Steps to Building a Risk Management System: Influencing Compliance
As markets continue to evolve, organizations are evolving their definition of compliance. From an operational context, the speed and complexity of the market is driving faster product lifecycles, more extensive and complex supply chains, and a need to remain both competitive and compliant. For many, this cannot be achieved with the methods of old; new benchmarks are needed that have the agility and consistency to respond to market needs and support informed, logical decisions.
Risk Management is fast becoming the benchmark for this decision-making paradigm. The concept of risk spans the entire enterprise and fits many different aspects of the business – financial, health and safety, environmental, quality and compliance, and more. What makes risk so powerful in a changing world is its consistency: risk is an objective, systematic and repeatable method for identifying hazards and assessing the level of harm a hazard may cause. Whatever the event or hazard, the method remains the same; this is what makes it universal to all operational areas, and why it is a powerful means of analyzing situations and making better decisions.
Starting Points: How to Define your Risk
The challenge for many companies is not the decision to manage risk, but knowing where to start in building a Risk Management program. “What are my risks? Who determines the level of risk? Who needs to know? What actions need to be taken? Which processes need Risk Management?” Questions like these plague many organizations, and they will spend more time and effort in this phase than in any other when building a Risk Management program.
Enterprise Risk Management: Taxonomy of Risk
Taxonomy is an important part of the Enterprise Risk Management System process. A taxonomy is the method by which we categorize and aggregate the risks within the company. Categorizing risk lets an organization create a common set of risk types that can be used throughout the organization, not just in one operational area. This is the universal nature of Risk Management: it translates across all levels of the organization, and is a stable way of benchmarking compliance in every operational area. Some examples of common taxonomy categories are listed below; each category represents an area where a potential hazard or threat can exist:
Business processes
Capital infrastructure
Conflict of interest
Financial management
Governance and strategic direction
Human resources management
Information management
Information technology
Legal
Organizational transformation and change management
Policy development and implementation
Privacy / Information stewardship
Program design and delivery
Project management
Reputation
Resource management
Stakeholders and partnerships
Values and ethics
With this taxonomy in place, we can begin to categorize any risks and hazards that we identify as we begin our risk journey.
Start with Hazards: The Hazard Register
Before you begin with any element of risk management, you need to know where the trouble is, or might be. A hazard is defined as any situation that poses a threat to life, health, property or the environment; it is an undesired event. Every company has hazards, and the key is to determine what they are.
So how do most organizations determine this? They simply go out and ask. Survey the operational managers within the company about threats and hazards, gather a team to propose hazards that may affect the organization, or look at historical data for past events and the hazards that caused them. You can also seek external help for standard, common hazards within the industry, but give these less weight: what is a hazard for the industry may not necessarily apply to your organization.
Measuring Hazards through Risk Assessment and Risk Scenarios
With a library of hazards in the system, we now need to measure these hazards using risk. Risk is defined as the potential that a chosen action or activity will lead to an undesired event; it describes the conditions under which the hazard may present itself. Risk is essentially the probability that a hazard will occur, combined with the severity of the harm if it does.
With a library of hazards, we can use risk calculations to determine the level of risk each hazard presents, and a central library makes it easier to assess and rank the risks being calculated. This is usually done in the form of a Risk Assessment. A Risk Assessment is a formula or set of rules that determines how severe or frequent the hazard will be, and assigns a level to that threat, i.e. the Risk Level. A Risk Matrix is the most common method for determining risk levels, and provides a clear and easy-to-understand view of the risk of the undesired event.
Risk Scenarios Provide the Complete picture of Risk Management
To be truly effective, Risk Management needs to be a collaborative process. Most organizations create risk teams to review hazards and conduct Risk Assessments, and the process must go through a review and approval workflow. In a risk scenario, hazards are flagged and Risk Assessments are conducted. Hazards can occur in many areas within the organization (financial, operational, quality, compliance, etc.), and each area must be flagged and assessed, providing a level of risk on many dimensions. The resulting calculations present the overall risk of that hazard.
Building Controls into Risk Scenarios
Now that we have identified the undesired events (hazards) within the company and assessed the potential for each undesired event to occur (risk), how do we reduce the level of risk to an acceptable level? Controls are defined as the methods for evaluating potential losses and taking action to reduce or eliminate the potential for an undesired event. Organizations implement controls in many ways (new procedures, training, checklists, process changes, product strategies, business decisions and more); essentially these are processes designed with the reduction of the risk of that hazard in mind. One control can relate to many hazards, and one hazard can be covered by many controls. The goal is to reduce or eliminate risk before the undesired event occurs, and controls are put in place for this purpose. Controls can be preventive, to stop the hazard from occurring, or reactive, to recover from a hazard that has already occurred and to mitigate the overall impact or outcome of the event.
Acceptable Levels of Risk: Action Plans for Mitigation and Reduction of Current Risk
We have now created a roadmap for our current risk: hazards have a risk level associated with them, and we have controls in place to reduce the risk. But what if the risk level is higher than we would like it to be? How do we take action to reduce the risk to a level we consider acceptable?
The goal of Risk Management is not only to identify our risk, but to take steps to mitigate and reduce it to a level that is acceptable. Our current risk scenario may not yet achieve this: controls are in place to mitigate the risk, but what if we want to lower the risk beyond where it is today? Setting an acceptable level of risk is an important part of the Risk Management process.
However, what is considered “acceptable”? Companies interpret acceptable levels of risk differently. Most organizations will immediately recognize what is generally acceptable risk and what is generally unacceptable risk, but there is a “gray area” between those extremes that many companies try to quantify. There is no such thing as “risk free”; there is always some level of risk in any hazard or event. What we can do is determine the level of risk at which we can continue business operations effectively and logically, and set that as our lower threshold for risk. This threshold is usually described as “As Low as Reasonably Practicable” (ALARP), and it defines the middle region of a company’s risk foundation. With the levels of risk defined within the organization, the mitigation plan can then be set to conform to those levels.
Action plans are nothing more than projects: the tasks and deliverables necessary to ensure that the actions we take over time bring those risk levels down to our acceptable level. These could involve process improvement, employee training, operational change management, and many other measures that affect the risk of the listed hazard.
Risk Scenarios Are Process-Driven
As stated before, Risk Management does not operate in a vacuum; it requires a team to review and collaborate on levels of risk and the actions behind them. Risk Management is a continuous process, and requires review and approval of risk scenarios. Risk scenarios define risk for your organization, and they are not static; they change as your operations change and evolve. Any change in your business model will have an impact on risk scenarios. These changes affect how you interpret risk at every phase of your operation, so it is critically important that as you change processes, the risk scenarios change with them.
Risk Registers Become a Library of Risks
Taking our hazards, assigning risk levels to them, and putting controls in place to mitigate them is all part of a risk scenario. This is only the first step, however, in a Risk Management System. Once we have created a series of risk scenarios within the system, we need a place to store them centrally, so that when we actually encounter these events in our daily operations we can reference them and take action. The Risk Register is a library of all our risk scenarios, which enables us to review all the risks within the organization and begin to do analysis and trending on them. We can reference past risk scenarios to anticipate potential future risk events, and derive preventive actions for future risk mitigation.
Risk Dashboard and Risk Reporting
With the Risk Register in place as a comprehensive library of risks, this level of data on Risk Management is a valuable tool for the entire enterprise. Building a library of hazards and risk levels is only one part of the story; to be really effective, you need visibility into this data so that it can be analyzed and interpreted. Risk Reporting is a critical component of Enterprise Risk Management, and uses the data within the risk register to generate reports and metrics surrounding risk.
Risk reporting not only uncovers risk within one operational area; it lets you build risk reports that span operational areas and uncover trends you would not otherwise see without visibility into this data. Risks from one area can easily transfer to others, and seeing the implications and proactively mitigating risk is all part of risk reporting. Furthermore, you can build entire dashboards of risk rankings and risk scenarios, so that management can see which areas of the organization carry the highest risk, monitor where risk levels stand, and decide where to focus attention.
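The following is an added example (not code from the original article) that ties together the risk matrix, controls, ALARP thresholds and risk register described in the sections above: hazards tagged with a taxonomy category are scored on a constructed 5x5 likelihood-by-severity matrix, controls lower the inherent score to a residual score, each score is placed in an acceptable / ALARP / unacceptable band, and the register is summarized per category so the highest-risk area stands out. The matrix scales, the thresholds and the sample hazards are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed 5-point scales for the risk matrix; risk score = likelihood x severity.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
SEVERITY = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Constructed ALARP bands: <= ACCEPTABLE_MAX is broadly acceptable, > ALARP_MAX is
# unacceptable, and the region in between is ALARP, where an action plan is required.
ACCEPTABLE_MAX = 4
ALARP_MAX = 12

@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # preventive effect: matrix levels removed from likelihood
    severity_reduction: int = 0     # reactive effect: matrix levels removed from severity

@dataclass
class Hazard:
    name: str
    category: str                   # taxonomy category from the table above
    likelihood: str
    severity: str
    controls: list = field(default_factory=list)

def inherent_score(h: Hazard) -> int:
    """Risk matrix score before any controls are applied."""
    return LIKELIHOOD[h.likelihood] * SEVERITY[h.severity]

def residual_score(h: Hazard) -> int:
    """Risk matrix score after controls; neither axis can drop below 1."""
    lik = max(1, LIKELIHOOD[h.likelihood] - sum(c.likelihood_reduction for c in h.controls))
    sev = max(1, SEVERITY[h.severity] - sum(c.severity_reduction for c in h.controls))
    return lik * sev

def risk_level(score: int) -> str:
    """Map a matrix score onto the acceptable / ALARP / unacceptable bands."""
    if score <= ACCEPTABLE_MAX:
        return "acceptable"
    return "ALARP - action plan required" if score <= ALARP_MAX else "unacceptable"

def register_report(hazards: list) -> dict:
    """Risk register summary: highest residual score per taxonomy category."""
    report: dict = {}
    for h in hazards:
        report[h.category] = max(report.get(h.category, 0), residual_score(h))
    return report

def highest_risk_area(hazards: list) -> str:
    report = register_report(hazards)
    return max(report, key=report.get)

# Constructed sample register: three hazards from three taxonomy categories.
SAMPLE_HAZARDS = [
    Hazard("Unpatched internet-facing server", "Information technology", "likely", "major",
           [Control("Monthly patch cycle", likelihood_reduction=2),
            Control("Tested backup and restore procedure", severity_reduction=1)]),
    Hazard("Sole supplier misses delivery date", "Resource management", "possible", "moderate"),
    Hazard("Undeclared vendor relationship", "Conflict of interest", "unlikely", "minor"),
]
```

Note that the patched and backed-up server ends in the ALARP band with a residual score of 6, while the uncontrolled supplier hazard (score 9) becomes the highest-risk area in the report, which is exactly the cross-area trend that dashboards are meant to surface.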
Putting it all Together: Compliance Management and Risk Management Activities
With Enterprise Risk Management built into our system, organizations can plug the risk data into the processes of any operational area where the common threats are known. Risk built into the process ensures that normal operations take into account not only the daily operational needs, but also a new dimension, risk. As events enter the various compliance systems, you can draw from the Risk Registers and risk scenarios to assign levels of risk and make better decisions on each event. Once risks are quantified and decisions are made, you can influence change more effectively, and seek to mitigate or prevent risks from occurring (or recurring). Below is an example of how the Enterprise Risk Management System is built within a Compliance Management framework:
Risk Management is not an automatic process. It requires collaboration and communication from all areas of the enterprise to determine the level of risk and how to control the risks within your company. Many organizations assemble risk teams from all operational areas to determine hazards and threats, derive risk levels for those hazards, and put in place appropriate controls to mitigate the risks.
Enterprise Risk Management Systems attempt to build a framework for these risk activities and create a library of existing and potential risks, so that as you conduct operations within the business, you can incorporate risk into these processes and make better-informed decisions.