These resources are produced as short videos. The collection includes various aspects of Broadleaf's work and concentrates on giving useful, practical advice.
Do you have a sound risk management framework?
The risk management framework is the foundation for effective risk management. The new ASX Principle 7 requires organisations to implement a sound framework and for boards to carry out annual assessments of the effectiveness of these frameworks. This means that organisations have to move on from sending boards reports containing 'lists of risks' to providing them with information on their framework and its effectiveness.
This presentation describes a risk management framework and its components and shows how companies can report to a board on the effectiveness of its approach to risk management.
The concept of risk
So often, articles, standards and even regulations concerned with managing risk fail to explain specifically and in plain language exactly what is being managed – in other words, the meaning of risk on which the article, standard or regulation is based is not explained. This not only means that their central thesis is fuzzy but typically results in a lack of rigour in the thinking that follows.
Similarly, there is a failure to articulate specifically what management means, what the parameters of good risk management are and what empirical process of management is being assumed.
This presentation explains risk and its management using simple language and from first principles.
Cracking a dozen myths about risk management
The sole purpose for managing risk is to improve decision-making, to make it more likely that our subsequent actions contribute as much as possible to the achievement of our goals and objectives. It has no other purpose.
Unfortunately, however, some in the risk management profession seem determined to make what are essentially simple concepts and processes much more complex and opaque.
The following set of presentations discusses a dozen myths that demonstrate how confused and confusing the way many in our profession explain how we should manage risk has become. The presentations attempt to crack these myths and explain sensible solutions.
Myth 1 - The integration of risk management into decision making means consulting a pre-existing risk register
Whether decision-making results in a single action or the implementation of many in a plan, there is really no good reason why last year’s risk register should be relevant to the decisions being made now (or in the future). Risks are not inputs to decisions, they are formed by decisions.
Myth 2 - We can have different approaches and language for managing different types of risks
This myth underpins silo thinking that leads to confused and inconsistent decision-making. This is inefficient and can lead to risks not being discovered, properly understood or correctly treated when required.
Myth 3 - The risk management framework is a document (that contains the risk rating system)
Apart from having a dependable process for managing risk, organisations also need to express their intentions that this process will be applied to all decision making. Of course, intentions mean nothing unless backed by organisational capacity – such as competency and relevant resources – and by arrangements that give confidence that the process is being applied correctly and consistently.
Myth 4 - Risk registers are important
Some seem to believe that risk registers possess magic properties: just creating them is sufficient for an organisation to manage risk effectively. However, in reality, they are simply records of discussions that were held at a point in time: just snapshots. At most, risk registers are a means to an end – more effective controls and an acceptable level of risk.
Myth 5 - Risks (actually) occur
We use examples of things that might happen (because there is a source of uncertainty) and what they might lead to in terms of our objectives - to help us understand risk. Risks are therefore just examples, illustrations or hypotheses and it is entirely fortuitous if events occur exactly as we have predicted.
Myth 6 - We need to conduct risk reviews once a year to tell the board or audit committee what our risks are
A reporting requirement is never a good reason for the application of the risk management process. We manage risk to create value, through enhancing the decisions we make.
Reports to oversight bodies should seek to demonstrate the organisation has a sound framework for managing risk - otherwise any other risk information will not have credibility.
Myth 7 - We don’t need to establish the context before each risk assessment, we only need to do it once a year or when we write the RM Plan
Some people think that you only need to establish the context once for an organisation or project. This means that they generally waste people's time in risk assessments that produce output that is unreliable.
Myth 8 - We can just use someone else's risk rating system (the 'matrix')
Risk is the effect of uncertainty on our objectives. Risk criteria are therefore specific to our organisation, its external and internal environment, its objectives and the types of decisions to be made. The presentation describes how risk criteria should be developed rather than borrowed.
Myth 9 - The level of risk is obtained by multiplying the probability of an event by its impact
Some people say that the level of risk is obtained by multiplying the probability of an event by its impact. However, the level of risk is always estimated from a combination of a measure of consequences and their likelihood. Using the likelihood of the event overestimates the level of risk, prevents you from properly representing the effect of controls and obscures the optimal form of risk treatment.
Myth 10 - You need to estimate levels of residual risk, inherent risk and target risk plus MFL, EML, gross risk, potential exposure etc.
We do not need all the different forms of measures that many organisations put in their risk registers. We only need information that supports decisions. That is, a measure of control effectiveness, an estimate of the level of risk and a prediction of the potential maximum consequences if controls fail.
Myth 11 - We can do risk treatment at the same time as we identify and analyse risks
Many people try to cram risk treatment into the same session where risks are identified and analysed. This is simply not cost effective and leads to wasted time and poor outcomes. It is better to explore options for risk treatment and develop plans in smaller meetings that just focus on one risk at a time.
Myth 12 - Monitoring and review are the same thing – and they can be carried out by Internal Audit
Monitoring and review are quite different activities. While audits are a form of periodic review, for the organisation’s most significant risks the external and internal sources of uncertainty must be subject to frequent surveillance. Similarly, its most important controls must be continually checked to ensure they remain effective. These are both roles for management.