
A Risk Management Standard


Published by AIRMIC, ALARM, IRM: 2002

Introduction

This Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK: The Institute of Risk Management (IRM), The Association of Insurance and Risk Managers (AIRMIC) and ALARM, The National Forum for Risk Management in the Public Sector.

In addition, the team sought the views and opinions of a wide range of other professional bodies with interests in risk management, during an extensive period of consultation.

Risk management is a rapidly developing discipline and there are many and varied views and descriptions of what risk management involves, how it should be conducted and what it is for. Some form of standard is needed to ensure that there is an agreed:

• terminology related to the words used
• process by which risk management can be carried out
• organisation structure for risk management
• objective for risk management

Importantly, the standard recognises that risk has both an upside and a downside.

Risk management is not just something for corporations or public organisations, but for any activity whether short or long term. The benefits and opportunities should be viewed not just in the context of the activity itself but in relation to the many and varied stakeholders who can be affected.

There are many ways of achieving the objectives of risk management and it would be impossible to try to set them all out in a single document. Therefore it was never intended to produce a prescriptive standard which would have led to a box-ticking approach, nor to establish a certifiable process. By meeting the various component parts of this standard, albeit in different ways, organisations will be in a position to report that they are in compliance. The standard represents best practice against which organisations can measure themselves.

The standard has wherever possible used the terminology for risk set out by the International Organization for Standardization (ISO) in its recent document ISO/IEC Guide 73 Risk Management - Vocabulary - Guidelines for use in standards.

In view of the rapid developments in this area the authors would appreciate feedback from organisations as they put the standard into use (addresses to be found on the back cover of this Guide). It is intended that regular modifications will be made to the standard in the light of best practice.

A Risk Management Standard © AIRMIC, ALARM, IRM: 2002

1. Risk

Risk can be defined as the combination of the probability of an event and its consequences (ISO/IEC Guide 73).

In all types of undertaking, there is the potential for events and consequences that constitute opportunities for benefit (upside) or threats to success (downside).

Risk Management is increasingly recognised as being concerned with both positive and negative aspects of risk. Therefore this standard considers risk from both perspectives.

In the safety field, it is generally recognised that consequences are only negative and therefore the management of safety risk is focused on prevention and mitigation of harm.

2. Risk Management

Risk management is a central part of any organisation’s strategic management. It is the process whereby organisations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.

The focus of good risk management is the identification and treatment of these risks. Its objective is to add maximum sustainable value to all the activities of the organisation. It marshals the understanding of the potential upside and downside of all those factors which can affect the organisation. It increases the probability of success, and reduces both the probability of failure and the uncertainty of achieving the organisation’s overall objectives.

Risk management should be a continuous and developing process which runs throughout the organisation’s strategy and the implementation of that strategy. It should address methodically all the risks surrounding the organisation’s activities past, present and, in particular, future.

It must be integrated into the culture of the organisation with an effective policy and a programme led by the most senior management. It must translate the strategy into tactical and operational objectives, assigning responsibility throughout the organisation with each manager and employee responsible for the management of risk as part of their job description. It supports accountability, performance measurement and reward, thus promoting operational efficiency at all levels.

2.1 External and Internal Factors

The risks facing an organisation and its operations can result from factors both external and internal to the organisation.

The diagram overleaf summarises examples of key risks in these areas and shows that some specific risks can have both external and internal drivers and therefore overlap the two areas. They can be categorised further into types of risk such as strategic, financial, operational, hazard, etc.

2.1 Examples of the Drivers of Key Risks (diagram)

2.2 The Risk Management Process

Risk management protects and adds value to the organisation and its stakeholders through supporting the organisation’s objectives by:

• providing a framework for an organisation that enables future activity to take place in a consistent and controlled manner
• improving decision making, planning and prioritisation by comprehensive and structured understanding of business activity, volatility and project opportunity/threat
• contributing to more efficient use/allocation of capital and resources within the organisation
• reducing volatility in the non essential areas of the business
• protecting and enhancing assets and company image
• developing and supporting people and the organisation’s knowledge base
• optimising operational efficiency

Diagram - The Risk Management Process: The Organisation’s Strategic Objectives; Risk Assessment (Risk Analysis: Risk Identification, Risk Description, Risk Estimation; Risk Evaluation); Risk Reporting - Threats and Opportunities; Decision; Risk Treatment; Residual Risk Reporting; Monitoring; with Formal Audit and Modification feedback loops.

3. Risk Assessment

Risk Assessment is defined by the ISO/IEC Guide 73 as the overall process of risk analysis and risk evaluation. (See appendix)

4. Risk Analysis

4.1 Risk Identification

Risk identification sets out to identify an organisation’s exposure to uncertainty. This requires an intimate knowledge of the organisation, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as the development of a sound understanding of its strategic and operational objectives, including factors critical to its success and the threats and opportunities related to the achievement of these objectives.

Risk identification should be approached in a methodical way to ensure that all significant activities within the organisation have been identified and all the risks flowing from these activities defined. All associated volatility related to these activities should be identified and categorised.

Business activities and decisions can be classified in a range of ways, examples of which include:

• Strategic - These concern the long-term strategic objectives of the organisation. They can be affected by such areas as capital availability, sovereign and political risks, legal and regulatory changes, reputation and changes in the physical environment.
• Operational - These concern the day-to-day issues that the organisation is confronted with as it strives to deliver its strategic objectives.
• Financial - These concern the effective management and control of the finances of the organisation and the effects of external factors such as availability of credit, foreign exchange rates, interest rate movement and other market exposures.
• Knowledge management - These concern the effective management and control of the knowledge resources, the production, protection and communication thereof. External factors might include the unauthorised use or abuse of intellectual property, area power failures, and competitive technology. Internal factors might be system malfunction or loss of key staff.
• Compliance - These concern such issues as health & safety, environmental, trade descriptions, consumer protection, data protection, employment practices and regulatory issues.

Whilst risk identification can be carried out by outside consultants, an in-house approach with well communicated, consistent and co-ordinated processes and tools (see Appendix, page 14) is likely to be more effective. In-house ‘ownership’ of the risk management process is essential.

4.2 Risk Description

The objective of risk description is to display the identified risks in a structured format, for example, by using a table. The risk description table overleaf can be used to facilitate the description and assessment of risks. The use of a well designed structure is necessary to ensure a comprehensive risk identification, description and assessment process. By considering the consequence and probability of each of the risks set out in the table, it should be possible to prioritise the key risks that need to be analysed in more detail. Identification of the risks associated with business activities and decision making may be categorised as strategic, project/tactical, operational. It is important to incorporate risk management at the conceptual stage of projects as well as throughout the life of a specific project.

4.2.1 Table - Risk Description

1. Name of Risk
2. Scope of Risk: Qualitative description of the events, their size, type, number and dependencies
3. Nature of Risk: Eg. strategic, operational, financial, knowledge or compliance
4. Stakeholders: Stakeholders and their expectations
5. Quantification of Risk: Significance and Probability
6. Risk Tolerance/Appetite: Loss potential and financial impact of risk; Value at risk; Probability and size of potential losses/gains; Objective(s) for control of the risk and desired level of performance
7. Risk Treatment & Control Mechanisms: Primary means by which the risk is currently managed; Levels of confidence in existing control; Identification of protocols for monitoring and review
8. Potential Action for Improvement: Recommendations to reduce risk
9. Strategy and Policy Developments: Identification of function responsible for developing strategy and policy

4.3 Risk Estimation

Risk estimation can be quantitative, semi-quantitative or qualitative in terms of the probability of occurrence and the possible consequence.

For example, consequences both in terms of threats (downside risks) and opportunities (upside risks) may be high, medium or low (see table 4.3.1). Probability may be high, medium or low but requires different definitions in respect of threats and opportunities (see tables 4.3.2 and 4.3.3).

Examples are given in the tables overleaf. Different organisations will find that different measures of consequence and probability will suit their needs best.

For example many organisations find that assessing consequence and probability as high, medium or low is quite adequate for their needs and can be presented as a 3 x 3 matrix.

Other organisations find that assessing consequence and probability using a 5 x 5 matrix gives them a better evaluation.

Table 4.3.1 Consequences - Both Threats and Opportunities

High: Financial impact on the organisation is likely to exceed £x. Significant impact on the organisation’s strategy or operational activities. Significant stakeholder concern.

Medium: Financial impact on the organisation likely to be between £x and £y. Moderate impact on the organisation’s strategy or operational activities. Moderate stakeholder concern.

Low: Financial impact on the organisation likely to be less than £y. Low impact on the organisation’s strategy or operational activities. Low stakeholder concern.

Table 4.3.2 Probability of Occurrence - Threats

Estimation: High (Probable). Description: Likely to occur each year or more than 25% chance of occurrence. Indicators: Potential of it occurring several times within the time period (for example - ten years). Has occurred recently.

Estimation: Medium (Possible). Description: Likely to occur in a ten year time period or less than 25% chance of occurrence. Indicators: Could occur more than once within the time period (for example - ten years). Could be difficult to control due to some external influences. Is there a history of occurrence?

Estimation: Low (Remote). Description: Not likely to occur in a ten year period or less than 2% chance of occurrence. Indicators: Has not occurred. Unlikely to occur.

Table 4.3.3 Probability of Occurrence - Opportunities

Estimation: High (Probable). Description: Favourable outcome is likely to be achieved in one year or better than 75% chance of occurrence. Indicators: Clear opportunity which can be relied on with reasonable certainty, to be achieved in the short term based on current management processes.

Estimation: Medium (Possible). Description: Reasonable prospects of favourable results in one year, or 25% to 75% chance of occurrence. Indicators: Opportunities which may be achievable but which require careful management. Opportunities which may arise over and above the plan.

Estimation: Low (Remote). Description: Some chance of favourable outcome in the medium term or less than 25% chance of occurrence. Indicators: Possible opportunity which has yet to be fully investigated by management. Opportunity for which the likelihood of success is low on the basis of management resources currently being applied.

4.4 Risk Analysis methods and techniques

A range of techniques can be used to analyse risks. These can be specific to upside or downside risk or be capable of dealing with both. (See Appendix, page 14, for examples).

4.5 Risk Profile

The result of the risk analysis process can be used to produce a risk profile which gives a significance rating to each risk and provides a tool for prioritising risk treatment efforts. This ranks each identified risk so as to give a view of the relative importance.

This process allows the risk to be mapped to the business area affected, describes the primary control procedures in place and indicates areas where the level of risk control investment might be increased, decreased or reapportioned.

Accountability helps to ensure that ‘ownership’ of the risk is recognised and the appropriate management resource allocated.

5. Risk Evaluation

When the risk analysis process has been completed, it is necessary to compare the estimated risks against risk criteria which the organisation has established. The risk criteria may include associated costs and benefits, legal requirements, socio-economic and environmental factors, concerns of stakeholders, etc. Risk evaluation therefore, is used to make decisions about the significance of risks to the organisation and whether each specific risk should be accepted or treated.
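The following Python is an added example and is not part of the standard. It turns the probability bands of tables 4.3.2 (threats) and 4.3.3 (opportunities) and the 3 x 3 consequence/probability matrix of section 4.3 into a small risk profile (section 4.5), then compares each entry against an acceptance criterion as section 5 describes. The numeric scoring of the matrix cells (Low=1, Medium=2, High=3, multiplied), the treatment of the exact 25% and 75% boundaries, the acceptance threshold and every entry in the sample register are constructed assumptions, not values from the standard.

```python
from dataclasses import dataclass, field

RATING_SCORE = {"Low": 1, "Medium": 2, "High": 3}  # assumption: 3 x 3 matrix cell scores


def band_threat_probability(chance: float) -> str:
    """Table 4.3.2: more than 25% High, less than 2% Low, otherwise Medium.
    Exactly 25% and exactly 2% fall in Medium (assumption; the table is silent)."""
    if not 0.0 <= chance <= 1.0:
        raise ValueError("chance must be a fraction between 0 and 1")
    if chance > 0.25:
        return "High"
    if chance >= 0.02:
        return "Medium"
    return "Low"


def band_opportunity_probability(chance: float) -> str:
    """Table 4.3.3: better than 75% High, 25% to 75% Medium, less than 25% Low.
    Exactly 75% falls in Medium (assumption; the table is silent)."""
    if not 0.0 <= chance <= 1.0:
        raise ValueError("chance must be a fraction between 0 and 1")
    if chance > 0.75:
        return "High"
    if chance >= 0.25:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    """One row of a risk register, banded on construction."""
    name: str
    kind: str              # "threat" (downside) or "opportunity" (upside)
    chance: float          # estimated probability of occurrence, 0..1
    consequence: str       # "High", "Medium" or "Low" per table 4.3.1
    business_area: str     # business area the risk maps to (section 4.5)
    probability: str = field(init=False)
    significance: int = field(init=False)

    def __post_init__(self) -> None:
        if self.consequence not in RATING_SCORE:
            raise ValueError(f"consequence must be one of {list(RATING_SCORE)}")
        if self.kind == "threat":
            self.probability = band_threat_probability(self.chance)
        elif self.kind == "opportunity":
            self.probability = band_opportunity_probability(self.chance)
        else:
            raise ValueError("kind must be 'threat' or 'opportunity'")
        # Matrix cell: probability rating x consequence rating (assumed scoring).
        self.significance = RATING_SCORE[self.probability] * RATING_SCORE[self.consequence]


def risk_profile(register: list) -> list:
    """Section 4.5: rank the register by significance, highest first.
    sorted() is stable, so equally significant risks keep register order."""
    return sorted(register, key=lambda r: r.significance, reverse=True)


def evaluate(register: list, accept_below: int) -> dict:
    """Section 5: compare each risk with the organisation's criterion (here a
    single significance threshold, an assumption). Threats at or above it are
    flagged for treatment, opportunities at or above it for pursuit, the rest
    are accepted as they stand."""
    decisions = {}
    for r in register:
        if r.significance < accept_below:
            decisions[r.name] = "accept"
        elif r.kind == "threat":
            decisions[r.name] = "treat"
        else:
            decisions[r.name] = "pursue"
    return decisions


# Constructed sample register; names and values are illustrative only.
SAMPLE_REGISTER = [
    Risk("Loss of key staff", "threat", 0.30, "Medium", "Knowledge management"),
    Risk("Interest rate movement", "threat", 0.10, "High", "Financial"),
    Risk("Regulatory change", "threat", 0.01, "High", "Strategic"),
    Risk("New export market", "opportunity", 0.50, "High", "Strategic"),
    Risk("Process automation", "opportunity", 0.80, "Low", "Operational"),
]

if __name__ == "__main__":
    for r in risk_profile(SAMPLE_REGISTER):
        print(f"{r.significance}  {r.probability:6} x {r.consequence:6}  "
              f"{r.kind:11} {r.name} ({r.business_area})")
    print(evaluate(SAMPLE_REGISTER, accept_below=4))
```

The two banding functions are kept separate because the tables deliberately define High, Medium and Low differently for threats and for opportunities; a register that applied the threat bands to an opportunity would rate a 30% chance of a favourable outcome as "High". Replacing RATING_SCORE with a five-level dictionary and the two functions with five-band equivalents gives the 5 x 5 variant the text mentions.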

6. Risk Reporting and Communication

6.1 Internal Reporting

Different levels within an organisation need different information from the risk management process.

The Board of Directors should:

• know about the most significant risks facing the organisation
• know the possible effects on shareholder value of deviations to expected performance ranges
• ensure appropriate levels of awareness throughout the organisation
• know how the organisation will manage a crisis
• know the importance of stakeholder confidence in the organisation
• know how to manage communications with the investment community where applicable
• be assured that the risk management process is working effectively
• publish a clear risk management policy covering risk management philosophy and responsibilities

Business Units should:

• be aware of risks which fall into their area of responsibility, the possible impacts these may have on other areas and the consequences other areas may have on them
• have performance indicators which allow them to monitor the key business and financial activities, progress towards objectives and identify developments which require intervention (e.g. forecasts and budgets)
• have systems which communicate variances in budgets and forecasts at appropriate frequency to allow action to be taken
• report systematically and promptly to senior management any perceived new risks or failures of existing control measures

Individuals should:

• understand their accountability for individual risks
• understand how they can enable continuous improvement of risk management response
• understand that risk management and risk awareness are a key part of the organisation’s culture
• report systematically and promptly to senior management any perceived new risks or failures of existing control measures

6.2 External Reporting

A company needs to report to its stakeholders on a regular basis setting out its risk management policies and the effectiveness in achieving its objectives.

Increasingly stakeholders look to organisations to provide evidence of effective management of the organisation’s non-financial performance in such areas as community affairs, human rights, employment practices, health and safety and the environment.

Good corporate governance requires that companies adopt a methodical approach to risk management which:

• protects the interests of their stakeholders
• ensures that the Board of Directors discharges its duties to direct strategy, build value and monitor performance of the organisation
• ensures that management controls are in place and are performing adequately

The arrangements for the formal reporting of risk management should be clearly stated and be available to the stakeholders.

The formal reporting should address:

• the control methods - particularly management responsibilities for risk management
• the processes used to identify risks and how they are addressed by the risk management systems
• the primary control systems in place to manage significant risks
• the monitoring and review system in place

Any significant deficiencies uncovered by the system, or in the system itself, should be reported together with the steps taken to deal with them.

7. Risk Treatment

Risk treatment is the process of selecting and implementing measures to modify the risk. Risk treatment includes as its major element, risk control/mitigation, but extends further to, for example, risk avoidance, risk transfer, risk financing, etc.

NOTE: In this standard, risk financing refers to the mechanisms (eg insurance programmes) for funding the financial consequences of risk. Risk financing is not generally considered to be the provision of funds to meet the cost of implementing risk treatment (as defined by ISO/IEC Guide 73; see page 17).

Any system of risk treatment should provide as a minimum:

• effective and efficient operation of the organisation
• effective internal controls
• compliance with laws and regulations.

The risk analysis process assists the effective and efficient operation of the organisation by identifying those risks which require attention by management. They will need to prioritise risk control actions in terms of their potential to benefit the organisation.

Effectiveness of internal control is the degree to which the risk will either be eliminated or reduced by the proposed control measures.

Cost effectiveness of internal control relates to the cost of implementing the control compared to the risk reduction benefits expected.

The proposed controls need to be measured in terms of potential economic effect if no action is taken versus the cost of the proposed action(s) and invariably require more detailed information and assumptions than are immediately available.

Firstly, the cost of implementation has to be established. This has to be calculated with some accuracy since it quickly becomes the baseline against which cost effectiveness is measured. The loss to be expected if no action is taken must also be estimated and, by comparing the results, management can decide whether or not to implement the risk control measures.

Compliance with laws and regulations is not an option. An organisation must understand the applicable laws and must implement a system of controls to achieve compliance. There is only occasionally some flexibility where the cost of reducing a risk may be totally disproportionate to that risk.

One method of obtaining financial protection against the impact of risks is through risk financing which includes insurance. However, it should be recognised that some losses or elements of a loss will be uninsurable, eg the uninsured costs associated with work-related health, safety or environmental incidents, which may include damage to employee morale and the organisation’s reputation.

8. Monitoring and Review of the Risk Management Process

Effective risk management requires a reporting and review structure to ensure that risks are effectively identified and assessed and that appropriate controls and responses are in place. Regular audits of policy and standards compliance should be carried out and standards performance reviewed to identify opportunities for improvement. It should be remembered that organisations are dynamic and operate in dynamic environments. Changes in the organisation and the environment in which it operates must be identified and appropriate modifications made to systems.

The monitoring process should provide assurance that there are appropriate controls in place for the organisation’s activities and that the procedures are understood and followed.

Any monitoring and review process should also determine whether:

• the measures adopted resulted in what was intended
• the procedures adopted and information gathered for undertaking the assessment were appropriate
• improved knowledge would have helped to reach better decisions and identify what lessons could be learned for future assessments and management of risks

9. The Structure and Administration of Risk Management

9.1 Risk Management Policy

An organisation’s risk management policy should set out its approach to and appetite for risk and its approach to risk management. The policy should also set out responsibilities for risk management throughout the organisation.

Furthermore, it should refer to any legal requirements for policy statements eg. for Health and Safety.

Attaching to the risk management process is an integrated set of tools and techniques for use in the various stages of the business process. To work effectively, the risk management process requires:

• commitment from the chief executive and executive management of the organisation
• assignment of responsibilities within the organisation
• allocation of appropriate resources for training and the development of an enhanced risk awareness by all stakeholders.

9.2 Role of the Board

The Board has responsibility for determining the strategic direction of the organisation and for creating the environment and the structures for risk management to operate effectively.

This may be through an executive group, a non-executive committee, an audit committee or such other function that suits the organisation’s way of operating and is capable of acting as a ‘sponsor’ for risk management.

The Board should, as a minimum, consider, in evaluating its system of internal control:

• the nature and extent of downside risks acceptable for the company to bear within its particular business
• the likelihood of such risks becoming a reality
• how unacceptable risks should be managed
• the company’s ability to minimise the probability and impact on the business
• the costs and benefits of the risk and control activity undertaken
• the effectiveness of the risk management process
• the risk implications of board decisions

9.3 Role of the Business Units

This includes the following:

• the business units have primary responsibility for managing risk on a day-to-day basis
• business unit management is responsible for promoting risk awareness within their operations; they should introduce risk management objectives into their business
• risk management should be a regular management-meeting item to allow consideration of exposures and to reprioritise work in the light of effective risk analysis
• business unit management should ensure that risk management is incorporated at the conceptual stage of projects as well as throughout a project

9.4 Role of the Risk Management Function

Depending on the size of the organisation the risk management function may range from a single risk champion, a part time risk manager, to a full scale risk management department. The role of the Risk Management function should include the following:

• setting policy and strategy for risk management
• primary champion of risk management at strategic and operational level
• building a risk aware culture within the organisation including appropriate education
• establishing internal risk policy and structures for business units
• designing and reviewing processes for risk management
• co-ordinating the various functional activities which advise on risk management issues within the organisation
• developing risk response processes, including contingency and business continuity programmes
• preparing reports on risk for the board and the stakeholders

9.5 Role of Internal Audit

The role of Internal Audit is likely to differ from one organisation to another. In practice, Internal Audit’s role may include some or all of the following:

• focusing the internal audit work on the significant risks, as identified by management, and auditing the risk management processes across an organisation
• providing assurance on the management of risk
• providing active support and involvement in the risk management process
• facilitating risk identification/assessment and educating line staff in risk management and internal control
• co-ordinating risk reporting to the board, audit committee, etc

In determining the most appropriate role for a particular organisation, Internal Audit should ensure that the professional requirements for independence and objectivity are not breached.

9.6 Resources and Implementation

The resources required to implement the organisation’s risk management policy should be clearly established at each level of management and within each business unit.

In addition to other operational functions they may have, those involved in risk management should have their roles in co-ordinating risk management policy/strategy clearly defined. The same clear definition is also required for those involved in the audit and review of internal controls and facilitating the risk management process.

Risk management should be embedded within the organisation through the strategy and budget processes. It should be highlighted in induction and all other training and development as well as within operational processes e.g. product/service development projects.

10. Appendix

Risk Identification Techniques - examples

• Brainstorming
• Questionnaires
• Business studies which look at each business process and describe both the internal processes and external factors which can influence those processes
• Industry benchmarking
• Scenario analysis
• Risk assessment workshops
• Incident investigation
• Auditing and inspection
• HAZOP (Hazard & Operability Studies)

Risk Analysis Methods and Techniques - examples

Upside risk
• Market survey
• Prospecting
• Test marketing
• Research and Development
• Business impact analysis

Both
• Dependency modelling
• SWOT analysis (Strengths, Weaknesses, Opportunities, Threats)
• Event tree analysis
• Business continuity planning
• BPEST (Business, Political, Economic, Social, Technological) analysis
• Real Option Modelling
• Decision taking under conditions of risk and uncertainty
• Statistical inference
• Measures of central tendency and dispersion
• PESTLE (Political Economic Social Technical Legal Environmental)

Downside risk
• Threat analysis
• Fault tree analysis
• FMEA (Failure Mode & Effect Analysis)

On the following pages are extracts from the document PD ISO/IEC Guide 73: 2002 reproduced with the permission of British Standards Institution under licence number 2002SK/0313. British Standards can be obtained from BSI Customer Services, 389 Chiswick High Road, London W4 4AL. (Tel + 44 (0) 20 8996 9001)

Please note: The hard-copy version of the Standard contains extracts from the document ISO/IEC Guide 73:2002 reproduced with the permission of British Standards Institution. Hard copy versions of the Standard which contain this section are available for purchase from the IRM, AIRMIC and ALARM. The extracts are produced under licence and are therefore omitted from the download to enable free distribution.

The Association of Insurance and Risk Managers
6 Lloyd’s Avenue, London EC3N 3AX
Telephone 020 7480 7610
Facsimile 020 7702 3752
Email [email protected]

ALARM The National Forum for Risk Management in the Public Sector
Queens Drive, Exmouth, Devon, EX8 2AY
Telephone 01395 223399
Facsimile 01395 223304
Email [email protected]

The Institute of Risk Management
6 Lloyd’s Avenue, London EC3N 3AX
Telephone 020 7709 9808
Facsimile 020 7709 0716
Email [email protected]

This publication is available from the above organisations for download from their respective websites free of charge.

Please contact the individual associations if you wish to purchase more copies of this Risk Management Standard in printed form.