This is the first article in a series which will discuss the risk management process as outlined within the Risk management – Principles and guidelines Standard, ISO 31000:2009.
First, let’s start with a simple question: why is risk management important? The question is simple, but the answer is often less so.
Risk management is important because some risk-taking is inevitable if your business is to achieve its objectives. Businesses that are more risk aware appreciate that actively managing not only potential problems but also potential opportunities gives them a competitive advantage. Taking and managing risk is the very essence of business survival and growth.
So what is the risk management process? Put simply, it is a process that systematically applies management policies, procedures and practices to a set of activities intended to establish the context, communicate and consult with stakeholders, and identify, analyse, evaluate, treat, monitor and review risk.*
To recognise a risk, it is important to know what a risk is. While some risks apply to everyone, others will be specific to your business, and to identify and deal with them you need to establish a base to work from. This base is the context from which your risk analysis begins.*
According to ISO 31000, to establish the context means: “to define the external and internal parameters that organisations must consider when they manage risk.” *
ISO 31000 expects that you consider your organisation’s context when you:
- define the scope of your risk management program,
- formulate your risk management policy, and
- establish your risk criteria. *
Setting the context involves taking into account your business goals and capabilities as well as external factors, such as the changing legal environment and shifting social standards. In other words, you set the context in order to identify where your risks come from.
This is important because:
- risk management occurs within the context of endeavouring to achieve goals and objectives,
- failure to achieve those objectives is itself one set of risks that needs to be managed, and
- the goals and strategies help define whether a risk is acceptable or unacceptable.
This context sets the scope for your business’s risk management process.
So what do we need to look at when we are setting our context?
First, your business will need to undertake a self-analysis, which could include:
- Defining roles & responsibilities;
- Defining its goals and objectives;
- Defining the risk assessment methodologies;
- Defining the way performance is evaluated in the management of risks;
- Identifying and specifying the decisions that have to be made; and
- Defining the Governance and reporting process to be undertaken.
Secondly, your business will need an understanding of both the internal and external context in which it operates, so that it can better understand where its risks will come from.
The internal context takes into account all the internal considerations and factors that influence how you manage risk and pursue your business objectives. These could include your products, services, competition, finances, technology, customer segments and internal stakeholders.
The external context takes into account all the external considerations and factors. These could include external stakeholders, the political climate, legal and regulatory constraints, and environmental and cultural factors.
Any change to either the internal or the external context should trigger a review of your business’s risks in light of that change.
The importance of setting the correct context in which to start identifying business risks cannot be overstated. The more thoroughly this is done, the more thorough the resulting risk analysis will be; setting the wrong context is in itself a risk.
* Source: Praxiom Research Group Limited, http://www.praxiom.com/ (9619 100A Street, Edmonton, Alberta, Canada; phone (780) 461-4514).