Implementing the appropriate risk process starts with building a foundation that meets your organization’s objectives, but consistent maintenance of your risk policy can help define the value and significance of your strategy. In this session at RIMS 2021, Joseph Mayo, President of J.W. Mayo Consulting LLC, reveals how to implement a risk management process, along with his best practices from industry experience.
Building a Foundation
The foundation of risk management relies on the risk policy and governance mechanisms. Risk policy needs to define the organization’s risk appetite and tolerance. Once risk policy has been established, the governance framework can begin. The governance framework is the decision-making framework for risk, and it ultimately defines an effective risk management organization. To gauge effectiveness, risk events or opportunities need to align with organizational goals and objectives. Once the foundation has been established, the development of the five-step risk management process can begin. Those five steps are identifying, analyzing, evaluating, treating and monitoring risks.
Risk audits can help organizations determine what is and is not an actual risk. Conditions, symptoms, concerns and red herrings can all masquerade as risks when they are not actually a true risk. Expressing the risk in terms of its effects on a business’ objectives will also clarify whether or not it is a true risk.
Analyzing risks helps to develop and understand the risk. Is it really a risk or opportunity? How is it associated with a business objective? Is it within the business’ risk appetite and tolerance? When analyzing risks, you may need to consider expanding the organizational risk appetite and tolerance based on the evaluations from your risk analysis. Documenting the impact in quantitative terms will help determine if you need more information to define a risk or if it’s even a risk at all.
The evaluation stage concerns educating stakeholders with information they need to make decisions. The risk organization can recommend a strategy, whether it be to accept, mitigate, transfer or avoid. This stage can also be key in determining whether or not the organization’s risk appetite and tolerance should be expanded. Key risk indicators (KRIs) can help with the evaluation process, as they provide an early warning of an impending risk event, giving an organization time to react and eliminate a potential impact.
Once recommendations have been approved by stakeholders, treatment plans can begin. Treatment plans are typically developed for risks that are transferred or mitigated. However, market conditions change, which can dramatically alter an organization’s risk appetite and tolerance, and how a business views accepting or avoiding a risk. Failing to register these risks can also lead to a loss of data and of monitoring.
The monitoring stage focuses on treatment plans and KRIs. When monitoring, it’s important to pay close attention to secondary and residual risks. Secondary risks arise as the result of implementing risk treatment, and residual risks remain after implementing risk treatment. These risks may not have been present at the time of evaluation, which again may be a time to reconsider their impact.
Remember that these steps need to be properly executed and continually worked on to display the true value of an organization’s risk management strategy. A risk policy needs to clearly describe the organization’s risk appetite and tolerance and the framework it operates within. The governance framework will drive the most effective risk management.