A Risk Management Standard

A Risk Management Standard

---

Published by AIRMIC, ALARM, IRM: 2002

---

Introduction
This Risk Management Standard is the
should be viewed not just in the context of
result of work by a team drawn from the
the activity itself but in relation to the
major risk management organisations in
many and varied stakeholders who can be
the UK - The Institute of Risk
affected.
Management (IRM),The Association of
There are many ways of achieving the
Insurance and Risk Managers (AIRMIC)
objectives of risk management and it
and ALARM The National Forum for
Risk Management in the Public Sector.
would be impossible to try to set them all
out in a single document.Therefore it was
In addition, the team sought the views and
never intended to produce a prescriptive
opinions of a wide range of other
standard which would have led to a box
professional bodies with interests in risk
ticking approach nor to establish a
management, during an extensive period
certifiable process. By meeting the various
of consultation.
component parts of this standard, albeit in
Risk management is a rapidly developing
different ways, organisations will be in a
discipline and there are many and varied
position to report that they are in
views and descriptions of what risk
compliance.The standard represents best
management involves, how it should be
practice against which organisations can
conducted and what it is for. Some form
measure themselves.
of standard is needed to ensure that there is
The standard has wherever possible used
an agreed:
the terminology for risk set out by the
• terminology related to the words used
International Organization for
• process by which risk management can be
Standardization (ISO) in its recent
carried out
document ISO/IEC Guide 73 Risk
Management - Vocabulary - Guidelines for
• organisation structure for risk management
use in standards.
• objective for risk management
In view of the rapid developments in this
Importantly, the standard recognises that
area the authors would appreciate feedback
risk has both an upside and a downside.
from organisations as they put the standard
Risk management is not just something for
into use (addresses to be found on the
corporations or public organisations, but
back cover of this Guide). It is intended
for any activity whether short or long
that regular modifications will be made to
term.The benefits and opportunities
the standard in the light of best practice.
A Risk Management Standard © AIRMIC, ALARM, IRM: 2002
1

---

1. Risk
Risk can be defined as the combination of
negative aspects of risk.Therefore this
the probability of an event and its
standard considers risk from both
consequences (ISO/IEC Guide 73).
perspectives.
In all types of undertaking, there is the
In the safety field, it is generally recognised
potential for events and consequences that
that consequences are only negative and
constitute opportunities for benefit (upside)
therefore the management of safety risk is
or threats to success (downside).
focused on prevention and mitigation of
harm.
Risk Management is increasingly recognised
as being concerned with both positive and
2. Risk Management
Risk management is a central part of any
It must be integrated into the culture of
organisation’s strategic management. It is
the organisation with an effective policy
the process whereby organisations
and a programme led by the most senior
methodically address the risks attaching to
management. It must translate the
their activities with the goal of achieving
strategy into tactical and operational
sustained benefit within each activity and
objectives, assigning responsibility
across the portfolio of all activities.
throughout the organisation with each
The focus of good risk management is the
manager and employee responsible for the
identification and treatment of these risks.
management of risk as part of their job
Its objective is to add maximum
description. It supports accountability,
sustainable value to all the activities of the
performance measurement and reward,
organisation. It marshals the
thus promoting operational efficiency at
understanding of the potential upside and
all levels.
downside of all those factors which can
affect the organisation. It increases the
2.1 External and Internal Factors
probability of success, and reduces both
The risks facing an organisation and its
the probability of failure and the
operations can result from factors both
uncertainty of achieving the organisation’s
external and internal to the organisation.
overall objectives.
Risk management should be a continuous
The diagram overleaf summarises examples
and developing process which runs
of key risks in these areas and shows that
throughout the organisation’s strategy and
some specific risks can have both external
the implementation of that strategy. It
and internal drivers and therefore overlap
should address methodically all the risks
the two areas.They can be categorised
surrounding the organisation’s activities past,
further into types of risk such as strategic,
present and in particular, future.
financial, operational, hazard, etc.
2
A Risk Management Standard

---

2.1 Examples of the Drivers of Key Risks
© AIRMIC, ALARM, IRM: 2002
3

---

2.2 The Risk Management Process
The Organisation’s
Strategic Objectives
Risk Assessment
Risk Analysis
Risk Identification
Risk Description
Risk Estimation
Risk Evaluation
Formal
Audit
Risk Reporting
Modification
Threats and Opportunities
Decision
Risk Treatment
Residual Risk Reporting
Monitoring
Risk management protects and adds value to the organisation and its stakeholders through
supporting the organisation’s objectives by:
• providing a framework for an
use/allocation of capital and resources
organisation that enables future activity
within the organisation
to take place in a consistent and
• reducing volatility in the non essential
controlled manner
areas of the business
• improving decision making, planning
• protecting and enhancing assets and
and prioritisation by comprehensive and
company image
structured understanding of business
activity, volatility and project
• developing and supporting people and
opportunity/threat
the organisation’s knowledge base
• contributing to more efficient
• optimising operational efficiency
4
A Risk Management Standard

---

3. Risk Assessment
Risk Assessment is defined by the ISO/
analysis and risk evaluation.
IEC Guide 73 as the overall process of risk
(See appendix)
4. Risk Analysis
4.1 Risk Identification
• Financial - These concern the effective
Risk identification sets out to identify an
management and control of the finances of
organisation’s exposure to uncertainty.This
the organisation and the effects of external
requires an intimate knowledge of the
factors such as availability of credit, foreign
organisation, the market in which it operates,
exchange rates, interest rate movement and
the legal, social, political and cultural
other market exposures.
environment in which it exists, as well as the
• Knowledge management - These concern
development of a sound understanding of its
the effective management and control of the
strategic and operational objectives,
knowledge resources, the production,
including factors critical to its success and the
protection and communication thereof.
threats and opportunities related to the
External factors might include the
achievement of these objectives.
unauthorised use or abuse of intellectual
Risk identification should be approached
property, area power failures, and
in a methodical way to ensure that all
competitive technology. Internal factors might
significant activities within the organisation
be system malfunction or loss of key staff.
have been identified and all the risks
• Compliance - These concern such issues as
flowing from these activities defined.
health & safety, environmental, trade
All associated volatility related to these
activities should be identified and
descriptions, consumer protection, data
categorised.
protection, employment practices and
regulatory issues.
Business activities and decisions can be
Whilst risk identification can be carried
classified in a range of ways, examples of
out by outside consultants, an in-house
which include:
approach with well communicated,
• Strategic - These concern the long-term
consistent and co-ordinated processes and
strategic objectives of the organisation.They
tools (see Appendix, page 14) is likely to be
can be affected by such areas as capital
more effective. In-house ‘ownership’ of
the risk management process is essential.
availability, sovereign and political risks,
legal and regulatory changes, reputation
4.2 Risk Description
and changes in the physical environment.
The objective of risk description is to
• Operational - These concern the day-to-
display the identified risks in a structured
day issues that the organisation is
format, for example, by using a table.The
confronted with as it strives to deliver its
risk description table overleaf can be used
strategic objectives.
to facilitate the description and assessment
© AIRMIC, ALARM, IRM: 2002
5

---

of risks.The use of a well designed structure
detail. Identification of the risks associated
is necessary to ensure a comprehensive risk
with business activities and decision making
identification, description and assessment
may be categorised as strategic, project/
process. By considering the consequence and
tactical, operational. It is important to
probability of each of the risks set out in the
incorporate risk management at the
table, it should be possible to prioritise the
conceptual stage of projects as well as
key risks that need to be analysed in more
throughout the life of a specific project.
4.2.1 Table - Risk Description
1. Name of Risk
2. Scope of Risk
Qualitative description of the events, their size, type,
number and dependencies
3. Nature of Risk
Eg. strategic, operational, financial, knowledge or compliance
4. Stakeholders
Stakeholders and their expectations
5. Quantification of Risk
Significance and Probability
6. Risk Tolerance/
Loss potential and financial impact of risk
Appetite
Value at risk
Probability and size of potential losses/gains
Objective(s) for control of the risk and desired level of
performance
7. Risk Treatment &
Primary means by which the risk is currently managed
Control Mechanisms
Levels of confidence in existing control
Identification of protocols for monitoring and review
8. Potential Action for
Recommendations to reduce risk
Improvement
9. Strategy and Policy
Identification of function responsible for developing strategy
Developments
and policy
4.3 Risk Estimation
Examples are given in the tables overleaf.
Risk estimation can be quantitative, semi-
Different organisations will find that
quantitative or qualitative in terms of the
different measures of consequence and
probability of occurrence and the possible
probability will suit their needs best.
consequence.
For example many organisations find that
For example, consequences both in terms
assessing consequence and probability as high,
of threats (downside risks) and
medium or low is quite adequate for their
opportunities (upside risks) may be high,
needs and can be presented as a 3 x 3 matrix.
medium or low (see table 4.3.1). Probability
may be high, medium or low but requires
Other organisations find that assessing
different definitions in respect of threats and
consequence and probability using a 5 x 5
opportunities (see tables 4.3.2 and 4.3.3).
matrix gives them a better evaluation.
6
A Risk Management Standard

---

Table 4.3.1 Consequences - Both Threats and Opportunities
High
Financial impact on the organisation is likely to exceed £x
Significant impact on the organisation’s strategy or operational activities
Significant stakeholder concern
Medium
Financial impact on the organisation likely to be between £x and £y
Moderate impact on the organisation’s strategy or operational activities
Moderate stakeholder concern
Low
Financial impact on the organisation likely to be less that £y
Low impact on the organisation’s strategy or operational activities
Low stakeholder concern
Table 4.3.2 Probability of Occurrence - Threats
Estimation
Description
Indicators
High
Likely to occur each year
Potential of it occurring several times
(Probable)
or more than 25% chance
within the time period (for example -
of occurrence.
ten years).
Has occurred recently.
Medium
Likely to occur in a ten
Could occur more than once within the
(Possible)
year time period or less
time period (for example - ten years).
than 25% chance of
Could be difficult to control due to
occurrence.
some external influences.
Is there a history of occurrence?
Low
Not likely to occur in a
Has not occurred.
(Remote)
ten year period or less than
Unlikely to occur.
2% chance of occurrence.
© AIRMIC, ALARM, IRM: 2002
7

---

Table 4.3.3 Probability of Occurrence - Opportunities
Estimation
Description
Indicators
High
Favourable outcome is
Clear opportunity which can be relied
(Probable)
likely to be achieved in
on with reasonable certainty, to be
one year or better than
achieved in the short term based on
75% chance of occurrence.
current management processes.
Medium
Reasonable prospects of
Opportunities which may be achievable
(Possible)
favourable results in one
but which require careful management.
year of 25% to 75% chance
Opportunities which may arise over and
of occurrence.
above the plan.
Low
Some chance of favourable
Possible opportunity which has yet to be
(Remote)
outcome in the medium
fully investigated by management.
term or less than 25%
Opportunity for which the likelihood of
chance of occurrence.
success is low on the basis of management
resources currently being applied.
4.4 Risk Analysis methods and
treatment efforts.This ranks each identified
techniques
risk so as to give a view of the relative
importance.
A range of techniques can be used to
analyse risks.These can be specific to
This process allows the risk to be mapped
upside or downside risk or be capable of
to the business area affected, describes the
dealing with both. (See Appendix, page 14,
primary control procedures in place and
for examples).
indicates areas where the level of risk
control investment might be increased,
4.5 Risk Profile
decreased or reapportioned.
The result of the risk analysis process can
Accountability helps to ensure that
be used to produce a risk profile which
‘ownership’ of the risk is recognised and
gives a significance rating to each risk and
the appropriate management resource
provides a tool for prioritising risk
allocated.
5. Risk Evaluation
When the risk analysis process has been
economic and environmental factors,
completed, it is necessary to compare the
concerns of stakeholders, etc. Risk
estimated risks against risk criteria which
evaluation therefore, is used to make
the organisation has established.The risk
decisions about the significance of risks to
criteria may include associated costs and
the organisation and whether each specific
benefits, legal requirements, socio-
risk should be accepted or treated.
8
A Risk Management Standard

---

Document Outline

• Front cover
• Introduction
• 1. Risk
• 2. Risk Management
• Diagram: Examples of the Drivers of Key Risks
• Diagram: The Risk Management Process
• 3. Risk Assessment
• 4. Risk Analysis
• 5. Risk Evaluation
• 6. Risk Reporting and Communication
• 7. Risk Treatment
• 8. Monitoring and Review of the Risk Management Process
• 9. The Structure and Administration of Risk Management
• 10. Appendix
• Back cover

---