The Essential Risk Management Guide

An introduction to the fundamentals of Risk Management & Risk Management software, best practices, and resources, all in one place.

Chapter 1: What is Risk Management

What do the standards and governance codes say about risk management:

  • According to ISO 31000, risk is the “effect of uncertainty on objectives” and an effect is a positive or negative deviation from what is expected. Risk management refers to a “coordinated set of activities and methods that is used to direct an organization and to control the many risks that can affect its ability to achieve objectives.”
  • The COSO “Risk Management-Integrated Framework” defines RM as a “… process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
  • The Institute of Internal Auditors (IIA) framework defines internal auditing as: ‘An independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.’
  • ISO 22301 provides a framework to plan, establish, implement, operate, monitor, review, maintain and continually improve a business continuity management system (BCMS). It helps organisations protect against, prepare for, respond to, and recover when disruptive incidents arise.
  • PFMA, MFMA, King IV: Legislation such as PFMA and the MFMA together with corporate governance codes such as King IV expect an institution to implement a risk management plan. The King IV code on corporate governance (copyright Institute of Directors Southern Africa) applies to all entities, regardless of their nature, size or form of incorporation. The Code is implemented on an “apply and explain” basis. The following principles relating to risk governance are embodied in the Code:
    • Strategy, Performance and Reporting: Principle 4: The governing body should appreciate that the organisation’s core purpose, its risk and opportunities, strategy, business model, performance and sustainable development are all inseparable elements of the value creation process.
    • Risk Governance: Principle 11: The governing body should govern risk in a way that supports the organisation in setting and achieving its strategic objectives.

Now, more than ever, under these trying economic conditions, an organisation needs to operate as a lean, mean machine, and key to this is robust risk management embedded throughout the organisation. Divisional objectives, including lower-level objectives, must support and be in sync with the overall objectives of the organisation. The risks associated with each of these objectives need to be identified, managed and monitored on an ongoing basis. Every effort should be made to minimise the risks that you wish to reduce / avoid, whilst still being able to take appropriate risks for reward (opportunity risk), provided that those risks are within the risk appetite and tolerance levels of the organisation.

Rogue behaviour is unacceptable in today’s business environment and can destroy an organisation overnight. Gerry Grimstone had a message for senior executives. “You can’t easily blame a board member for not knowing something,” Grimstone said. “But you can blame a board member for creating a culture where he or she doesn’t know something.” Grimstone also discussed the “tone from the top”: a need for an organisational culture where assumptions are challenged and ethical risk management practices are acclaimed, not neglected.

It’s quite simple! Lack of disclosure and an ineffective risk management information and reporting system equals negligence. Boards are explicitly given a choice between either having effective risk management in practice or disclosing their ineffectiveness in risk management to the public. If they do neither, it is considered fraud or negligence, as not knowing about a risk is no longer a defense.

At every level of our organisation, we as board members, exco members, managers and employees need to ask ourselves: Do we know what our objectives are? Are we managing the significant risks that threaten our objectives and do we recognize the opportunities and act on them within our risk appetite? Do we want to be part of the solution or are we apathetic and part of the problem?

In summary, effective risk management enables an organisation to optimise the level of risk being taken to best achieve the organisation’s objectives whilst still operating within the risk appetite of the organisation.

Chapter 2: The need for Risk Management

As a result of organisational failures in the past, stakeholders do not want to be caught unawares by risk events. Stakeholders require assurance that management has taken the necessary steps to protect their interests. Corporate governance thus places the accountability for risk management in the hands of the Accounting Authority / Officer and the Board. Stakeholders expect internal control and other risk mitigation mechanisms to be based on a thorough assessment of institutional wide risks.

Some of the benefits derived from the risk management activities include:

  • More effective strategic and operational planning with alignment of objectives and risks across the organisation
  • Greater confidence in decision making and achievement of operational and strategic objectives
  • Greater stakeholder confidence by demonstrating transparency and sustainable capability
  • Early warning system and visibility and reporting of significant risks to avoid surprises
  • Proactive management of risk rather than reactive after the event which costs time, money and reputation
  • Cost effective internal controls and control strategy
  • Evidence of a structured / formalised approach in decision making
  • Regulatory compliance and director protection

Chapter 3: What do the standards say?

According to ISO 31000, risk is the “effect of uncertainty on objectives” and an effect is a positive or negative deviation from what is expected. Risk management refers to a “coordinated set of activities and methods that is used to direct an organization and to control the many risks that can affect its ability to achieve objectives.”

The COSO “Risk Management-Integrated Framework” published in 2004 defines RM as a “…process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Legislation such as PFMA and the MFMA together with corporate governance codes such as King IV expect an institution to implement a risk management plan. The King IV code on corporate governance (copyright Institute of Directors Southern Africa) applies to all entities, regardless of their nature, size or form of incorporation. The Code is implemented on an “apply and explain” basis. The following principles relating to risk governance are embodied in the Code:

  • Strategy, Performance and Reporting: Principle 4: The governing body should appreciate that the organisation’s core purpose, its risk and opportunities, strategy, business model, performance and sustainable development are all inseparable elements of the value creation process.
  • Risk Governance: Principle 11: The governing body should govern risk in a way that supports the organisation in setting and achieving its strategic objectives.

Recommended Practices

  • The governing body should assume responsibility for the governance of risk by setting the direction for how risk should be approached and addressed in the organisation. Risk governance should encompass both:
    • a. the opportunities and associated risks to be considered when developing strategy; and
    • b. the potential positive and negative effects of the same risks on the achievement of organisational objectives.
  • The governing body should treat risk as integral to the way it makes decisions and executes its duties.
  • The governing body should approve policy that articulates and gives effect to its set direction on risk.
  • The governing body should evaluate and agree the nature and extent of the risks that the organisation should be willing to take in pursuit of its strategic objectives. It should approve in particular:
    • a. the organisation’s risk appetite, namely its propensity to take appropriate levels of risk; and
    • b. the limit of the potential loss that the organisation has the capacity to tolerate
  • The governing body should delegate to management the responsibility to implement and execute effective risk management.
  • The governing body should exercise ongoing oversight of risk management and, in particular, oversee that it results in the following:
    • a. An assessment of risks and opportunities emanating from the triple context in which the organisation operates and the capitals that the organisation uses and affects
    • b. An assessment of the potential upside, or opportunity, presented by risks with potentially negative effects on achieving organisational objectives
    • c. An assessment of the organisation’s dependence on resources and relationships as represented by the various forms of capital
    • d. The design and implementation of appropriate risk responses
    • e. The establishment and implementation of business continuity arrangements that allow the organisation to operate under conditions of volatility, and to withstand and recover from acute shocks.
    • f. The integration and embedding of risk management in the business activities and culture of the organisation
  • The governing body should consider the need to receive periodic independent assurance on the effectiveness of risk management.
  • The nature and extent of the risks and opportunities the organisation is willing to take should be disclosed without compromising sensitive information.
  • In addition, the following should be disclosed in relation to risk:
    • a. An overview of the arrangements for governing and managing risk
    • b. Key areas of focus during the reporting period, including objectives, the key risks that the organisation faces, as well as undue, unexpected or unusual risks and risks taken outside of the risk tolerance levels
    • c. Actions taken to monitor the effectiveness of risk management and how the outcomes were addressed
    • d. Planned areas of future focus

Chapter 4: What is Risk Assessment?

What do the standards say about risk assessment?

  • As per ISO 31000, section 6.4, risk assessment is the overall process of risk identification, risk analysis and risk evaluation.

[Figure: COSO ERM framework]

  • As per the COSO ERM framework, risk assessment follows event identification and precedes risk response. … Risk assessment is all about measuring and prioritizing risks so that risk levels are managed within defined tolerance thresholds without being over-controlled or forgoing desirable opportunities.

So risk assessment is defined slightly differently by the standards, with ISO 31000 covering a broader range of activities and COSO being more focused; however, the overall risk management process is similar in terms of identifying risks, rating / assessing risks, responding to risks (treatment), with ongoing monitoring and review together with reporting and communication.

Performing a risk assessment

Taking the more focused view on risk assessment, once risks have been identified at the various levels of the organisation (associated with the achievement of objectives), it is important to prioritise these risks. Prioritising risks involves rating the impact (severity) and likelihood of the risk. Risks are rated qualitatively based on risk appetite and tolerance thresholds, which ideally should be specific to individual areas / business units. The following is a typical example of a qualitative risk appetite and tolerance model which can be used as a guideline when rating the impact of a risk:

[Figure: qualitative risk appetite and tolerance model]

Where possible, risks should also be rated quantitatively. Quantitative risk appetite thresholds should be defined per area / business unit per category of risk so that it is possible to set higher impact thresholds for risks that you wish to take (opportunity related risks) and lower impact thresholds for risks that you wish to avoid. For example, thresholds should be set at every level of the business (business unit) by type of risk (i.e. risks associated with opportunity versus negative / risks to be avoided):

[Figure: quantitative risk appetite thresholds per business unit, per type of risk]

Steps to effective risk assessment:

Step 1: Understand the definition of risk appetite and tolerance and how it relates to your organisation.

Step 2: (a) Formulate and rate risks based on your qualitative risk appetite model / statement, defining risk appetite model/s that take into account materiality at group, divisional and business unit level; (b) set up your quantitative risk appetite thresholds at key levels (business units) of your organisation.

Step 3: Report qualitatively as well as quantitatively on your risks, taking into account the significance (importance) of objectives at the different levels (business units) of your organisation.
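The rating and threshold steps above, worked through in code. This is an added example and is not part of the guide or of BarnOwl’s software; the 1-5 impact and likelihood scales, the impact × likelihood rating, the qualitative band cut-offs, the business units, the opportunity / threat categories and the currency thresholds are all constructed assumptions chosen to illustrate the approach. It goes slightly beyond the text by treating a missing threshold for a unit / category as something to escalate rather than silently accept.

```python
"""Score a small risk register against per-business-unit, per-category
appetite thresholds. All scales, bands, units and amounts are constructed
for illustration and are not taken from the guide or from any product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    unit: str          # business unit that owns the risk
    category: str      # "opportunity" (risk to be taken) or "threat" (risk to be avoided)
    impact: int        # qualitative impact score, 1..5 (assumed scale)
    likelihood: int    # qualitative likelihood score, 1..5 (assumed scale)
    exposure: float    # estimated potential loss in currency units (constructed)


# Constructed qualitative bands on the impact x likelihood product (1..25).
BANDS = [(5, "Low"), (10, "Medium"), (16, "High"), (25, "Critical")]

# Constructed quantitative appetite thresholds: the maximum exposure tolerated
# per unit and category. Opportunity thresholds are set higher than threat
# thresholds, as the guide recommends.
APPETITE = {
    ("Retail", "opportunity"): 500_000,
    ("Retail", "threat"): 150_000,
    ("Treasury", "opportunity"): 2_000_000,
    ("Treasury", "threat"): 250_000,
}


def rating(risk):
    """Qualitative rating as the impact x likelihood product; rejects off-scale scores."""
    for score in (risk.impact, risk.likelihood):
        if not 1 <= score <= 5:
            raise ValueError("impact and likelihood must be on the 1-5 scale")
    return risk.impact * risk.likelihood


def band(score):
    """Map a 1..25 rating onto the qualitative band labels."""
    for upper, label in BANDS:
        if score <= upper:
            return label
    raise ValueError("rating outside the 1-25 range")


def within_appetite(risk):
    """False when exposure exceeds the unit/category threshold, and also when no
    threshold has been defined at all: an unmapped unit is a governance gap to
    escalate, not an implicit acceptance."""
    limit = APPETITE.get((risk.unit, risk.category))
    return limit is not None and risk.exposure <= limit


def assess(register):
    """Prioritised register: highest rating first, with the qualitative band and
    whether the quantitative exposure sits within appetite."""
    rows = []
    for risk in register:
        score = rating(risk)
        rows.append({
            "risk": risk.name, "unit": risk.unit, "category": risk.category,
            "score": score, "band": band(score),
            "within_appetite": within_appetite(risk),
        })
    return sorted(rows, key=lambda row: row["score"], reverse=True)


def breaches(register):
    """Names of risks needing escalation, in priority order."""
    return [row["risk"] for row in assess(register) if not row["within_appetite"]]


# Constructed sample register; names, units and amounts are illustrative only.
SAMPLE_REGISTER = [
    Risk("Card fraud losses", "Retail", "threat", 4, 4, 200_000.0),
    Risk("New product launch", "Retail", "opportunity", 3, 3, 400_000.0),
    Risk("FX hedging position", "Treasury", "opportunity", 4, 2, 1_500_000.0),
    Risk("Payment system outage", "Treasury", "threat", 5, 2, 300_000.0),
    Risk("Unmapped unit risk", "Logistics", "threat", 2, 2, 10_000.0),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(row)
    print("Escalate:", breaches(SAMPLE_REGISTER))
```

Run as a script it prints the prioritised register and the risks to escalate. The separation between the qualitative band (used for prioritisation) and the quantitative appetite check (used for delegated authority) mirrors Step 2 (a) and (b): a “Medium” risk can still breach appetite if its exposure exceeds the threshold set for that unit and risk type.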

You can find further information on risk appetite and tolerance at: https://api.barnowl.co.za/insights/a-3-step-approach-to-implementing-risk-appetite-and-tolerance/

In summary, effective risk management enables an organisation to optimise the level of risk being taken to best achieve the organisation’s objectives whilst still operating within the risk appetite of the organisation.

Chapter 5: Why the need for Risk Management Software?

Risk management software facilitates the embedding of risk management within an organisation as set out in the ISO31000 and COSO standards. It is not possible to embed risk management without specialised risk management software. Sadly, many organisations still pay lip service to risk management and think that risk management is about listing and monitoring their top 20 risks in an Excel document, which they discuss with the board and / or exco from time to time. Somehow, however, many of these organisations still manage to come up with a ‘nice’ glossy annual report with a chapter on how well they are performing risk management in line with the standards to appease their shareholders and prospective investors.

In order to claim that your organisation is serious about risk management, the following are a few points worth noting:

  • Objectives need to be identified and cascaded downwards to every level of your organisation with key performance indicator monitoring (with targets and thresholds allocated to owner/s),
  • Risks that should be avoided or taken in order to achieve objectives need to be identified, assessed regularly and monitored at every level of the organisation,
  • Risk appetite and tolerance levels need to be set up at every level of the organisation by type of risk so that responsible owners of risk know what their delegated authority is in terms of taking or avoiding risk,
  • Risks need to be monitored on an ongoing basis or better still on a real-time basis, taking into account the adequacy and effectiveness of linked controls, related (linked) risks, key risk indicators (with targets and thresholds) as well as associated near misses / loss events,
  • Controls need to be put in place at every level of the organisation to mitigate the risks and monitored on an ongoing basis by the various lines of defence or better still on a real-time basis, utilising continuous monitoring software.
  • Action plans with due dates and owner/s, drive ownership and accountability for the management of risk at every level of the organisation,
  • Interactive, up-to-date business intelligence reporting off a dynamically updated risk universe together with ‘real-time’ alerts, enables an organisation to respond proactively to possible value destructors whilst taking advantage of value creators,
  • In addition, risk management software facilitates predictive risk analysis and scenario modelling, thereby future-proofing an organisation as far as possible.

In Summary:

It is impossible to perform effective risk management without risk management software. Having said this, however, as with any system it is a case of garbage-in, garbage-out, so commitment to the risk management process is fundamental to effective risk management.

Effective risk management enables an organisation to optimise the level of risk being taken to best achieve the organisation’s objectives whilst still operating within the risk appetite of the organisation.

Chapter 6: What Risk Management software will do for my organisation

An organisation cannot manage risk effectively without the use of specialised risk software which drives accountability and ownership for risk in a coordinated manner across the organisation. Therefore, if your organisation is serious about risk management you need specialised risk management software which will:

  • Facilitate and embed risk management in your organisation turning RM into a ‘living’ activity which is integrated within the business and its operations
  • Facilitate a culture of risk and control within your organisation driving accountability for risk management at all levels of the organisation enabled by the ‘live’ updating and monitoring of action plans
  • Facilitate an integrated approach rather than a silo-driven approach to risk management by linking related risks across the organisation and monitoring the knock-on effect of risks, key risk indicators, incidents, controls, causes etc.
  • Improve the quality and consistency of data captured giving you one version of the truth, audit trails etc.
  • Provide an up to date dashboard of your risk universe including consolidated and trend reporting at any level of the organisation all at the click of a button
  • Ensure Director / Accounting officer protection through a formalised system-driven approach to risk management and compliance

Why can’t we just use Excel?

  • Multiple ‘versions of the truth’ with little or no version control with 100s of spreadsheets floating around the organisation,
  • Data is not well structured (inconsistent columns and naming conventions, free text versus drop-downs etc.) limiting the ability to report on data,
  • Limited data validation (free text versus drop down boxes),
  • The quality and completeness of data is compromised,
  • Information is not consolidated into a single repository,
  • Security access to data is non-existent in most cases,
  • Excel is silo based and ignores interdependencies of risk across business units and users etc.,
  • Excel spreadsheets can’t easily be shared / worked on at the same time,
  • It’s not possible to perform aggregated reporting without exhaustive manual intervention,
  • It’s almost impossible to generate trend reporting,
  • Excel is a static system as opposed to a ‘living’ system which provides the ability to send out automated email notifications, reminders, escalations etc. based on system triggers,
  • Complex spreadsheets are ‘lost’ when the owner leaves the organisation and are re-invented again by the new person, wasting time, money and effort.

And now imagine if you combine the best of both worlds:

A well designed software solution combines the best of both worlds, allowing users to work in a flexible way but also in a structured and consistent way which facilitates data quality, accuracy and completeness, enabling consolidated reporting of one version of the truth. One of the key benefits of a system is the ability to provide intelligent reporting at the click of a button, informing the business on as close to a real-time basis as possible. Pulling together Excel documents with disparate information is time consuming, prone to error and frankly a waste of expensive resources’ time.

In the design of any system there are many conflicting trade-offs between flexibility, complexity, ease of use, structured versus unstructured data, reportability etc. Choose a system which balances flexibility against complexity, one that is easy to use and fit for purpose rather than impossible to configure and maintain.

Chapter 7: Steps to the successful implementation of risk management software

Software implementation:

  • Ensure you have an existing risk management policy, risk framework and methodology
  • Identify the risk champions and risk owners at the various levels of your organisation. Limit the number of users to start with
  • Sanitise and import your existing Excel-based risk registers into the system
  • Confirm the kinds of risk management reports you would like out of the system: heat maps, trend analysis etc.
  • Get buy-in from the top and educate your users as to the value of RM and the reason for a system

Now you are ready to use the software:

  • Inform users that whilst the system is non-intrusive there will be automated follow-up of action plans and automated risk & control self-assessments
  • Embed and expand the usage of the system over time
  • Add value to the organisation with insightful reporting
  • Demonstrate the effective mitigation of risks and monitoring of controls
  • Follow up on remedial action plans

Chapter 8: Considerations and key questions when buying risk management software

  • Does the software support best practice standards (COSO, ISO31000), and is there seamless integration with compliance and audit if required?
  • Does the solution provide a simple, cost effective, user friendly and non-intrusive interface for the normal business user? E.g. action plans, checklists, risk & control self-assessments etc.
  • Is the system flexible, configurable and parameter driven in order to support your risk methodology?
  • Ensure that the software offers flexible reporting capability without any programmer intervention
  • Apart from the standard features, what differentiators / value add does the software offer?
  • What is the setup process and what are the estimated timelines? It should be easy to get up and running with the software
  • Is the system fully documented (user manuals, online help, FAQs)?
  • Is there local support, and how responsive are the software owners and developers to your changing requirements?
  • Are there any hidden fees or costs (e.g. hosting, support, additional implementation, other required 3rd party software licenses, online action plan users etc.)?
  • Ensure that there are regular upgrades to the software, ensuring that it is aligned with best practice risk management standards as well as kept up to date with the latest technology platforms, and that the upgrade process is simple and never overwrites existing custom fields / custom settings.
  • Request client references / testimonials

Don’t:

  • just buy basic software which may meet your current requirements today but won’t meet your future requirements

Chapter 9: Key feature comparison checklist

Important features to compare across candidate products (the original checklist provides a tick column for each of BarnOwl Software, Software B and Software C):

  • Is the system a fully integrated GRC software solution offering additional modules such as compliance, incident management and audit?
  • Full system functionality supporting the COSO, ISO31000 standards including functionality to maintain objectives, risks, controls (including multi-rating of controls per assurance provider), contributing factors, KRIs, incident management, action plans, voting, risk & control self-assessments, surveys, questionnaires
  • Simple and flexible take-on / import functionality
  • Flexible and parameter-driven to ensure configuration for your risk methodology (ratings etc.)
  • Ability to maintain a central library of common objectives, risks, controls, KRIs etc.
  • User-defined fields available anywhere in the system and ability to report on user-defined fields
  • Linking of objectives to risks and risks to other risks, KRIs etc. enabling dynamic re-assessment and automated notifications to ‘risk owners’ of a changing risk environment
  • Highly flexible and customisable report generation without any programmer intervention
  • Combined assurance reporting
  • Graphical slice and dice reporting: e.g. risk heat map, heat map movement, trends, risk ranking, causal analysis, etc.
  • Automated risk & control self-assessments without any licensing or cost implications
  • Online questionnaires and surveys without any licensing or cost implications
  • Online action plans with email notifications to all auditees without any licensing or cost implications
  • Offline and online synchronisation enabling workshops to be conducted offline
  • Ease of use including a ‘Lite’ offering allowing easy adoption and buy-in for the system by the business users
  • User / Group security restricting unit and risk owner access
  • Ability and willingness of the vendor to respond to software enhancement requests
  • Online help, FAQs, up-to-date system documentation
  • End user support process, support portal
  • Regular and seamless software upgrades
  • Regular user groups, refresher training etc.
  • Client references and track record of the vendor

About BarnOwl Risk Management:

The BarnOwl risk management module facilitates a structured and systematic approach to risk management by providing an effective way of prioritising and managing risk and opportunity across the organisation in pursuit of business objectives and strategy. BarnOwl provides a unified view of risk and gives management and staff at every level the ability to identify, assess, manage, monitor and report on risks. BarnOwl provides an early warning system, drives ownership for risk mitigation, and delivers risk intelligence reporting assisting with business growth and sustainability. The BarnOwl risk management module supports and embeds best practices frameworks such as COSO, ISO31000 and The National Treasury Framework.
