Risk Management 101
According to M_o_R, risk management rests on four core concepts and on the systematic application of principles, an approach and a process to the following tasks:
The task of risk management is to ensure that an organisation makes cost-effective use of a risk management process: a series of well-defined steps aimed at improving internal control and supporting better decision-making through a good understanding of the individual risks and the overall risk exposure that exist at a particular time.
For Risk Management to be effective, risks need to be: Identified, Assessed & Controlled.
Microsoft, who have their own framework, the Microsoft Operations Framework (MOF), have a different take on this, stating that the process should be as follows:
- Identify - Risk identification allows individuals to identify risks so that the operations staff becomes aware of potential problems. Not only should risk identification be undertaken as early as possible, but it also should be repeated frequently.
- Analyze and prioritize - Risk analysis transforms the estimates or data about specific risks that developed during risk identification into a consistent form that can be used to make decisions around prioritization. Risk prioritization enables operations to commit resources to manage the most important risks.
- Plan and schedule - Risk planning takes the information obtained from risk analysis and uses it to formulate strategies, plans, change requests, and actions. Risk scheduling ensures that these plans are approved and then incorporated into the standard day-to-day processes and infrastructure.
- Track and report - Risk tracking monitors the status of specific risks and the progress in their respective action plans. Risk tracking also includes monitoring the probability, impact, exposure, and other measures of risk for changes that could alter priority or risk plans and ultimately the availability of the service. Risk reporting ensures that the operations staff, service manager, and other stakeholders are aware of the status of top risks and the plans to manage them.
- Control - Risk control is the process of executing risk action plans and their associated status reporting.
- Learn - Document what was done, why and how.
The Principles of Managing Risk
M_o_R has eight principles of risk management, characterized as universal, self-validating and empowering. The principles are as follows:
- Aligns with objectives
The amount of risk that an organization is willing to take, and the associated amount of risk management that is carried out, MUST ALIGN to objectives by determining the organisation’s risk capacity and risk appetite. Suitable risks should be identified, and appropriate priority for action given to individual risks and to the overall risk associated with the activity.
- Fits the context
The primary outcome of designing the risk management approach so that it fits the context is that money is not wasted, either on an over-engineered approach or on one that cannot effectively deal with the risks posed by the external and internal environment within the risk capacity and appetite.
- Engages the stakeholders
(understand perceptions, explore causes, impacts, likelihood, and consequence)
Risk management MUST recognize the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of organizational objectives, with the outcome that differences are understood and resolved as far as possible, so that time and money are not wasted on misunderstandings that could have been avoided.
- Provides clear guidance
Enables stakeholders to understand how the organization identifies, assesses and controls risks to objectives across multiple perspectives, so that stakeholders can compare results with plans and make judgements about whether resources are being deployed optimally.
- Informs decision-making
Given that risks influence every decision, it is essential that risk management helps decision makers understand the relative merits, threats and opportunities associated with alternative courses of action, so that an informed choice can be made. This is done by linking risk management to decision-making through mechanisms such as risk tolerance, KPIs (Key Performance Indicators) and EWIs (Early Warning Indicators).
- Facilitates continual improvements
One approach to support internal control is the use of the M_o_R health check. It is a method for checking the health of current risk management and for identifying areas where its application could be improved. Another approach is to use the Risk Maturity Model (RMM).
- Creates a supportive culture
Creating a supportive culture is important if you want people to adopt the necessary management of risk.
- Achieves measurable value
Microsoft’s principles are a little different.
- Risk Is Inherent in Operations
- Proactive Risk Management Is Most Effective
- Treat Risk Identification as Positive
- Assess Risks Continuously
- Integrate Risk Management into Every Role and Function
- Shared Responsibility and Clear Accountability
- Use Risk-Based Scheduling
- Learn from All Experiences
- Keep It Simple