively little in the way of equipment so the tools required are more likely to be software based. Often, these are risk management platforms that that speed up and simplify the data management aspect of the risk assessment and reporting activities but this could include subscriptions to market intelligence reports. Training, educational materials and instruction could also be classed as a purchase.
Putting his into practice – Keep it simple
All of this might seem overwhelming and the kind of major project you can’t imagine tackling but a risk management system doesn’t need to be complicated or expensive. Keep things simple and begin with a basic system that incorporates key elements above. Once the basic system is integrated into your organization, you can build on this foundation as specific needs and requirements become more apparent.
As an example of what a simple system might look like to start with, let’s see how Bob approached this.
After the success of the risk assessment, Bob was tasked with development of a risk management system for XYZ Co. When he started planning, he knew that Xavier, the CEO, would want a robust system but one with a light touch. That was how everything was done in XYZ Co. ‘Keep it simple’, Bob thought to himself. He has also looked at the Riskademy article on integrating your risk management system and has done some of the preparatory work and consultation recommended there in preparation for designing the system.
From a staffing perspective, no additional staff would be hired for this so it would have to be people’s secondary responsibility. Bob and the HSE supervisor in Janwick would be the main risk managers for XYZ Co. As the main driver of the initiative, the CEO would be the risk champion.
Bob has been busy reading up on risk management and has also taken a look at the ISO 31000 standard. He thinks this might be a bit heavy to start with but he has ISO 31000 in mind as the standard that he wants to link all the procedures back to eventually. For now, he is starting with the framework he has found online at Riskademy.
The budget for ‘fancy gadgets’ as Xavier put it, is limited but the CEO did agree that some formal training might be necessary and there will be funding for this. Bob’s new enthusiasm for risk management has made him investigate professional qualifications but that’s not something for this year. He also wants to look at simple IT platforms that would help with the risk assessment process as knows he will have to make this as easy as possible if he wants people to keep the risk register up to date. Again, he has put that aside as something for next year.
With all of this in mind, Bob sketches out a simple mind-map of the system.
This might look like a quick scribble but your initial outline of the risk management system doesn’t need to be much more than this.
- Keep things simple and begin with the three Ps.
- Use the considerations in this article.
- Think about what each of these elements looks like in your organization, your industry and the locations where you operate.
You will have the bare bones of a risk management system before you know it.
When you compare this to a formal system, such as ISO 31000 or the COSO framework, it might not look as though there is much overlap. However, the core elements of formal systems are all represented here. All we have done is boil things down to the key components and tried to write things in a straightforward, accessible manner.
The success of a risk management program depends upon the organization’s mindset but, in order to be effective, there also needs to be a system to support this. This could be a major program and some of you may become – or are already – managers of significant departments, sizable teams and enviable budgets. But this can just as easily be a modest program, run by an individual and woven into the organization’s day-to-day activities. Your risk management system will have to be something that works for your organization and these differ from sector to sector, location to location. However, the the basic components will remain the same and an effective mix of people, paperwork and purchases will ensure that you have the right people, with the right skills, supported by clear guidance, armed with the proper tools. All of these combined will give you an effective risk management system and a platform for a risk-led organization.
As a reminder, this article is closely linked to the system integration article so make sure you read that before you start on your system design.