risk management guide - internodesalters/risk management guide.pdf · riskmanagementguide chapter...


Risk Management Guide

Chapter 1: Introduction to the Risk management Guide

Chapter 2: Establishing Context and Identifying Risks

Chapter 3: Evaluate Existing Controls

Chapter 4: Risk Analysis and Evaluation

Chapter 5: Risk Treatment

Disclaimer

This guide, and the tools and templates available from www.disasterresilience.com will support your planning processes and strengthen your resilience. Using familiar software (Microsoft Word, Access, Excel and PowerPoint), we focus on quality processes within a risk management framework. These approaches serve as best practice models. They should not be used as "templates for duplication" with global word changes. You should evaluate the significance of any requirements specific to your context - then tailor your approach accordingly.


Risk Management Guidelines - Introduction

Chapter 1: Introduction to the Risk Management Guidelines

Framework

These guidelines provide advice on implementing a risk management approach aligned with the International Risk Management Principles and Guidelines – ISO 31000.

Figure 1 Risk Management (ISO 31000)

Icons

These guidelines are structured around two icons:

1. The folder icon flags advice on what needs to be done and how to do it. This will generally be as text – and about a process – with an accompanying diagram.

2. The keyboard icon flags advice on how to record the outputs from “what needs to be done and how to do it”. This text will be specific to the data entry requirements – with an accompanying screenshot (in this case, of the Excel Spreadsheet tool).

Figure 2 Excel Spreadsheet Screenshot - full screen.

Icon Key

Workbook advice

Tool advice

Risk Management Guidelines – Establish Context and Identify Risks

Chapter 2: Establishing Context and Identifying Risks

Communication and Consultation - Stakeholders

The oil of the machine; the grist for the mill, the underpinning foundation – the central and significant role of effective communication and consultation can not be understated.

Risks are about the conditions and circumstances which give rise to uncertainty about the future. Those conditions and circumstances – and their management – are things about which many and varied people have an interest. Some more directly than others. Therefore a first and fundamental step is to identify “stakeholders” (defined as anyone with an interest).

Second, not all stakeholders have the same level of “hold” – that is, “care” or “interest”. Therefore it is important to differentiate stakeholders. Any of several techniques (such as the matrix provided) are useful for mapping stakeholders.

Communication and Consultation - Stakeholders (continued)

A useful way of generating a list of “who has an interest – and what level of interest do they have” is to generate a process map called a “SIPOC” which is short for Suppliers – Inputs – Process – Outputs – Customers. This process map should be started on the right hand side – identifying customers on the basis of who has an interest and what will be required to address that interest. This type of mapping also enhances a broader understanding of context. Details on how to facilitate a SIPOC mapping process are available at Attachment A.

Communication and Consultation - Stakeholders (tool advice)

The output from the stakeholder identification and differentiation process is a list of stakeholders which should be entered into the “originator” section of the Excel Spreadsheet by clicking on “Add New Originator”.

Figure 3 Establish Context and Identify Risks

Communication and Consultation – Risk Statements

Particular attention to detail should be exercised when generating a “risk statement”. A risk statement must derive from context. It is formulated in direct association with a task, goal, objective or value criterion of your business or organisation – often directly linked to your business or corporate plan.

When writing a risk statement, to strengthen clarity and meaning:

1. Write a complete sentence, consisting of a cause and effect.

2. Identify the cause as far upstream - in the chain of cause and effect - as is practical to manage. State the cause as a set of conditions, or as a “trigger” event.

3. State the effect upon the task, goal, objective, or value criterion under consideration.

4. Link the two clauses by a phrase such as “leads to”; or “causing”; or “results in”.

Example: "Having an outdated, unexercised business continuity plan leads to unacceptable vulnerability across the business"

Communication and Consultation – Risk Statements (tool advice)

Risk Statements are entered in individual rows under the “Risk Statement” column in Figure 3: Establish Context and Identify Risks (above).

Communication and Consultation – Consequence Criteria

Each of your risk statements will have – or not have – an association with your (tailored) risk assessment criteria. Your risk assessment criteria measure what you care about – and how much you care. They need to reflect the context of the organisation – not simply be cut and pasted from a template of another organisation's set of values. Considerable care should be taken to ensure that appropriate criteria – reflecting your position – are developed.

Figure 4 Establishing assessment criteria is a social process

Communication and Consultation – Consequence Criteria (tool advice)

Where a value criterion (such as “Outcome; Output; Community; Governance; People”) is triggered – by an effect generating a possible consequence – a specific level of possible consequence should be attributed to the risk statement by selecting the appropriate drop down “threshold” in the “Consequence” column [as shown on the right hand side of Figure 3: Establish Context and Identify Risks (above)].

The threshold choices are 1 – Insignificant; 2 – Minor; 3 – Moderate; 4 – Major; or 5 – Critical for each affected value criterion. To support the clarity of your attribution, the “ ” symbol – which leads to both the detailed description of thresholds and indicators – should be clicked on. This advice – on the value criteria and their thresholds – can also be reached from the “Consequence and Likelihood” TAB at the bottom of the screen.


Figure 5 Risk Assessment Criteria

Risk Management Guidelines - Evaluate Existing Controls

Chapter 3: Evaluate Existing Controls

What we do now to manage this risk

A “control” is an “existing process, system, policy, device, structure, practice or other action that acts to minimize negative risk or enhance positive opportunities”.

The identification of current controls is also a fundamental and critical step. Risk levels can not be determined until we can attribute a level of likelihood to the consequence – and the effectiveness of existing controls is key to advising our judgment on how likely a specific consequence is to arise. Once controls have been listed, each should be given an “effectiveness score” using performance indicators such as those outlined in Figure 6 below.

Performance Indicators

1. Risk reduction – This control prevents a significant proportion of losses posed by this risk.

2. Continuity of effects – The effects of the application of this control will be long term or ongoing.

3. Timing – The beneficial effects of this control are likely to be quickly realized.

4. Administrative efficiency – We have the expertise and this control is easily administered.

5. Cost-effectiveness – This control is cost-effective.

6. Synergy, leverage and compatibility – This control is likely to lead to further risk reducing actions by others. It is highly compatible with other controls that exist or are likely to be adopted.

7. Risk creation – Implementation of this control does not introduce new risks.

Figure 6 Considerations when assessing the effectiveness of existing controls

What we do now to manage this risk (tool advice)

The controls which have an impact on the consequence of each particular value criterion should be listed individually against the specific consequence criteria (for the risk statement under consideration). This will require copying in rows (to correspond with the number of controls). This will then enable scoring for effectiveness to be attributed against each control.

To support the clarity of your attribution of effectiveness, the “ ” symbol – which leads to both the detailed description of performance levels and performance indicators – should be clicked on. This advice can also be reached from the “Effectiveness and Adequacy” TAB at the bottom of the screen.

Figure 7 Control Effectiveness Advice TAB (Excel Spreadsheet)

Figure 8 Screenshot - Existing Controls Evaluated

Once the level of control is determined, the Adequacy Matrix provides an important tool to assess whether the control is likely to be appropriate or whether actions to improve the level or quality of the control are required. The adequacy of the existing control will be automatically calculated based on the matrix below – which recognises that adequacy is a function of effectiveness and consequence.

Figure 9 Adequacy Matrix

Chapter 4: Risk Analysis and Evaluation

Given the adequacy of current controls, determine the likelihood of the consequence

A level of likelihood should be premised. It is important to focus on the likelihood of the consequence – NOT on the likelihood of the “trigger event”. The attribution of level should be against the criteria listed in Figure 10 below.

Likelihood Criteria

A – Almost certain to occur in most circumstances

B – Likely to occur frequently

C – Possible and likely to occur at some time

D – Unlikely to occur but could happen

E – May occur but only in rare and exceptional circumstances

Figure 10 Likelihood Criteria

Given the adequacy of current controls, determine the likelihood of the consequence (tool advice)

The consequence level will be automatically populated from the “Establish Context and Identify Risks” stage.

The level of likelihood which you premise will automatically generate a level of risk (against the consequence criteria and the agreed risk appetite).

Figure 11 Premise the likelihood of the specified consequence

The Excel tool is designed using an early version (2003) to maximize access. A constraint of this early version is a limitation in formulae for choices of colour – therefore, if you change the likelihood attribution, you will need to click on the “running man icon” to refresh the risk level colour.

Figure 12 Risk Levels - suggested prioritisation for action

The general advice we suggest about whether a level of risk requires treatment is provided in Figure 12 above. However, to enable the exercise of management discretion, the “Accept Risk” (Yes or No) and the “Future Risk Target” levels of the tool are not populated automatically.

Figure 13 Risk Acceptance and Future Risk Target Levels are management discretions
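The steps in Chapters 2 to 4 can be tied together in a small risk register. The Python sketch below is an added example, not the guide's Excel tool: it keeps the guide's consequence thresholds (1 – 5), likelihood criteria (A – E), the four risk-statement writing rules and the seven control performance indicators from Figure 6, and it leaves “Accept Risk” and “Future Risk Target” unpopulated, as the guide requires. Because Figures 9 and 12 (the Adequacy Matrix and the risk-level colours) survive only as screenshots, the `RISK_MATRIX` values and the `adequacy()` thresholds are assumed stand-ins, and all class and function names are my own.

```python
"""Minimal risk register that follows the guide's workflow.

Added example, not the guide's Excel tool. The consequence thresholds (1-5),
likelihood letters (A-E), risk-statement rules and the seven control
performance indicators are the guide's. The risk-level matrix and the
adequacy rule are ASSUMED stand-ins: the guide shows its own (Figures 9
and 12) only as screenshots that did not survive extraction.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Critical"}
LIKELIHOOD = {"A": "Almost certain", "B": "Likely", "C": "Possible",
              "D": "Unlikely", "E": "Rare"}
# Rule 4: the cause and effect clauses are joined by one of these phrases.
LINK_RE = re.compile(r"\b(leads to|causing|results in)\b", re.IGNORECASE)

# Figure 6 / Figure 14 performance indicators, one point each when satisfied.
INDICATORS = ("risk_reduction", "continuity_of_effects", "timing",
              "administrative_efficiency", "cost_effectiveness",
              "synergy_and_compatibility", "no_new_risks")

# ASSUMED risk-level matrix: row = likelihood, column index = consequence - 1.
RISK_MATRIX = {
    "A": ("Medium", "High", "High", "Extreme", "Extreme"),
    "B": ("Medium", "Medium", "High", "High", "Extreme"),
    "C": ("Low", "Medium", "Medium", "High", "High"),
    "D": ("Low", "Low", "Medium", "Medium", "High"),
    "E": ("Low", "Low", "Low", "Medium", "Medium"),
}


def split_risk_statement(statement: str):
    """Check the guide's writing rules: a cause, a link phrase and an effect.
    Returns (cause, link, effect), or None if any of the three is missing."""
    m = LINK_RE.search(statement)
    if m is None:
        return None
    cause = statement[:m.start()].strip(" .")
    effect = statement[m.end():].strip(" .")
    if not cause or not effect:
        return None
    return cause, m.group(1).lower(), effect


@dataclass
class Control:
    name: str
    indicators: set = field(default_factory=set)  # subset of INDICATORS met

    def effectiveness(self) -> int:
        """Effectiveness score 0-7: number of performance indicators satisfied."""
        unknown = self.indicators - set(INDICATORS)
        if unknown:
            raise ValueError(f"unknown indicators: {sorted(unknown)}")
        return len(self.indicators)


def adequacy(effectiveness: int, consequence: int) -> str:
    """ASSUMED stand-in for the Adequacy Matrix (Figure 9): adequacy is a
    function of effectiveness and consequence, so a bigger consequence
    demands a higher effectiveness score before the control is adequate."""
    required = {1: 2, 2: 2, 3: 4, 4: 6, 5: 6}[consequence]
    return "Adequate" if effectiveness >= required else "Improve"


def risk_level(likelihood: str, consequence: int) -> str:
    """Risk level from the likelihood of the CONSEQUENCE (not of the trigger)."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood must be A-E and consequence 1-5")
    return RISK_MATRIX[likelihood][consequence - 1]


@dataclass
class RiskRow:
    originator: str            # stakeholder who raised the risk (Chapter 2)
    statement: str
    criterion: str             # value criterion, e.g. "Governance"
    consequence: int           # threshold 1-5 chosen for that criterion
    controls: list
    likelihood: Optional[str] = None
    # Management discretions: never auto-populated, as the guide stresses.
    accept_risk: Optional[bool] = None
    future_risk_target: Optional[str] = None

    def analyse(self) -> dict:
        if split_risk_statement(self.statement) is None:
            raise ValueError("statement must read '<cause> leads to/causing/results in <effect>'")
        if self.likelihood is None:
            raise ValueError("premise a likelihood (A-E) before analysing")
        return {
            "controls": {c.name: (c.effectiveness(),
                                  adequacy(c.effectiveness(), self.consequence))
                         for c in self.controls},
            "consequence": CONSEQUENCE[self.consequence],
            "risk_level": risk_level(self.likelihood, self.consequence),
            "accept_risk": self.accept_risk,
            "future_risk_target": self.future_risk_target,
        }


# Constructed sample row, using the guide's own example risk statement.
EXAMPLE = RiskRow(
    originator="Board audit committee",
    statement=("Having an outdated, unexercised business continuity plan leads to "
               "unacceptable vulnerability across the business"),
    criterion="Governance",
    consequence=4,
    controls=[Control("Annual BCP desktop exercise",
                      {"risk_reduction", "timing", "cost_effectiveness"})],
    likelihood="C",
)

if __name__ == "__main__":
    print(EXAMPLE.analyse())
```

Replace `RISK_MATRIX` and the thresholds in `adequacy()` with the values from your own Figures 9 and 12 and the agreed risk appetite; the structure (statement check, per-control effectiveness and adequacy, likelihood-of-consequence lookup, and discretions left blank) is what the guide's spreadsheet enforces.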

Chapter 5: Risk Treatment

What we will do; within what budget, by when and by whom.

The treatment of risk is very much about the standard governance qualities of any plan. This calls for a selection of high leverage cost effective controls to be considered – using the performance indicators outlined below and introduced in Chapter 3, Figure 6.

Performance Indicators

1. Risk reduction – This control prevents a significant proportion of losses posed by this risk.

2. Continuity of effects – The effects of the application of this control will be long term or ongoing.

3. Timing – The beneficial effects of this control are likely to be quickly realized.

4. Administrative efficiency – We have the expertise and this control is easily administered.

5. Cost-effectiveness – This control is cost-effective.

6. Synergy, leverage and compatibility – This control is likely to lead to further risk reducing actions by others. It is highly compatible with other controls that exist or are likely to be adopted.

7. Risk creation – Implementation of this control does not introduce new risks.

Figure 14 Risk Treatment Selection Criteria

What we will do; within what budget, by when and by whom. (tool advice)

The criteria can be accessed from the “ ” symbol – which leads to performance levels and performance indicators. This advice can also be reached from the “Treatment Selection” TAB at the bottom of the screen.

Figure 15 Criteria - available from the Treatment Selection TAB

Figure 16 Screenshot for recording and tracking Treatment

Attachment A: Three steps to developing a sound SIPOC diagram

Purpose: The purpose of a SIPOC Diagram is to define and document the key elements of an activity. This includes Customers/Requirements, Outputs, Process Steps/Requirements, Inputs and Suppliers.

Materials: SIPOC overview handout, whiteboard, worksheets, flipcharts, PowerPoint (not preferred as it can take away from engagement and participation), Posters, PostIts™ (or my favourite, coloured sticky arrows – which are then placed on a large, blank, laminated SIPOC chart)

Time: Varies. Plan for at least two hours based on the complexity of the process, the knowledge of the participants of the process, and their previous experience creating SIPOCs.

Step ONE: Get everyone on the same “purpose” page

Note 1 to facilitator: Do this step even if working with a knowledgeable group by reviewing the elements critical to conducting a successful SIPOC session. Use this review as a means of setting a positive tone and developing a “conversational” style of facilitating the session.

The five critical elements to a good SIPOC are:

1. Provide participants a brief overview of the SIPOC structure and how important it is to manage its use in terms of range of purposes. Apply the Covey principle “begin with the end in mind” – SIPOCs are flexible tools and can be focused on achieving a range of purposes – such as project planning, or vulnerability mapping or organisational restructuring. So be mindful – ask how will you USE this SIPOC?

2. The challenge for service industries (as distinct from making widgets) is to think beyond the process column (where many SIPOCs start). The challenge for individuals is to think outside of their square.

3. When recording on the SIPOC use only as much detail as needed to understand/communicate effectively.

4. Record the agreed purpose of this SIPOC session – make the agreed purpose the label of the “car park”. The “car park” is an area of white space, such as butcher’s paper or a whiteboard on wheels, which is structured to capture – as they relate to the SIPOC element being mapped at the time – (1) assumptions (2) constraints (3) risks and (4) decision criteria.

5. This is not an academic exercise - define how things really get done, not how we might want them to be.

Step TWO: Establish the Framework

Note 2 to facilitator: Groups sometimes prefer to be more “organic” than systematic. Be flexible and accommodate as long as the entire SIPOC form is completed with enough detail to understand the process. Be flexible and use plain language. Write it down, and then ask open-ended, clarifying questions to get it right. Place the “thing” or “issue” on the SIPOC at a place of best agreed fit. Challenge the status quo, test the understanding of the process, and encourage dialogue.

Note 3 to facilitator: A challenge from here on out in this process is to keep the group at a high level of detail - not allow them to get too granular. The detail can come later in the process flow diagram mapping or you can go back and break each key process step into sub-steps and SIPOC them. (It depends on the purpose of the SIPOC and the complexity of the process.)

Use the SIPOC framework (on the wall chart, computer, whiteboard, worksheet, or flipchart).

1. Seek permission and agreement from the group to start “backwards from the right” - from the Customer column.

Identify customers (some will be stakeholders with specified needs to be met which are contractual, or legally obligatory - other stakeholders may have a more indirect and general interest, needing only to be appropriately informed).

“Back into” the customer requirements column by now clearly stating the requirement(s) of each stakeholder.

(This two-set customer column should be reviewed whenever something changes – so that the ripple effects can be mapped and managed.)

2. List the outputs from the process which will deliver the requirements of the customer – and collectively, achieve the required outcome of the activity.

3. Structure a process which will deliver the outputs effectively and efficiently.

Clearly identify the START of your process (cue, prompt, trigger that requires you to act).

Clearly identify the END of your process (how do you know you are done?).

List the 3-5 (NO MORE THAN 7) key steps in the process being mapped.

Incorporate feedback loops – how will you, your customer, your supplier communicate?

(Record: Process name; Process owner; Process performance measures/metrics – structured to inform improvement opportunities; any known operational definitions of key process elements; any known assumptions/constraints and immediately apparent risks - record in “car park”)

Note 4 to facilitator: Remind the group that the assumptions and operational definitions are ongoing lists and may be added to as needed during the session. The idea is to make sure everyone is working on the same sheet of paper and means the same thing when using a term, and that those assumptions are made visible, discussed, and validated or challenged as appropriate.

4. List the inputs into each step of the process

List the requirements of each input (your view – the person doing the work)

List the supplier of each input of the process

5. List or highlight the Critical-to-Quality (CTQ) elements for the process

Step THREE: Check your work

• Review the completed SIPOC.
• Verify all key components are completed/addressed.
• Determine Next Steps/Action Plan.
• Make sure all assumptions are visible, discussed, validated, and documented.
• Document operational definitions of terms, symbols, acronyms, equipment, standards, etc.
• Do not forget to identify your information/communication loops and feedback mechanisms.
• Document source specifications, standard operating procedures, and/or references for your process.
• Review where you need to have Service Level Agreements (SLAs) – between you and supplier, you and customer.