Our client, a major international business, has a mature framework for risk management that is aligned with ISO 31000:2009.
To satisfy national corporate governance requirements, the board adopts an active role in reviewing the company’s policies on risk oversight and management to satisfy itself that the company has developed and implemented a sound system of risk management.
While the board believed the company’s approach to risk management was generally satisfactory, previous audits were regarded as superficial and had not provided it with the degree of assurance it required. As leading experts in this field, Broadleaf was commissioned to conduct an independent review of the current framework, strategy and process for managing risk and to compare these to best practice. The board requested our professional opinion on the current situation and that we give the company advice on any further steps that should be taken now to enhance and improve the foundations for risk management.
After many years of practical experience in evaluating and enhancing risk management, we believe that success depends as much on the manner in which any changes to a framework are developed and implemented as it does on the detail of the tools and written materials generated. This is why we adopted an approach here that sought the views of key internal stakeholders on the current ways of managing risk and then involved them in the development and approval of the enhancement strategy, to ensure they accepted the review and owned its outcomes.
It was also important for us to continually interact with the company risk management team, so that our advice was framed in a manner that supported the improvements they had planned already. We met the team throughout the review to explain and demonstrate practical options for any enhancements or additions we recommended, before we finalised our report.
Our approach involved a structured, interactive review and gap analysis of the existing risk management framework and applications of the process, from both a technical and practical perspective, so as to understand whether the company's current approach reflected good practice, whether it was suitable for the organisation and whether it could be adapted and enhanced to make it more effective if that was necessary.
We used ISO 31000:2009 as a basis for the review, supplemented by our own experience of what represents good practice in organisations of the size and nature of the company. Throughout the initiative we worked closely with members of the company Group Audit and Risk function, transferring knowledge.
Figure 1 shows an outline of the approach we followed, as described below.
The study started with a meeting where the detailed arrangements for the study were agreed, including the schedule of activities and delivery dates, the documents needed for review and those managers we wanted to interview.
Prior to the initial meeting we issued a list of background documentation we needed for the review and opened up a secure Internet portal for the uploading of the documents. The list included:
- Relevant policy statements, framework descriptions, internal standards and procedures, with a particular focus on decision support and controls assurance
- Internal standards, procedures or guidelines that deal with particular applications of risk management, for example in the areas of safety, procurement, security, operations, maintenance, BCM, compliance and project management
- The current strategic plan and objectives
- Examples of risk management plans and control assurance plans
- Extracts from the risk management information system including risk registers and risk treatment plans
- Methodology for and outputs from any quantitative risk analysis studies (range analyses)
- Copies of recent reports to any risk management steering committees or review groups and the Audit Committee that show risk management performance
- Copies of any existing training and briefing materials that deal with risk management.
We conducted a preliminary review of the materials supplied and, from this, developed an aide-mémoire of sample questions that would be asked during interviews. This document was supplied to the company so that it could be passed on to those who were to be interviewed, allowing them to prepare.
Elicitation, verification and feedback
In our experience it is vital to observe and review how risk management takes place in practice. This is particularly true if there might be any discontinuity of practice across an organisation or inconsistent processes and systems. It is also important to test management’s perceptions of the current approach to risk management to see if it is currently viewed as effective and is likely to satisfy their future needs.
In this case we undertook this observation through a series of structured interviews with senior managers from which we drew conclusions on:
- The suitability of the current framework and tools to manage risk associated with an organisation of its size and complexity, its risk profile and risk attitude (appetite)
- The drivers of that attitude, based on what are recognised as the ‘key success factors’ and growth objectives for the organisation
- The perceived usefulness of the current risk management process and its degree of integration into key decision-making processes
- The strengths and limitations of the other approaches to risk management specific to particular kinds of risks that co-exist in the organisation
- Whether the tools and methods currently being used are capable of providing a current, correct and comprehensive understanding of its risks and inform it whether the risks are within its risk criteria
- The level of understanding of senior managers about aspects of the risk management culture
- An outline of the perceived risk profile of the organisation and whether this varies from accepted and reported risk profiles.
At the conclusion of the interviews we provided immediate feedback to Audit and Risk staff on:
- Our major findings
- Our conclusions on the level of maturity, the strengths and weaknesses
- Our initial thoughts on where the company could enhance the management of risk and the steps that should be taken.
Analysis and report
Figure 2 shows the generic architecture of a risk management framework. This is a collection of elements that enables the risk management process to be applied to decision-making and risks to be modified as required. The framework has two parts – both of which are particular to an organisation:
- An expression of the organisation’s intentions - how it signals what, why and how risk will be managed. This might be by policies, standards and other management practices
- The capacity it provides to manage risk in keeping with these intentions. This consists of:
  - Capability to use them as part of decision making
  - Arrangements to confirm that intentions are satisfied
  - An ability to continuously adapt, respond to change and improve.
Our interviews concentrated on understanding how the risk management process was applied in practice and, in particular, how managers identified risks and made decisions on whether levels were acceptable. To do this we had to understand if the existing risk criteria accurately reflected the company’s risk attitude. We also looked at the current qualitative risk analysis system and the instructions on its application to see if they were clear, unambiguous and technically valid. The existing consequence criteria and scales were compared with the company’s critical success factors, and we assessed if the likelihood scales were useful and relevant.
Assessments of the effectiveness of existing controls and estimation of potential exposures are also vital components in risk analysis. We therefore compared the current approach to the guidance in the Institute of Internal Auditors/Standards Australia handbook HB 158:2010.
Using all the information gathered we conducted a gap analysis and maturity evaluation using ISO 31000:2009 and what we understand is world’s best practice as a basis for comparison. An example of output is shown in Figure 3. In general, we found the company’s approach to risk management did not contain all the elements of a fully effective risk management framework as described in ISO 31000:2009. It also did not fully satisfy the principles for effective risk management and the attributes of enhanced risk management given in the standard.
Following the maturity scheme shown in Figure 3 we found that, in practice, the company’s approach to risk management fell generally in Stage 2 with some instances in Stage 1 and others in Stage 3.
Figure 3 reflects the way organisations normally advance in risk management as they implement a risk management framework that aligns with Clause 4 of the ISO standard and adopt the principles of effective risk management and the attributes of advanced risk management given there. While the risk management process can be applied in isolation to specific risk types (Stage 1) and risk management can be used purely to generate occasional governance reports (Stage 2), ISO 31000:2009 makes it clear that the management of risks will not be truly effective until it becomes dynamic and is fully integrated into the organisation’s processes for decision making.
In this case we found that, while managers in the company clearly did consider risks when they made decisions, this was rarely a structured and comprehensive process.
Our report made findings on:
- The framework and how it facilitated the integration of risk management into decision making, including risk management plans and the strategy for their implementation
- How risk management was applied in strategy development and during all forms of planning, for decision-making and change management
- The reliability of each element of the risk management process
- How the overall risk profile of the company was obtained and evaluated through aggregation and roll-up and how risks were treated at a corporate level
- The form and content of governance reporting
- How risk treatments were closed out and the monitoring and review of risks, controls and risk treatments
- The company culture as it pertained to the management of risks in terms of both intent and practice
- The adequacy and effectiveness of the systems and resources available to support the management of risk, including human resources.
We also identified opportunities for improvement to the company’s current approach for risk management including its implementation strategy and the resources and systems available. In all cases, where the current approach varied from best practice, we made practical suggestions about how improvements could be made.
Our report contained a draft enhancement plan whose timings reflect the critical path to be followed for implementing the framework enhancements, together with the activities and actions required to bring risk management at the company to a best-practice standard within a reasonable and practical time period.
Senior management input and enhancement planning
Senior managers need to appreciate and be able to comment on the findings and conclusions from such reviews, as this builds support for an enhancement plan. This should take place before any report is made available to the board, so that the company can indicate its response.
We therefore presented our findings and recommendations at a short meeting with senior managers. The draft agenda was:
- Fundamentals of risk and best practice risk management
- Overall findings and assessment of the review
- Suggested improvements and enhancement strategies
- Draft enhancement plan.
For the planning component of the session we used the ‘Y model’ (see Figure 5) to elicit feedback and ownership of the current situation, the wanted situation and what needed to change. The management team was encouraged to discuss and compare options and then to finalise the enhancement plan actions and agree timelines. These agreements were recorded and included in our final report.
Report to the Board and Audit Committee
We supported the company in presenting the review findings, conclusions and the agreed enhancement plan to the board and its audit committee. Figure 6 shows an example of the form of summary plan that was presented to the board.
This review arose because the company and its board did not have confidence in the reviews conducted previously by generalist audit companies. Reviewing the approach to risk management in a complex organisation requires special skills and considerable experience. As an important part of the review must involve interviews with senior managers, the credibility of the interviewer is paramount if useful responses are to be obtained and if those are to be interpreted properly.
While it is important to follow a structured approach to the gap analysis and evaluation, the resulting conclusions and recommendations must be both customised and practical. Most importantly, they must reflect credible ways in which similar organisations manage risk in the ‘real world’.
Although the request for this review came from the board, it was fully supported by the company's risk management team. They worked closely with Broadleaf to understand our conclusions and recommendations and requested examples of best practice on which they could base their own solutions.