Matthew Leitch has posted an interesting article on what integrated risk management actually means on his site, here. This analysis is based on a survey he executed and I participated in. As usual, his methodology as well as the scope of his analysis is well defined and well executed.
I believe his conclusions are well founded based on his results. You really need to read the entire analysis, including the analysis of responses to each of the 10 scenarios he offered. I have a couple of remarks on his analysis.
Good risk management appears to be integrated
Where an aspect of the scenario, most respondents have chosen those scenarios which allowed for as broad a data set as possible to be available for risk management. They also chose to involve as large a group of collaborators as possible in such an exercise. Clearly, good risk management should not be separate from the organization in which it is being executed.
This is completely in line with the experience we’ve built in the Belgian federal public sector. The more, the merrier, it seems, but the more people are involved in a well-executed process, the better the information which is used in the risk management process.
Risk related policies are indicative of risk appetite
Matthew refers to BS 31100:2011, the British risk management standard, and its definition of risk appetite. This definition shies away from the limits or thresholds for risks and focuses on policy decisions with respect to risk. I feel this to be a very important distinction. Establishing risk thresholds has always felt like a rather retroactive approach. Once the bells and whistles go off, we’ll decide what to do or how to react. By establishing a clear policy framework on risk, most of the thinking on risk has been done. This is not cast in stone, but at least a lot of the required assessments, which do take time, have been executed.
In addition, I believe that the nature of the risk-related policies a company adopts is indicative of the risk appetite or risk tolerance of that organization.
Integrated risk management involves a significant initial effort
Reading through the scenarios Matthew offered in his survey, I could not fail to notice that the effort in setting up an integrated risk management system always appears significantly heavier than the effort in going for the less integrated approach. In selling risk management to management, this may be an issue. In order to allow for a full implementation, you will need a strong champion in the organization.
Perception point
One of the main conclusions Matthew draws from his survey is that listing risks is not critical to integrated risk management. I do agree as I am rather allergic to the traditional risk register.
However … in the context of risk management, every stakeholder has his or her own way of looking at risks related to their day-to-day activities and environment. This unique way is very much determined by factors which are in turn different for each of the participants. No one position will allow for a complete view on all relevant risks.
It’s my experience that developing a Risk Identification Model, a sort of reference or vocabulary of potential risks which, as an instrument, is alive and can be added to or amended, is a good tool for two purposes:
- It allows all participants, when browsing the Risk Identification Model prior to a risk assessment exercise, to gain an understanding of the possible risks that may come up during the exercise. It broadens their scope and will ensure they will at least consider the different elements;
- It allows for identification of transversal issues which can or should be managed across the entire organization or a part of it.
Conclusion
The survey is a very interesting view on integrated risk management. Matthew Leitch has again done a wonderful job. A good read.