Paul Hopkin. Fundamentals of Risk Management

Подождите немного. Документ загружается.

64 Introduction to risk management

Barclays ensures that it has the functional capacity to manage the risk in new and existing busi-

nesses. At a strategic level, our risk management objectives are:

To identify the Group’s material risks and ensure that business proﬁ le and plans are •

consistent with risk appetite.

To optimise risk/return decisions by taking them as closely as possible to the business, •

while establishing strong and independent review and challenge structures.

To ensure that business growth plans are properly supported by effective risk infra- •

structure.

To manage risk proﬁ

le to ensure that speciﬁ c

ﬁ nancial deliverables remain possible •

under a range of adverse business conditions.

To help executives improve the control and co-ordination of risk taking across the •

business.

Annual Report and Review 2008

Part 2

Risk strategy

Learning outcomes for Part 2

list the main parts of a risk management policy and describe the importance of each •

part;

explain the key components of the risk architecture, strategy and protocols (RASP) for •

an organization and how these ﬁ t

together;

outline the range of risk documentation and records that could be required and describe •

the function of each different type;

describe the nature, contents and use of a risk register and provide examples of the use •

of risk registers;

outline the key roles and responsibilities for risk management in relation to job roles •

and key departments, including the role of CRO;

describe a suitable risk architecture for a range of organizations, including the impor- •

tance of risk committees and risk communication;

describe the key features of a risk-aware culture ( • LILAC) and how the key components

can be measured;

66 Risk strategy

describe the components of evaluating risk maturity of an organization (4Ns) and the •

beneﬁ ts associated with greater risk maturity;

outline the importance of risk training and risk communication, including the use of •

risk management information systems (RMIS).

Part 2 Further reading

British Standard BS 31100 (2008) Risk management – Code of practice, www.standardsuk.com.

Health and Safety Executive (2005) A review of safety culture and safety climate literature for the

development of the safety culture, inspection toolkit Research Report 367, www.hse.gov.uk.

Institute of Risk Management A Risk Management Standard (2002), www.theirm.org.

Risk management policy

Risk architecture, strategy and protocols

This part provides information on the risk architecture, strategy and protocols (RASP) for an

organization. The most important component of the RASP is the risk management policy. The

RM policy will set out the overall strategy of the organization towards risk management, deﬁ ne

risk management roles and responsibilities and set out the protocols that should be followed.

Table 7.1 sets out key features of the risk architecture, strategy and protocols in more detail.

The risk architecture, strategy and protocols create the risk framework that supports the risk

management process. British Standard BS 31100 provides notes on the risk management

framework that state that it should include the objectives, mandate and commitment to

manage risk (strategy), and the organizational arrangements that include plans, relationships,

accountabilities, resources, processes and activities (architecture), and that the framework

should be embedded within the organization’s overall strategic and operational policies and

practices (protocols).

Most large organizations will document their risk protocols as a set of risk management guide-

lines. The range of guidelines that are required will vary according to the size and complexity

of the organization. The types of documentation that will need to be kept are as follows:

risk management administration records; •

risk response and improvement plans; •

event reports and recommendations; •

risk performance and monitoring reports. •

One of the standard documents produced by organizations as part of their risk management

initiatives is the risk register. Risk registers can be produced for a variety of operational, project

and strategic purposes. The likely format of the risk register is discussed in Chapter 8 and the

basic format is illustrated in Table 8.1.

68 Risk strategy

Table 7.1 Risk management framework

Risk management architecture

Committee structure and terms of reference

•

Roles and responsibilities •

Internal reporting requirements •

External reporting controls •

Risk management assurance arrangements •

Risk management strategy

Risk management philosophy

•

Arrangements for embedding risk management •

Risk appetite and attitude to risk •

Benchmark tests for signiﬁ cance •

Speciﬁ c risk statements/policies •

Risk assessment techniques •

Risk priorities for the present year •

Risk management protocols

Tools and techniques

•

Risk classiﬁ cation system •

Risk assessment procedures •

Risk control rules and procedures •

Responding to incidents, issues and events •

Documentation and record keeping •

Training and communications •

Audit procedures and protocols •

Reporting/disclosures/certiﬁ cation •

The working relationship between risk management and internal audit is critically important.

Risk management expertise rests in the assessment of risk and the identiﬁ cation of existing

and additional controls. Internal audit has its expertise in the evaluation of controls and the

testing of their efﬁ ciency and effectiveness. Successful implementation of a risk management

initiative will require close co-operation and understanding between risk management and

internal audit. The RASP should set out the details of how this close co-operation will be

achieved in practice.

The risk architecture deﬁ nes how information on risk is communicated throughout the organ-

ization. The risk strategy deﬁ nes the overall objectives that the organization is trying to achieve

with respect to risk management. The risk protocols are the systems, standards and proce-

dures that are put in place in order to fulﬁ l the deﬁ ned risk strategy.

Risk management policy 69

Risk management policy for a council

The council is aware that some risks will always exist and will never be eliminated; it

recognizes that it has a responsibility to manage risks (both positive and negative) and

supports a structured, systematic and focused approach to managing them by approval

of the risk management strategy.

In this way the council will:

demonstrate effective corporate governance;

•

better achieve its corporate objectives; •

enhance the value of services it provides to the community. •

The objectives of the council’s risk management strategy are to:

integrate risk management into the culture of the council;

•

manage risk in accordance with best practice; •

anticipate and respond to changing social and legislative requirements; •

prevent injury, damage and losses, and reduce the cost of risk; •

raise awareness of risk with all involved with delivery of council services. •

These objectives will be achieved by:

establishing clear roles, responsibilities and reporting lines;

•

providing opportunities for shared learning on risk management; •

offering a framework to direct resources to identiﬁ ed priority risk areas; •

reinforcing the importance of risk management as part of every task; •

increasing awareness of employees by offering training; •

incorporating risk management into business planning; •

incorporating risk considerations into partnerships and projects; •

monitoring risk management arrangements on an ongoing basis. •

Risk management policy

The risk management policy sets out the risk strategy, and an illustration of suitable contents

for a risk management policy is set out in Table 7.2. The risk management policy should facil-

itate successful implementation of risk management in the organization. The policy should

conﬁ rm the protocols for undertaking the activities, as set out in the risk guidelines for the

organization. The risk guidelines may be produced as a separate set of documents, so that they

can be more easily updated.

70 Risk strategy

Table 7.2 Risk management policy

A risk management policy should include the following sections:

Risk management and internal control objectives

•

Statement of the attitude of the organization to risk (risk strategy) •

Description of the control environment •

Level and nature of risk that is acceptable •

Risk management organization and arrangements (risk architecture) •

Arrangements for communicating risk information •

Standard procedures for risk recognition and rating (risk assessment) •

List of documentation for analysing and reporting risk (risk protocols) •

Risk mitigation requirements and control mechanisms •

Allocation of risk management roles and responsibilities •

Criteria for monitoring and benchmarking risks •

Allocation of appropriate resources •

Risk priorities and performance targets •

Risk management calendar of the coming year •

The risk management policy should set out the strategy that the organization is seeking to

achieve with respect to risk management, together with the systems and procedures that will

be put in place to monitor performance, as well as the means for reporting and communicat-

ing on risk management. It will, in effect, deﬁ ne the context within which risk management

activities take place.

A range of risk management guidelines will need to be produced, and a typical set of guide-

lines is listed in Table 7.3. The risk guidelines provide more information on how the risk

protocols should be interpreted and how they should be delivered. The detailed risk guide-

lines will set out:

risk assessment procedures; •

risk control objectives; •

risk resourcing arrangements; •

reaction planning requirements; •

risk assurance systems. •

Risk management policy 71

Table 7.3 Risk management protocols

1. Risk assessment procedures

Turnbull procedures

•

Response to signiﬁ cant risks •

Projects and CapEx approvals •

Procedures for strategy and budgets •

2. Risk control objectives

Brand management guidelines

•

Health and safety at work •

Environmental protection •

Contract risk management •

3. Risk resourcing arrangements

Opportunity management

•

Project resource allocation •

Insurance programme •

Captive insurance company •

4. Reaction planning requirements

Loss and claims management

•

Disaster and recovery planning •

Cost containment procedures •

Risk management record keeping •

5. Risk assurance systems

Maintenance of risk register

•

Corporate RM committee •

Terms of reference for audit committee •

Control self-certiﬁ cation arrangements •

The framework or risk architecture that has been set up to achieve adequate management of

risks should also be presented in the risk management policy. It will then be for the individual

companies within the group to operate within the established framework and arrange their

own additional policies, procedures and protocols as necessary. Speciﬁ cally, the risk manage-

ment policy should include details of at least the following:

the board member responsible for risk management; •

language and perception of risk in the organization; •

framework for identifying signiﬁ cant

risks; •

role of the risk manager and internal auditors; •

72 Risk strategy

terms of reference for the risk management committees; •

risk management structure or architecture. •

Many organizations ﬁ

nd that it is necessary to update the risk management policy each year.

This is undertaken for a number of reasons, including the desire to ensure that risk manage-

ment activities and the overall risk management approach is in line with current best practice.

Updating the risk management policy every year also gives the organization the opportunity

to identify the risk priorities for the coming year and ensure that appropriate attention is paid

to the signiﬁ cant

risks.

Issuing the risk management policy every year also ensures that the board pays appropriate

attention to risk management and that the organization understands that it is a dynamic activ-

ity that requires constant management attention.

Risk management architecture

The risk management structure of an organization can be described as the risk architecture.

The risk architecture sets out lines of communication for reporting on risk management issues

and events. It is vital that the risk architecture reinforces the fact that the responsibility for

managing risks remains with the owner of that risk.

So that risk management can be fully embedded into the processes and operations of an organ-

ization, a clear statement of risk management responsibilities is required. Also, as part of the

analysis of each signiﬁ cant risk, risk management responsibilities need to be clearly allocated

to the following aspects of managing that risk:

development of risk strategy and standards; •

implementation of the agreed standards and procedures; •

auditing compliance with the agreed standards. •

The risk architecture can be represented diagrammatically as a means of identifying the com-

mittees with risk management responsibilities and the relationships between those commit-

tees. The importance of the risk architecture of an organization will be discussed later in this

Part and examples of typical risk architectures will be provided.

Risk management strategy

It is important for an organization to have a clearly establish strategy in relation to risk man-

agement. The strategy needs to be based on the overall approach of the organization to risk

Risk management policy 73

and risk management. An important component of that risk strategy will be the arrangements

for ensuring risk management input into strategy, projects and operations.

In order to establish the risk management strategy, important decisions will need to be made

about the risk appetite of the organization. Risk appetite will be discussed in more detail in a

later chapter. The risk appetite will be based on the opportunity investment, control accept-

ance and the hazard tolerance of the organization.

It is important that the risk appetite is within the total risk capacity of the organization. Deci-

sions will need to be taken on how the risk capacity will be calculated. Also, thought will need

to be given to how the total risk exposure of the organization will be recorded and used in

decision-making processes. Measurement of the total risk exposure of an organization is an

important feature of operational risk management, as discussed in a later chapter.

There are important decisions to be made in relation to the risk processes that will be adopted

by the organization, as well as decisions about the design and implementation of the risk man-

agement initiative that will be undertaken in order to fulﬁ l the requirements of the risk strat-

egy.

Risk management protocols

The risk management policy will set out responsibilities for risk as well as the arrangements for

implementing the policy. Risk management protocols will be set out in a series of risk guide-

lines and these are described in a later chapter.

Procedures and protocols for undertaking the assessment of risks to strategy, projects and

operations will need to be established in writing. The organization will also need to produce

guidance on the frequency and nature of risk reports and who is responsible for compiling the

information.

Typically, the risk management protocols will need to be reviewed on an annual basis, so that

they are kept up to date. The risk protocols should also describe the extent of record keeping

that is required. The range of risk management documentation that may be necessary is exten-

sive and Table 7.4 provides an overview of the types of documents that may be appropriate.