Introduction to the ISO Risk Management Framework

The importance of risk management is recognized by the publication in 2009 of an International Standards guide, ISO 31000 Risk Management—Principles and Guidelines, developed by a work group of international experts from more than 30 countries. The same working group also revised ISO Guide 73 (2002) in 2009, and it provides definitions for risk management.

This chapter is based on the ISO risk management framework rather than attempting a comprehensive historical review and development of a state-of-the-art ERM framework. The ISO framework is current best practice for risk management frameworks. It incorporates best practice from COSO, PMI (Project Management Institute), the Australian and New Zealand Standard (AS/NZS 4360:2004) and other leading international risk management standards.

While ISO 31000 leaves some latitude to the organization for the specific framework and associated risk management process, it is expected that the generic ISO framework would be followed and the organization’s ERM framework would be easily recognized as an ISO 31000 framework. This is necessary in order to realize the benefits of common understanding based on standard terminology and processes.

The overarching concept of the ISO ERM framework is that the risk management in an organization is fully integrated into the management and direction of the organization, risk management is just one aspect of management and is just one more tool available to managers besides tools for: operations, finance, planning, human resources, and so forth. Risk according to ISO’s general definition is “effects of uncertainty on objectives.” It is expected that any decision will involve a routine and appropriate consideration of the associated risks and their possible treatment along with consideration of impacts on objectives, which are not uncertain. Risk management is not an add-on step but rather is fully integrated and embedded in all decision processes.

Uncertainty in risk may involve uncertainty of objectives and their measures, effectiveness of controls, the nature of events and their consequences, stakeholders’ views, or uncertainty of any sort. Risk management seeks to enhance the likelihood of positive consequences and reduce the likelihood of negative consequences as defined by the organization’s objectives.

Any decision by any manager can have either positive or negative effects on the organization’s objectives. The uncertain consequences of a decision, positive and/or negative, are inextricably bound to each other and cannot be separated. Expressions such as “run a risk,” “take a risk,” “faint heart ne’er fair maiden won,” “take a chance,” all describe the uncertainty of a decision outcome. “You pay your money and take your choice.” Then you wait for the future to unfold and add up the positive and negative consequences, to see if according to your objectives, it was a good choice or not.

An “opportunity” is a situation where, on balance of probabilities, the net expectation is a favorable decision outcome A “threat” is a situation when, on balance of probabilities, the net expectation is an unfavorable outcome. Both opportunities and threats have associated risks.

The organization first examines the external and internal context in which it operates. Then the organization reviews its objectives, including any risk-specific objectives. Risk criteria that are used to determine the acceptability or tolerability of a risk, in deciding either to pursue an opportunity or respond to a threat, are based on the objectives.

The ISO framework can accommodate profit-seeking organizations as well as regulators who exist only to protect the public from harm. The later organizations may focus primarily on negative consequences although it is recommended that they consider also positive consequences such as trust of public, cost-effectiveness of controls, and so on. The reason for this flexibility in application is because the risk framework is driven by objectives and those objectives can accommodate any goals, purposes, limitations, zero tolerance criteria, absolute priorities, and so on.

The ISO standard’s risk management process can be applied to the whole organization, to part of the organization, to particular types of risk in isolation, or to a specific asset, project, or activity. The standard recognizes that management of risk is more effective if it is conducted in a consistent manner across an organization as defined by the ERM framework.

Principles of Risk Management and Excellence in Risk Management

The ISO framework is principle-based rather than prescriptive. It provides a general framework for ERM with the expectation that individual countries, industrial sectors, and organizations will craft their own detailed and specific frameworks to their own unique situations. The principles have their own chapter in the ISO standard and are expanded in an annex on excellence in risk management.

The overarching ISO principle is that risk management should have net value to the organization. Risk management should make money, enhance reputation, contribute to public safety, improve sustainability, generally enhance benefits, and reduce harm. It does this by improving the decision makers’ understanding of the effects of uncertainty on objectives, devising risk treatments that are objective-effective, and doing monitoring, review, and improvement of risks and controls.

To illustrate the issue of uncertainty/risk and value, consider a study of dams constructed by the U.S. Bureau of Reclamation. The study compared planning estimates prior to construction with data for the projects once built and in operation. The study found that if in the planning period the Benefit to Cost ratio was 1.0 there was only a 17 percent chance the actual project would break even. A prior Benefit to Cost ratio of 4.0 (benefits exceeding costs by 300 percent) was needed to achieve a 95 percent probability of achieving a Benefit to Cost Ratio of 1.0 or break even. The benefits were systematically overestimated and the costs were systematically underestimated (James and Lee 1971). Effective risk management should reduce these biases and improve the estimates of actual value.

Based on a comprehensive analysis of existing principles for risk management the ISO Working Group identified 10 principles for risk management (after ISO 31000, clause 4):

1. Creates value for objectives of health, reputation, profits, compliance, and so on, less the costs of risk management.
2. Is an integral part of organizational processes including project management, strategic planning, auditing, and all other processes.
3. Is part of decision making through analysis and evaluation to understand risk and determine its acceptability as treated.
4. Explicitly addresses uncertainty and how it can be modified.
5. Is systematic, structured and timely and produces repeatable and verifiable outcomes and decisions.
6. Is based on the best available information including historical data, expert opinion, stakeholder concerns, and so forth, tempered with the quality and availability of the information.
7. Is tailored to the organization, its objectives, its risks, and its capabilities.
8. Takes human and cultural factors into account in addition to technical and other “hard” factors that impact the likelihood of consequences.
9. Is transparent and inclusive so that communication and consultation with stakeholders and others keeps the risk management and risk criteria current and relevant.
10. Is dynamic, iterative and responsive within a “continuous improvement” environment that responds to changes in context, trends, risk factors and other internal and external factors.

These principles provide the basic attributes for an ERM, however, as the organization implements an ERM framework it will exhibit characteristics of “risk maturity” in addition to adherence to the principles. In ISO 3100, Annex A describes the excellence characteristics and evidence for their existence and change in an organization. The excellence characteristics are:

• Continuous improvement in the framework using a formal process.
• Accountability for risks with readily available lists of risk owners.
• Use of the RMP in all decision making with documentation as appropriate.
• Constant communications about risk, risk controls, and other “of possible interest” aspects of RMP.
• High profile for risk management as a core commitment in the organization.

ERM Framework: Concept and Elements

The underlying concept in ISO 31000 for an ERM framework is a quality management approach using the Deming paradigm of Plan-Do-Check-Act (PDCA) (Deming 1986). The quality of decision making in an organization is enhanced through continuous improvement of the risk management framework. The framework is designed, implemented, monitored, and continuously improved following the PDCA approach.

The ERM framework in an organization supports the risk management process for decision making in the organization. The framework also aggregates information on risks, risk management, and performance of risk controls in the organization. The Risk Management Process (RMP) is the key element of the ERM framework. The RMP ensures that risk management and the operation of risk controls will increase good consequences and reduce bad consequences within a continuous improvement cycle.

The framework has to be practical. Managers are usually overworked and one extra responsibility for which they are accountable needs to be manageable if it is to be done effectively. Overly prescriptive approaches, while comprehensive and detailed, may be too onerous and counterproductive. Therefore a principle-based approach is used and adopted to the circumstances. Successful frameworks are usually simple to understand and to implement yet allow for sophistication and subtlety in their application and continuous improvement. As a general rule efforts in risk management should be proportional to the magnitude of the risk and/or the benefits of the risk controls including impacts on stakeholders.

The framework and RMP should use standard terminology and processes. Where possible, ISO Guide 73 terminology should be used and if other terms are used then a link should be made to ISO terminology. For example, if “environmental scan” is used then it should be linked to the ISO term “external context” so the relationship to the framework is clear. Many shortcomings of current risk management are due to the use of nonstandard terminology and the resulting ineffective communication, lack of understanding, and less innovation.

An ERM framework has seven components:

1. Mandate and commitment to the ERM framework.
   1. Agreement in principle to proceed with ERM.
   2. Gap analysis.
   3. Context for framework.
   4. Design of framework.
   5. Implementation plan.
2. Risk management policy
   1. Policies for the ERM framework, its processes and procedures.
   2. Policies for risk management decisions:
      • Risk appetite.
      • Risk criteria.
      • Internal risk reporting.
3. Integration of ERM in the organization.
4. Risk Management Process (RMP).
   1. Context.
   2. Risk assessment (identification, analysis, and evaluation).
   3. Risk treatment.
   4. Monitoring, review, and actions.
   5. Communications and consultation.
5. Communications and reporting.
6. Accountability.
   1. Risk ownership and risk register.
   2. Managers’ performance evaluation.
7. Monitoring, review, and continuous improvement.
   1. Responsibility for maintaining and improving ERM framework.
   2. Approach to risk maturity and continuous improvement of ERM framework.

Exhibit 7.1 illustrates a typical framework for an organization to implemented ERM according to ISO 31000 (Broadleaf 2008). It shows in addition to the main components of an ERM framework, other processes and functions necessary for implementation and continuous improvement. It is expected that each organization will customize the ISO framework to suit their organization’s structure, roles, and responsibilities, with a view to making integration of risk management easier and more effective.

In Exhibit 7.1 the outer set of four boxes is a “Plan-Do-Check-Act” (PDCA) format modified for implementing an ERM framework in an organization, namely: “Commit & Mandate” (Act); “Communicate & Train” (Do); “Structure & Accountability” (Do); and “Review & Improve” (Check and Act). The plan step is not shown directly but it results in the framework design shown in Exhibit 7.1.

The inner set of five boxes in Exhibit 7.1 is the RMP from ISO 31000. It is used for any decision in the organization. RMP has tasks or activities of “Establish context,” “Risk assessment,” “Treat risks,” “Communicate and consult,” and “Monitor and review.” Exhibit 7.1 illustrates the relationship between the ERM framework and the RMP, which is a component of the ERM framework. There is also an administrative activity shown: “Management Information System,” which provides the interface between the organization’s overall risk management framework and the hundreds or thousands of RMPs within the organization. The risk management information system acts to roll up all the risks in the organization for purposes of risk appetite, as well as roll down the framework to the individual risk and control owners for purposes of local risk criteria.

Risk Management Process: Context

The context for the risk management process is a relatively new risk management activity, first introduced in the 2004 New Zealand and Australia Risk Management Standard. It builds on the framework-context for the organization where the organization-wide risk appetite is formulated and the risk management environment of the organization is defined. The context looks at the laws, market, economy, culture, regulations, technology, natural environment, stakeholders’ needs, issues, and concerns, and basically anything that could impact the objectives, risk criteria, or other risk management activities.

The main output of context is the risk criteria to be used to determine the acceptability of the risks. A second output of the context activity may be the specification of the other risk management activities, such as communication and consultation and risk assessment.

The risk criteria is used to evaluate the significance of the risk by comparisons against the risk with existing controls or the risk with proposed treatments. If the comparison leads to the decision that the risk is not acceptable then further risk treatments are considered. In some cases the risk cannot be modified to make it acceptable and in this case the risk criteria is shifted from acceptance mode to tolerability by posing the question “Is there some possible level of risk that while not acceptable can be tolerated?” In the case of negative consequences this may be ALARA (As Low As Reasonably Achievable), BAT (Best Available Technology), and other approaches to determine the tolerability of risks.

The context may be organized into three categories:

1. The external context—anything outside the organization that must be taken into account in risk management, including stakeholders, regulations, contracts, trends in business drivers, local culture and social norms, employment situations, and competition.
2. The internal context—anything inside the organization that must be considered in the RMP, including capabilities, resources, people and their skills, systems and technologies, information flows, decision-making processes (formal and informal), internal stakeholders, policies and strategies within the organization, and other constraints and objectives.
3. The risk management context—any activity in the RMP that requires attention in seeking to find the appropriate level of risk and associated risk treatments, controls, monitoring, and review. This includes responsibility for the risk, scope of the RMP, linkages of the product or service to other products and services in the organization, risk assessment methods to use (may be specified by regulations, industry norms, stakeholder requirements such as business plan formats, etc.), the time available for the RMP, background studies that may be needed, coordination with communication and consultation task as well as the monitoring and review task, and other processes and procedure matters.

The context as with other RMP tasks must be practical and within the value-added parameters of the organization. This may involve the standardization of RMP tasks including boiler plate context and checklists, with brainstorming for additional items. In many cases guidance will be found from best practice, industry norms, conferences, special software tools, and other opportunities for discovering “good” approaches.

Risk Management Process: Risk Assessment

Risk assessment involves three tasks. It is not possible here to do more than describe in very general terms the objectives of each task and possible approaches to these tasks. For instance for business and finance organizations, nongovernment organizations, or for agricultural organizations there are whole books dedicated to methods for the three tasks:

1. Risk identification. Risks associated with any decision must be identified and placed in a risk register or risk log before they can be treated, even if it is later determined that the risk levels with existing controls are acceptable. It should be assumed that not all risks will be identified and like any of the RMP activities there needs to be provision for monitoring and review to add risks to the register. Risk identification may use historical data, often categorized in terms of credit risks, operation risks, market risks, technological risks, human behavior risks, country risks, and other convenient mutually exclusive categories that assist in risk identification. Risk names may help stakeholders relate to the risks and have the potential to improve the effectiveness of controls. In many cases risks will be described in aggregate terms representing hundreds or more subrisks. Risk identification may use brainstorming, “what if” methods, scenario analysis or other methods for helping people identify risks, particularly infrequent risks, “black swan” risk situations (Taleb 2007) and other search techniques. One set of risk identification techniques is tree methods, either leading up to an event (tree roots) or following an initial event (tree branches), sometimes structured in terms of decision trees.
2. Risk analysis. The purpose of risk analysis is to provide the decision maker with sufficient understanding of the risk, that they are satisfied they have the appropriate level of knowledge about the risk to make decisions on risk treatment and acceptance. Risk analysis methods can vary from quantitative mathematical models to qualitative expressions of expert opinions or even organized and structured gut feelings. Risk analysis may be organized into estimates of likelihood of events, estimates of consequences of events, and estimates of the combined effect of likelihood and consequences according to the risk criteria. Risk analysis may be organized into multiple outcomes and their likelihoods in the form of a probability distribution. Risk analysis may include separate determination of risk factors that identify special vulnerabilities or opportunities for success associated with particular markets, people, products, and so forth. Risk factors are usually determined by industry-wide or population-wide studies, such as the tendency for higher credit defaults with lower credit ratings to give a rather obvious example.

   Root cause analysis of risks is both a useful and potentially confounding concept. The basic idea is to carry the analysis to the point where there is a cause of the risk that is fundamental in that if the root cause is treated then the risk consequences and/or likelihood will be modified. For example, accident analysis or debriefing of successful programs can benefit from root cause analysis. Was it the actions of the sales person, the advertising program, the design of the product, or the follow-up service that resulted in the success? Root cause analysis can be confounding, for example, when cause is inappropriately assigned to operators rather than the design of the system and specification of job tasks.

3. Risk evaluation. Each risk, if identified and analyzed, is evaluated by comparing the residual risk after risk treatment (or with existing controls) against the risk criteria. The risk is then accepted as treated or not accepted and subjected to risk treatment. The risks associated with controls and their implementations are also considered in the risk evaluation and the risk analysis. Risk controls may not work as estimated, some controls such as those involving counter parties will have additional risks of failure of the counter parties, or with partners that do not meet their contractual obligations, or the controls fail for any reason.

   If it is not possible to find a risk treatment that is acceptable then the risk is revisited and it is determined if there is any way to make the risk tolerable usually with more extensive controls.

   Risk evaluation methods are numerous and can include multidimensional objectives, risk matrices, voting, subjective ratings, testing by focus groups, statistical analysis models, market testing, and evaluation gaming. Care must be taken that the risk evaluation method and results are accurately communicated to the decision maker and other stakeholders so limitations and uncertainties are known. Note that if the risk analysis is not quantitative then the risk evaluation must be qualitative.

In many situations the risk assessment is not done as three separate tasks but with methods that combine the tasks. In some well-established methods such as HAZOP (HAZard Analysis and OPerability study) (Crawley and Preston 2008) and FMEA (Failure Mode and Effects Analysis) (Wikipedia 2009a) not only are identification, analysis, and evaluation included in the method but also risk treatment since the team doing the analysis of the system usually selects risk controls until the risk criteria are met.

The risk matrix is a combined risk assessment method that is widely used for strategic risks and other risks that require subjective analysis and evaluation. It is used when quantitative methods are not available and a knowledgeable and experienced team that collectively can provide an acceptable and comprehensive understanding of the risk is available to do risk identification, analysis, and evaluation. The team first identifies the risk and places it in the risk register. Then the team produces a subjective rating on a 3–5 point scale for both the likelihood and the consequences of the risk. The two ratings are plotted on the risk matrix using the subjective ratings. Then the team identifies the acceptable risk levels and/or the level of risk by identifying cells in the matrix that have say high, medium, or low risks or alternatively risks that require treatment or not, the result is sometimes called a “heat map” when high medium and low negative risks are shown in red, yellow, and green. Although popular, risk matrix methods should be used with caution because of the following characteristics:

• The matrix helps the team compare one risk to other risks as the question is asked: Should these two risks be in the same risk cell? Often Delphi techniques and other cyclical reevaluation methods are used to ensure consistency.
• The team should clarify if the likelihood is an expected value or an extreme value.
• The team needs to understand what controls are in place in the evaluation, for instance, while not desirable for other reasons, some of the team members may be thinking of “inherent” risks or the risk without any controls, including even human behavior (e.g., operator actions are often the treatment of last chance).
• The team can be swayed by dominant and persuasive personalities, including the facilitator, and checks should be in place including secret ballots, rules for interventions, and so on.
• Often arithmetic is done on the ratings, which is not mathematically sound, for example the rating for likelihood is incorrectly multiplied by the rating for consequences and the product referred to as the level of risk. This is why risk definitions more generally and accurately refer to “level of risk being some combination of likelihood and consequence.”
• Risks descriptions may be interpreted by team members differently. Care must be taken to make sure the risk and risk treatment can be unequivocally related to the risk being considered.

Risk Management Process: Risk Treatment

Treatment, like medical treatments, may be either vitamins to enhance well-being or therapy to reduce undesired consequences. Risk treatment includes the identification of control options, selection of a control option, and implementation of the selected control. The medical analogy, including wellness criteria is useful to appreciate the complexity of the tasks in risk treatment, particularly since there is uncertainty at every step in the process. This is reflected in the ISO standard by the fact that about 8 percent of the standard is dedicated to risk treatment, including preparation of treatment implementation plans, strategies for evaluating treatment options, and the key role for monitoring of treatment implementation and performance of controls.

Risk Management Process: Monitoring and Review

Monitoring and review along with risk communication and consultation are two RMP activities that are applied to the three “line” activities of context, assessment, and treatment. Monitoring and review are key to the continuous improvement of risk management. For example, most approaches to risk maturity examine how monitoring and review leads to actions and then to observable improvements. Every aspect of RMP needs to be monitored and reviewed including:

• Has the risk changed in character due to trends? Are there new risks evolving or emerging?
• Has the context for the risk management changed, as for example after events such as the October 2008 financial crisis?
• Is the risk treatment plan being implemented? As planned?
• Are controls effective?
• What is the appropriate frequency of monitoring?
• Should monitoring be done by internal audit, third party, or self-assessment?
• Based on actual outcomes for objectives was the risk assessment accurate?
• Can monitoring be improved by identifying better key performance indicators?

Risk Management Process: Communication and Consultation

Because risk is uncertainty about effects on objectives there is a strong incentive for communication and consultation. For example, many exercises in strategic planning are “team” exercises, which grapple with uncertainty about future markets, what the competition is doing, technological innovations, the state of the economy, the accuracy of cost estimates, and the probability of war. There must be extensive communications among team members, and consultations with other experts in the organization to ensure the accuracy and effectiveness of activities in the RMP.

There have been extensive studies of risk communication that focus on how risks are perceived, including by team members doing the risk management. People’s perception of risks changes with the frequency of the risk, natural versus man-made risks, the uncertainty of the risk and other factors (Standards Australia 2009). In addition, people are notoriously bad at doing mental arithmetic on likelihoods such that even the simplest methods of ensuring accurate calculations of probabilities and frequencies will reap considerable benefits.

Some recognized prophets in risk management (Kloman 2008) go so far as to argue that if you don’t get risk communication right then you can’t do effective risk management. Consider the risks associated with assets backed by subprime mortgages, which led in part to the October 2008 financial crisis. Might the crisis have been avoided if there had been improved communication and consultation, to explore questions such as “What is the risk associated with this asset? Are there any common root causes? What additional risks are associated with failure of controls? What is best lending practice?”

Like monitoring and reviewing, communication and consultation is a part of all the other tasks in the RMP. As captured in the expression “the more you tell the more you sell” communication improves the effectiveness of risk management for positive consequences as well as negative consequences. Communication and consultation are also key to success in risk assessment, treatment, and evaluation activities. In many risk management processes communication and consultation can account for more than 50 percent of the resources required. Consider, for example, the importance of communication and consultation in winning elections where the outcome is always uncertain.

Risk Management Process: Recording the Risk Management Process

Risk management activities should be recorded. This is standard policy for any important activities in any organization and this task is illustrated in Exhibit 7.1 as a “Management Information System” that links the RMP to the risk management framework. Records created as an integral part of the RMP provide for traceability of decisions, continuous improvement in risk management, data for other management activities, legal and regulatory requirements, and so forth. Systems for record keeping, storage, protection, retrieval, and disposal need to be carefully designed, implemented, monitored, and reviewed.

Rationale for Commitment to ERM

ERM benefits to the organization have been identified as including:

• Proactive rather than reactive management of risk resulting in more successes, fewer setbacks, and more effective operations and controls.
• More effective and structured approach to opportunities and threats by managing the associated risks in effective and efficient ways.
• Better compliance with regulations and other requirements, including employee moral, enhanced health and safety, and crisis management.
• Improved stakeholder trust and confidence in the organization.
• Better corporate governance through improved understanding of risks, their control, and general resilience and robustness of the organization.

If the organization believes in these benefits of risk management for their organization they will appoint a champion to do a gap analysis, conduct a context for the ERM framework, and design an appropriate ERM.

Gap Analysis for ERM

The first step in developing (or revising) an ERM framework is a gap analysis of existing processes against a benchmark such as ISO 31000 to provide a baseline for the design of the framework as well as to confirm the potential benefits.

The gap analysis will consider a checklist of elements of the framework such as in the section above. Each element will be described, including its function and operation. For every element, the gap analysis will evaluate its existence or not, its criticality to the organization, and its effectiveness. The result will be a template for the design of the framework.

The gap analysis is complicated by the existence in organizations of hundreds or more existing risk management activities each with its own unique terminology and processes. These “historical” risk management activities will be for health and safety, environmental protection, process safety, fraud detection, validation checks, “what if” analysis of strategic initiatives, procedures for collecting receivables, validation of stakeholder analysis, among other activities. Existing risk management activities may have gaps when compared to modern risk management frameworks and processes. For the ERM framework to integrate and incorporate existing activities it will be necessary to specify some basic principles, standard terminology, and a method of translating them into a common RMP. This is not easy due to inertia and resistance to change as well as the volatility in many organizational structures and associated roles and responsibilities. Use of dual terminology for an interim period may be necessary.

Context for ERM Framework

The organization must review the context in which it operates, starting with the external context that includes market conditions, competition, technology trends, legislative requirements, weather and climate impacts, country risks, political environment, globalization factors, key drivers of profitability and sustainability, including financing and other resources, external stakeholders’ needs issues and concerns, and any other factors that influence threats or opportunities and their associated risks.

The internal context will include the complexity of the organization in terms of size, number of locations, number of countries, degree of vertical integration, existing regulatory and legal requirements, key internal drivers of the organization, the objectives of the organization, stakeholders and their perceptions, capabilities of the organization, existing strategies and organizational structure of the organization, and any other internal factors that will impact risks or risk management.

The combination of the external and internal context will help to set parameters and objectives for the design of the ERM framework. The context will determine:

• The characteristics of risks faced by the organization and the benefits of risk management.
• The resources needed for risk management including the need for a chief risk officer.
• Combined with the gap analysis, the possible emphasis needed for the various components of the ERM framework and the risk management process.

Design, Decision, and Implementation of the ERM Framework

The elements of the ERM framework will be designed to suit the framework context and follow the elements of frameworks as described in this chapter.

Once designed, the ERM framework, its implementation plan, and process for continuous improvement must be approved by the organization then implemented. Exhibit 7.1 provides an example of one ERM framework design.

Policies for the ERM Framework

The policies should be presented in a short (usually public) document that outlines the context for the organization risk management framework, perhaps including the gap analysis, the organization’s approach to risk management, the standard terminology and risk management processes to be followed, the procedures for continuous improvement of the framework, the accountability for risk and risk management, and how the organization will monitor and review risk management and the performance of controls. These ERM policies for processes and procedures are equivalent to the framework structure illustrated in Exhibit 7.1.

Policies for Risk Management Decisions

The ERM framework should provide overarching policies that are applied in the RMP through risk criteria and risk evaluation.

Review of Policies

Policies can be poorly implemented and their effectiveness degrades over time. A key dimension of an ERM framework is to have policies that are simple to understand, work, and can be reviewed over time to ensure they are sustained and continuously improved. Every day newspapers provide examples of organizations that fail because policies were not followed.

For example, Nick Leeson at Barings Bank (Wikipedia 2009b) was provided with funds in excess of his organization’s policy limits within the month he lost all his funds and bankrupted the organization. Similarly, inquiries into the October 2008 financial disaster will uncover hundreds of these failures of policy implementation leading to the collapse of many organizations.

Simplicity is essential. Many years ago I observed the setting of key performance indicators for transit services in London, England. In an exemplary way the list of key performance indicators were reduced from more than 100 to just 1; that is, “passenger miles per pound.” Everyone could understand the indicator, it could be calculated from existing data, and it drove the organization in the direction of its key objectives—to produce riders and to save money. Moreover it played a key role in setting risk appetite and in structuring risk criteria as managers at all levels could relate the current value of the performance indicator to their own activities and risks.

There is a need for the review of organizational successes and failures using root cause analysis and other methods to determine the role of policies, policy maintenance, and application of policies.

In the initial stages of implementing a framework for ERM much of the risk management activity will concern integration of existing risk management processes. This can provide an opportunity to review policies because they will be integrated into the ERM framework one by one. The review of associated historical data on risk management decisions also provides a unique opportunity to review risk appetite and risk criteria policies. In workshops using evidence on costs of risk management, effectiveness of controls, and so forth, the organization can refine policy but also gain internal credibility about the value of the ERM framework. Typically, once a recommendation comes out of this process people come forward and say “I always thought it should be that way.”

Last but not least the ERM framework should itself be reviewed. Are risks reduced or enhanced by controls? Does risk management produce value through reduction of uncertainty? Are better decisions made and strategic planning improved? Too often, “number of inspections,” “coordinating meetings held,” “risk priority ratings,” and other irrelevant and intermediate process statistics find their way into monitoring and review of risk management frameworks. Indicators that measure objectives are more difficult to develop but are the only meaningful measures of the success of ERM.