Paul Hopkin. Fundamentals of Risk Management

Подождите немного. Документ загружается.

74 Risk strategy

Table 7.4 Types of RM documentation

Risk administration

Risk management policy (and priorities)

•

Speciﬁ c risk statements (health and safety policy) •

Terms of reference of the risk/audit committees •

Risk protocols and procedures •

Risk awareness training records •

Risk response

Results of risk assessments (risk register)

•

Risk control standards •

Risk improvement recommendations •

Risk assurance reports •

Business continuity plans/disaster recovery plans •

Event reports

Loss/claim reports and recommendations

•

Legal and litigation reports •

Enforcement action/customer complaints •

Incident and near-miss investigations •

Business performance reports/key performance indicators •

Risk performance

Control risk self-assessment (CRSA) returns

•

Audit procedures and protocols •

Internal audit reports •

Unit risk management reports •

External disclosure reports •

Risk management guidelines

Table 7.3 indicates the extent of risk management guidelines that may need to be produced by

an organization. This should not be seen as an exhaustive list and other types of guidelines

may be necessary, depending on the exact nature of the organization and the risk strategy that

it is following.

Preparation of a risk management policy is a good opportunity for an organization to estab-

lish detailed procedures on a range of risk management topics, as well as setting out the risk

Risk management policy 75

management priorities for the following year. For example, many organizations produce an

annual health and safety and/or environmental policy and this should be an integral part of

the risk management documentation.

Many organizations face signiﬁ cant risks that need routine or even constant management

attention. This is particularly true in the case of hazard risks, where the health and safety

policy, business continuity plans and disaster recovery plans (for example) need to be rou-

tinely updated.

For many organizations, the risk guidelines will be established in writing. Other organizations

will operate a more informal means of embedding risk management into management activi-

ties. The risk guidelines will often include details of the risk management structure in place in

the organization. Also, details of the risk strategy and risk protocols will need to be included in

the risk guidelines. The guidelines should also include details of the (internal) control respon-

sibilities of managers.

The structure described in Table 7.3 reinforces the importance of the activities involved in the

risk management process. Each of these activities produces several outputs, and the required

outputs can be discussed in the risk guidelines.

The guidelines need not include a set of risk-control or loss-control standards, but should

describe how risk control decisions will be taken, implemented and audited. In fact, the risk

guidelines for a diverse group of companies cannot include physical control requirements and

standards. Each unit, division or department should set its own standards for risk control,

including health and safety, ﬁ re safety, physical security, information security and environ-

mental protection. This may be appropriate because of the diverse nature of the different units

within the organization.

The risk guidelines should deﬁ ne the means by which embedded risk management is to be

achieved in the organization. The setting of strategy, standards and procedures needs to be

undertaken within the framework of the risk guidelines. The format for the risk guidelines will

depend on the organization and the nature of the risks that it faces. Typically, these guidelines

will contain information on at least the following:

ﬁ nancial and authorization procedures; •

insurance arrangements; •

managers’ control responsibilities; •

project risk management; •

incident reporting and investigation; •

event and reaction planning; •

physical risk control objectives and responsibilities. •

Risk management documentation

Record of risk management activities

Table 7.4 sets out the range of risk management documentation that may need to be kept by

an organization. In order to successfully embed risk management, it is necessary to maintain

a range of risk management records. These records will include details of various risk manage-

ment activities, including:

risk management administration; •

risk response and improvement plans; •

event reports and recommendations; •

risk performance and certiﬁ cation

reports. •

Embedded risk management will be achieved when the cycle of risk management activities is

fully aligned with the planning cycle of the organization. A primary purpose of risk guidelines

is to help managers understand the risk management framework of the organization. This

understanding will ensure that managers pay appropriate attention to risk implications when

making decisions.

The risk guidelines for the organization also provide practical guidance to managers on how

to fulﬁ

l their risk management responsibilities. Keeping necessary records will allow the organ-

ization to demonstrate the successful implementation of the risk guidelines. The risk admin-

istration documentation should extend to (at least) the items listed in Table 7.4.

It is not the intention that the keeping of risk management records should become overly

bureaucratic or burdensome. However, adequate records need to be kept so that the informa-

tion is available for decision making, necessary advice for managers is available and conﬁ rma-

tion can be provided to auditors that necessary controls have been correctly implemented. The

importance of record keeping is highlighted below.

Risk management documentation 77

Importance of records

There are many beneﬁ ts to be gained from implementing records management.

Records management is a key driver in increasing organizational efﬁ ciency and offers

signiﬁ cant business beneﬁ ts. Records management:

reduces the time spent by staff looking for information; •

facilitates the effective sharing of information; •

reduces the unnecessary duplication of information; •

identiﬁ

es how long records need to be kept; •

optimizes the legal admissibility of records to defend malicious litigation; •

supports risk management and business continuity planning. •

In short, records management improves control over information assets, frees up staff

time and other resources, and helps protect individuals and the organization from

various risks. Records management means that too much reliance is not placed on the

memories of a few individuals.

Risk response and improvement plans

The only reason for undertaking a risk assessment is so that current controls can be validated

and the need for any further actions to improve control of risk can be identiﬁ ed. The risk reg-

ister is the means of recording information on current controls and details of intended addi-

tional controls. It is important that the risk register should not become a static document. It

should be treated as a dynamic element and considered to be the risk action plan for a unit or

the organization as a whole.

As well as risk response plans, information will also need to be recorded about the responsibil-

ity for individual controls. If additional controls are required, then the deadline, as well as the

responsibility, for the implementation of those improved controls should be recorded.

A later part of this book considers risk response options in more detail. For hazard risks and

control risks, the risk register is the location for recording details of the signiﬁ cant threats.

Detailed analysis of risk improvement plans will be required. Often, risk improvement plans

will require capital expenditure, and this may need to be approved via the expenditure author-

ization procedures in the organization.

It has become standard practice to produce a risk register for projects, especially for construc-

tion and software projects. Risks to construction and software projects can create a lot of

uncertainty and the risks will usually be control risks. Again, the record of the actions taken to

minimize the uncertainty should be a dynamic one, and further actions should be planned.

78 Risk strategy

Event reports and recommendations

Event reports, analysis and recommendations are related to recording details of the events that

occur and managing the consequences of those events. Details of incident investigations and

analysis of the performance of business operations, together with risk improvement recom-

mendations, are all covered by this type of risk management documentation. Risk improve-

ment recommendations address signiﬁ cant control weaknesses and aim to eliminate the

potential for future material or signiﬁ cant failures.

Recording of events is an important activity, especially in relation to hazard risks. Also, record-

ing and analysing events during a project will be vitally important. Event reports are most rel-

evant to hazard and control risks. Annual evaluation of risk performance will also give rise to

reports that require detailed analysis. Evaluation of risk performance is an important role for

internal audit.

Clinical risk management is a well-developed branch of the risk management discipline. Accu-

rate record keeping is vital in order to identify that appropriate risk mitigation actions have

been put in place, as well as to provide records of any clinical mishaps that occur. The box

below provides an overview of the importance of record keeping in relation to managing clin-

ical risk.

Managing clinical risk

Even if all adverse clinical events could be avoided, the legal cost of malpractice

litigation cannot be eliminated. While very few negligent injuries lead to claims, there

are many negligence claims in cases where there was no injury and no negligence. This

means that, if the right risk management processes and systems are in place, hospitals

and doctors should be able to rebut allegations of negligence in these circumstances

and successfully argue that no compensation payment should be made.

The implementation of risk management activities in hospitals is the immediate

responsibility of hospital management. Nevertheless, doctors have a vital role to play

by developing an understanding of the importance of risk management and helping to

devise a practical approach to recording that procedures have been followed and any

incidents have been recorded.

Risk management documentation 79

Risk performance and certiﬁ cation reports

Risk performance and certiﬁ cation reports include consideration and analysis of preliminary

reports of the results of operations, as well as more formal declarations and certiﬁ ed reports to

stakeholders. In some cases, certiﬁ cation of the results of operations of the organization will

be undertaken as a formal attestation of the results of operations. This approach is required by

the Sarbanes–Oxley Act in relation to ﬁ nancial reporting.

This attestation will often be undertaken by a third party, such as an external auditor. Such an

attestation could also relate to an evaluation of the effectiveness of the control activities. Cer-

tiﬁ cation of performance is considered in more detail in Part 6 of this book.

Management will be interested in receiving details of risk performance. This will be especially

important when the organization is exposed to a portfolio of risks that bring the total risk

exposure close to the limit of the risk appetite and/or risk capacity of the organization. For

example, an organization may have budgeted for a certain level of loss in relation to hazard

risks. If this budget is challenging, then careful monitoring of losses will be required in order

to ensure that the exposure to the speciﬁ c type of hazard risk is not being exceeded.

The hazard tolerance may be limited and so the organization will need to monitor hazard

losses very carefully. For example, a transport company will need to monitor the number of

motor vehicle accidents and the breakdown frequencies related to the vehicles run by the

company.

Designing a risk register

The use of risk registers has become established practice for many risk managers. There are

disadvantages associated with the use of risk registers, including the danger that the informa-

tion recorded in the risk register will not be used in a dynamic way. The risk register could

become a static record of risk status, rather than the risk action plan for the organization.

A risk register is deﬁ ned in the ISO Guide 73 as the ‘document used for recording risk man-

agement process for identiﬁ ed risks’. The guide adds that the purpose of the risk register is

to facilitate ownership and management of each risk. Typically, the risk register will cover

the signiﬁ cant risks facing the organization or the project. It will record the results of the

risk assessment related to the process, operation, location, business unit or project under

consideration.

When a risk assessment is undertaken of strategic options, it is more usual for the risk assess-

ment to be used as part of the decision-making process. Typically, this information will not be

recorded in the format of a risk register, but will be presented to the decision maker as part of

the full range of information available for making that strategic decision.

80 Risk strategy

The purpose of the risk register is to form an agreed record of the signiﬁ cant risks that have

been identiﬁ ed. Also, the risk register will serve as a record of the control activities that are cur-

rently undertaken. It will also be a record of the additional actions that are proposed to improve

the control of the particular risk.

Other information about risks will also be included in the risk register. Although there is no

ﬁ xed format for this document, Table 8.1 provides an outline of a basic format for a risk reg-

ister. It may not be necessary to include all of the risk description information set out in the

table in the risk register, as this could make it a complex and clumsy document.

Table 8.1 Format for a basic risk register

Risk

index

Risk description Current level of risk Controls in place

Likelihood Magnitude Overall

rating

1. Serious trafﬁ c accident

involving the transport

of fuel/explosives.

Anticipate fatalities and

evacuation of 1-km

radius, depending on

substances involved.

Potential for release of

up to 30 tonnes of

liquid fuel into local

environment.

Low High Medium Police emergency

•

plans

Highway Agency

•

plans

Local authority

•

emergency plan

Company emergency

•

response

Liaison with the

•

family of staff

Notiﬁ cation to

•

customers

2. Storm-force winds

affecting transport

routes for up to 6

hours. Anticipate that

most roads in the

vicinity will be closed

or restricted. Journey

times will be extended

and late deliveries

probable.

Medium Medium Medium Police emergency

•

plans

Highway Agency

•

plans

Investigate weather

•

forecast

Liaison with the

•

family of staff

Notiﬁ cation to

•

customers

Risk management documentation 81

Risk registers can be compiled in a number of formats, depending on the type of risk assess-

ment that is being recorded. Table 8.2 provides an example of a partially completed risk regis-

ter for a sports club and Table 8.3 provides an example of a risk register for a hospital.

Table 8.2 Risk register for a sports club

Risk

index

Risk description Existing control

measures

Current

level

Further

actions

planned

Owner

Financial risks

1.1

Insufﬁ

cient funds for

suitable new players

• High •

1.2 Pension fund

inadequate to meet

liabilities

• Medium •

Infrastructure risks

2.1 Loss of highly

respected young

manager

• High •

2.2 Building of the new

stadium is delayed

• Low •

Reputational risks

3.1 Complaints that

merchandise is too

expensive

• Low •

3.2 Club supporters riot

at an away game

• Medium •

Marketplace risks

4.1 New range of

merchandise is

unattractive

• High •

4.2 Fans favour other

activities rather than

club attendance

• Low •

82 Risk strategy

Table 8.3 Risk register for a hospital

Risk

index

Risk description Current level of risk Risk rating

Likelihood Magnitude Overall

rating

1. The roofs on

operating theatres 3

and 4 are leaking

because of poor

condition, resulting in

disruption to the

surgery lists and

non-achievement of

waiting times.

High High High Ingress of water can lead

to loss of theatre facility,

with cancelled

operations, loss of key

activity and threat to

waiting time targets.

With high incidence of

rain, it is likely that

between 1 and 7 days

surgery time will be lost.

Problems in the last 2

years suggest that the

failure will occur twice

per year.

2. Progress towards

achievement of

standards in

children’s care will

remain unsatisfactory

due to failure to

implement action

plan for improved

facilities, resulting in

children receiving

care below the

national standards.

Medium Medium Medium The perception of

patients of the current

environment is good and

the level of care provided

is good.

Robust action needs to

be taken to ensure that

standards do not become

unsatisfactory.

At its most simple, the risk register can be stored as a document held on computer. However,

there are many more sophisticated forms of risk registers, including records of signiﬁ cant risks

held on databases. Where quantiﬁ cation of exposure is required, then a simple risk register

held as a document is unlikely to be sufﬁ cient. This is true of systems for recording operational

risks, where quantiﬁ cation of risk exposure is required.

Risk management documentation 83

Using a risk register

A well-constructed and dynamic risk register is at the heart of a successful risk management

initiative. However, there is a danger that the risk register may become a static document that

records the status of risk management activities at a moment in time. The practical implica-

tions of this are that senior management may consider that attending a risk assessment work-

shop and producing a risk register fulﬁ ls their risk management obligations and no ongoing

actions are required.

It is better to think of the risk register as a risk action plan that records the status of the organ-

ization with respect to risk management, but also provides a record of the critical controls that

are in place, together with the details of any additional controls that need to be introduced. In

producing such a risk action plan, the responsibility for undertaking the actions identiﬁ ed will

be clearly established.

The next part considers the options for the use of a risk management information system

(RMIS) to record the information held in the risk register. Also, the information held in the

risk register may be available on the intranet of the organization and this will help with risk

understanding and communication. In some organizations, the risk register is given the status

of a controlled document to be used by Internal Audit as one of the key reference documents

for undertaking an audit of risk management activities.

Even if this is not the case, the information set out in the risk register should be very carefully

considered and constructed. For example, the risks set out in the register need to be precisely

deﬁ ned so that the cause, source, event, magnitude and impact of any risk event can be clearly

identiﬁ ed. Also, the existing control activities, together with any additional controls that are

proposed, must be described in precise terms and accurately recorded.

Risk control activities should be described in sufﬁ cient detail for the controls to be auditable.

This is especially important when the risk register relates to the routine operations undertaken

by the organization. Risk registers should also be produced for projects and to support strate-

gic decisions.

A project risk register has to be a very dynamic document. An example of a project risk register

is provided in Table 8.4. Details of the risks faced by the project, as recorded in the risk regis-

ter, should be discussed at every project review meeting. As well as risk registers being relevant

to projects, they should also support business decisions. In this case, the precise format of a

risk register may be less formal. When a strategic decision has to be taken at board level, the

risk assessment of that strategy should be attached to the proposal. This risk assessment could

include both the risks of undertaking the strategy and an analysis of the risks associated with

not undertaking the proposed strategy.