Working In Uncertainty

Text for your risk management framework - free to copy

This is a growing collection of 'makeovers' for typical documents produced in support of risk management in a variety of organizations. The idea is to give you text you can copy, modify, and use freely that (1) covers the usual requirements, (2) encourages effective management of risk as an integral part of core management activities such as planning and design, and (3) does not impose Risk Listing.

Free to copy

Each example is based on a real, published document, paraphrased for copyright reasons, then edited to replace the Risk Listing language with more open language and, in many cases, offer language that better describes an integrated approach to risk management.

Throughout these examples, red text indicates Risk Listing language while purple text may require technical changes to the way you manage risk. Text in italics identifies words that are changed by the edits.

You can copy and paste small sections, or copy a whole table to your word processor and delete the text columns you don't want, leaving just the good stuff.

Compliant (usually)

The proposed words on this page are designed to be straightforward and appealing, so you should not need to defend your use of them. In surveys I have found that people usually have sensible preferences when faced with a realistic situation and asked to choose between alternative management techniques. (This contrasts with the often daft things people will say about risk management when asked an abstract question that calls for an abstract answer.)

If there is any challenge at all it is likely to be on the grounds that the words are not a literal interpretation of some authoritative standard or audit checklist. All the suggested words below are designed to be compliant with common requirements for risk management and internal control, but some interpretation may be needed.

If someone queries whether your policy complies with risk management requirements from some authoritative source or items on their audit checklist, use the following tactics:

  • Quote statements about integration: Most risk management standards have at least a sentence and usually much more talking about the vital importance of integrating risk management within core management activities. Find those statements in the document your approach is being judged against and quote them, with emphasis. The document probably does not explain how such integration is to be achieved, leaving you free to do anything sensible in the name of integration.

  • Point out abstract language: Many standards use abstract language to describe what you are supposed to do. Point that out. For example, the document may say that the importance of a 'risk' should be judged by its probability of occurrence and impact if it should occur. This does not actually state you should make a rating of 'probability' and another rating of 'impact' and combine them in some way. Despite the typical interpretation in those terms, what the guidance actually says is quite abstract and could also be followed using a cumulative probability distribution over impact, for example.

  • Point out that examples are just examples: Standards also offer examples, including example templates, which many people interpret as rules even though they are clearly described as examples. Point out the word 'example' and that this means other ways to comply are possible provided they meet the abstract requirements stated.

  • Interpret the phrase 'a risk' appropriately: Since 'a risk' can be just about anything in most standards it is sensible to make full use of this vagueness. If you have a business planning model that does forecasts then make a list of variables from it and call them 'risks'. Or, take your list of objectives and reword them as 'risks'. Or take a list of areas of uncertainty addressed within your various management processes and call them 'risks'.

  • Interpret the phrase 'risk appetite' appropriately: This is another notoriously vague phrase with numerous interpretations. The practical reality of 'risk appetite statements' is that they are attempts to control decision-making under uncertainty using written policies. Usually these are rather optimistic policies that do little to control behaviour, so anything you can offer that promises improvements in decision-making so that reckless choices are less likely is worth mentioning.

  • Focus on the good sense in what you are doing: Even an auditor with a narrow-minded audit checklist is a human being too, with at least a trace of common sense. If what you are doing makes sense, is natural, and clearly is helpful then people will usually see that and start trying to interpret what you are doing into concepts they can approve of and sign off.

Types of document included below

Here are links to the documents below:

Please note that this collection is growing. If you don't see something you are looking for then please email me or register your interest below using the button to say so.

Risk Management Policies

These tend to be rather high level documents (i.e. not very specific) expressing commitment to good management of risk, setting up roles, and giving some clues as to the specific approach to be used. Most use Risk Listing language from time to time and any technical details given tend to assume Risk Listing.

The suggested alternative text below is free of Risk Listing language and specific references to Risk Listing techniques. Instead, they set aspirations for managing risk effectively within core management activities. A direct interpretation of those aspirations leads to some good practices, but Risk Listing could, arguably, be used instead, though it would not be as attractive or as effective.

The suggested words reflect an underlying policy that relates to decision-making of all kinds. It is captured in these simple statements:

Objectives: We will develop and maintain sets1 of objectives2 that adequately represent3 the relevant4 legitimate interests of all stakeholders, including non-financial objectives and objectives related to long term sustainability, not just this year's profit/surplus.

Consideration: We will consider5 all the objectives when carrying out core management activities6, such as planning, monitoring, and design.

Uncertainty: When considering potential objectives, the consequences7 of alternative courses of action8 for achievement against the objectives, and applying decision rules, we will take steps to ensure that we are aware of the limitations of our knowledge and control, and the resulting uncertainty9.

Action: We will adopt appropriate10 courses of action after proper consideration of the possible consequences and uncertainty.

Notes

  1. Sets of objectives are more practical than a single set of objectives, in most cases, because different decisions involve different considerations. There is usually no need to have a set of objectives for each stakeholder.

  2. An objective here means a measure of outcomes used to evaluate them (e.g. year end profit, number of deaths in a year, value of bad debts, severity of reputation damage arising from crises). An objective is not a target or goal, but more a measure of the extent of achievement with an understanding of which direction of change is preferred.

  3. Adequately representing interests involves considering all possible levels of achievement against objectives. For example, a very poor level of achievement against a particular objective might be disastrous, but a very high level of achievement on that objective might not make much differences to the current position. This is just one possibility of many.

  4. This includes, by implication, not including irrelevant interests.

  5. Considering objectives is done by such means as measuring extent of actual achievement of objectives, trying to think of ways to achieve more against the objectives, considering the consequences for achievement against objectives of alternative courses of action, and (possibly) rewarding achievement against objectives.

  6. Core management activities are the fundamental thinking activities of running an organization, such as sense-making, establishing objectives, policy making, diagnosis of problems, business planning, monitoring, and design. Many decisions are made by applying a standard decision rule, and in this case the decision rule should be devised through proper consideration of its consequences.

  7. Consequences of a course of action are not limited to those directly triggered by that course of action. They include changes to the impact of external changes, such as the benefit provided by having backups of data, a security fence, or financial reserves.

  8. Courses of action includes plans; designs for processes, systems, structures, products, and so on; policies; alternative candidate employees or suppliers; and any other alternative in a decision.

  9. This is not limited to uncertainty about the future; there may be uncertainty as to the past or current situation that affects application of a policy, for example.

  10. Appropriate courses of action are those that make sense given the considerations. They might not be the best possible courses of action but diligent efforts to generate better courses of action are expected.

City Council Risk Management Policy

The inspiration for this is Glasgow City Council's Risk Management Policy. The makeover is very simple for a high level document like this, requiring only removal of some Risk Listing language and explicit references to Risk Listing methods, inclusion of language that is more open, and some general points about dealing with risk in key management activities.

Function of text With Risk Listing language
- do not copy
Without Risk Listing language
- please use freely

Title

XYZ City Council: Risk Management Policy Statement XYZ City Council: Risk Management Policy Statement

Commitment to risk management

XYZ City Council is fully committed to management of risks within its control, to keep employees safe, protect assets, maintain and improve its services, and make good use of funds, as part of good corporate governance.

XYZ City Council is fully committed to managing risk within its control, to keep employees safe, protect assets, maintain and improve its services, and make good use of funds, as part of good corporate governance.

Creation of a forum or committee

The Council will take an inclusive approach to managing risk by establishing a Forum representing all areas of XYZ City Council. This Forum will be a focal point for promoting risk management, ensuring that all employees understand their role in managing risk and their personal responsibilities to take ownership of risks, and sharing good practices.

The Council will take an inclusive approach to managing risk by establishing a Forum representing all areas of XYZ City Council. This Forum will be a focal point for promoting risk management, ensuring that all employees understand their role in managing risk and share good practices.

Commitment to integration

We will embed risk management through all the activities of XYZ City Council and make it part of the culture of the Council.

We will manage risk through all the activities of XYZ City Council, including management activities such as planning, monitoring, design, and decision-making.

Commitment to formality

Standards and procedures will be developed across the Council for identifying risks, analysing them, and putting in place appropriate controls.

We will do this through a planned, deliberate approach, that continues to improve and encompasses our formal systems, processes, and structures, and also the behaviours of our people from day to day.

Outline of technical approach

We will continue to develop this risk management policy, which will be underpinned by risk registers to record risks and their management systematically, and will review these risk registers regularly to make sure that risks are managed within our risk appetite.

Planning and monitoring for XYZ City Council as a whole and at various lower levels will be supported by an improving ability to make predictions as to the effect of alternative plans in which uncertainty is explicit, and make plans that respond to uncertainty. This will be achieved by combining experience and expertise with suitable calculations. The forecasts will cover all important outcomes, each with a suitable level of rigour.

Design decisions for our systems, processes, and so on will be supported in a similar way.

Commitment to continuing

Through the above policy, XYZ City Council will continue to promote risk management, allowing us to build on our successes and reduce failures.

Through the above policy, XYZ City Council will continue to promote risk management, allowing us to build on our successes and reduce failures.

Sign off

Mr Important
Chief Executive

Mr Important
Chief Executive

Another risk management policy

This example is inspired by the risk management policy of the British Library. Some of the paragraphs can have no helpful effect so I have eliminated them. In particular, trying to teach people a new and very specific meaning for the word 'risk' is usually a waste of time. I have also removed explicit reference to the lamentable Orange Book.

See how much simpler and more agreeable the policy is without all that Risk Listing rigmarole.

Function of text With Risk Listing language
- do not copy
Without Risk Listing language
- please use freely

Title

Risk Management Policy Risk Management Policy

What the document is

A statement that defines risk and outlines limits of responsibility and other policies on risk management.

 

Definition of 'risk'

Introduction

We define risk as the threat to achieving our strategy, policy, and operational goals posed by external and internal events.

 

Aim of risk management

This definition recognizes that risk can't be fully eliminated but that we can manage our exposure to those risks down to a satisfactory level.

We aim to manage risk better, but do not expect to eliminate it.

Commitment to 'integration'

We aim to integrate effective, proactive risk management, supporting systematic, well-managed risk taking, into our culture.

Management of risk will be embedded through all levels of our organization, supported by training and education.

We will manage risk throughout our management activities and operations and provide training and education to help people do this effectively.

Position relative to internal control

Our internal control framework includes our risk management approach.

Our internal control framework includes our risk management approach.

Compliance with guidance

Our approach will meet the requirements of The Orange Book and also be improved with good practice from other organizations.

Our approach will meet requirements externally imposed and also be improved with good practice from other sources.

Outline of method

We will identify and manage risks that threaten achievement of the strategic goals in our Business Plan or operational goals in Divisional Plans.

Risks will be assessed against criteria approved by the Board. These criteria cover the likelihood of occurrence of the risk and its potential impact. Each risk will be classified as internal or external and assessed for its effect on strategy, reputation, operations, or finances.

At the beginning of a year (for operational services) or the beginning of a programme or project, each senior manager responsible for work with a risk will assess the risks applying to that work using the approved criteria.

They will also identify the acceptable tolerance level for each of their risks and agree it with our Risk Group. As risks are managed this tolerance level will be used to prompt escalation of risk reporting to senior management.

Each risk will be managed using an agreed response, ranging from terminating the risk, through reduction measures, acceptance, and monitoring or transfer.

The manager responsible for each risk will review it. Also, risks will be reviewed:

  • annually by the Board (in the planning cycle);

  • quarterly by the Exec Team (in the business plan monitoring cycle);

  • at each of its meetings by the Board Audit Committee;

  • monthly (but exceptions only) by the Executive Team; and

  • monthly by Divisional Management teams (just their risks).

Local risk registers will be developed as needed based on these policy principles.

In developing our Business Plan, Divisional Plans, and programme/project plans we will explicitly consider uncertainty as to the results of alternative plans under consideration and refine our plans in response to that uncertainty.

The effort to manage uncertainty as to outcomes for strategy, reputation, operations, and finances will be directed by the Board.

This approach will also be applied to monitoring progress and to the design of our system, processes, premises, and other elements of our organization.

Roles

Roles and responsibilities

Each management level is responsible for being risk aware and managing risks.

The main roles are these:

  • The Board will confirm that achieving policy aims will be helped by the risk management approach.

  • The Board Audit Committee will review the risk management process annually and progress of risk management actions every 4 months.

  • The Accounting Officer will ensure that the risk management framework is sufficient and processes operate to ensure it works effectively.

  • Members of the Executive Team will review risks in their areas of responsibility and champion culture change.

  • The Risk Group includes the Heads of Compliance, Estates Risk, IT Security, and Finance Managers of each Division. The Group will maintain the risk register (making changes promptly) and provide advice and risk training for managers.

  • Managers at all levels will ensure that risks of their activities are identified, documented, assessed, and managed as agreed.

  • Internal Audit will independently review the overall internal control framework, including risk management, and report findings to the Finance Office and Board Audit Committee.

Roles and responsibilities

Each management level is responsible for being risk aware and managing risk.

The main roles are these:

  • The Board will confirm that achieving policy aims will be helped by the risk management approach.

  • The Board Audit Committee will review the risk management approach annually and progress of risk management actions every 4 months.

  • The Accounting Officer will ensure that the risk management approach is sufficient and that those features of management that help to manage risk work effectively.

  • Members of the Executive Team will manage in ways that manage risk effectively in their areas of responsibility and will promote the same behaviours to their subordinates.

  • The Risk Group includes the Heads of Compliance, Estates Risk, IT Security, and Finance Managers of each Division. The Group will provide advice and risk training for managers.

  • Managers at all levels will manage in ways that manage risk effectively.

  • Internal Audit will independently review the overall internal control framework, including risk management, and report findings to the Finance Office and Board Audit Committee.

A slightly longer policy

This is inspired by an example risk management policy offered by the Welsh Sports Association for use by sports clubs and other organizations under its wing. It is slightly longer than the other examples of risk management policies and mixes risk management material with internal control material, which is helpful.

Function of text With Risk Listing language
- do not copy
Without Risk Listing language
- please use freely

Title

Risk Management Policy Risk Management Policy

Aims of the document

This document:

  • is part of our internal control and governance framework;

  • outlines our approach to risk management, including the role of the Board and other key roles, important aspects of the risk management process, and reporting procedures; and

  • describes how the Board will evaluate the effectiveness of our internal control procedures.

This document:

  • is part of our internal control and governance framework;

  • outlines our approach to risk management, including the role of the Board and other key roles, important aspects of risk management processes, and reporting procedures; and

  • describes how the Board will evaluate the effectiveness of our internal control procedures.

Guiding principles

Approach to risk management

These principles guide our approach to risk management and internal control:

  • The Board is responsible for overseeing our risk management.

  • The Board will take an open and receptive approach to solving risk problems.

  • Our staff give advice on and implement policies approved by the Board.

  • We recognize and disclose the financial and other implications of risks prudently.

  • All staff will promote good risk management practice within their areas of work.

  • Key risks will be identified by the Board and employees and be closely and regularly monitored.

Approach to risk management

These principles guide our approach to risk management and internal control:

  • The Board is responsible for overseeeing our risk management.

  • The Board will take an open and receptive approach to solving risk problems.

  • Our staff give advice on and implement policies approved by the Board.

  • We recognize and disclose the financial and other implications of risk prudently.

  • All staff will promote good risk management practice within their areas of work.

Roles

Role of the Board

The Board's role is to:

  • Establish our tone and influence our risk management culture by:

    • communicating our approach to risk;

    • deciding which types of risk are acceptable and which are not; and

    • setting expectations and standards for staff concerning conduct and probity.

  • Decide our risk appetite.

  • Approve major decisions affecting our risk profile.

  • Identify risks and monitor management of key risks to reduce the chances of unwelcome surprises.

  • Satisfy itself that non-key risks are being managed, with suitable controls operating effectively.

  • Review our approach to risk management annually and approve changes to it.

Role of key staff

Key staff will:

  • Implement policies on risk management and internal control.

  • Identify and evaluate the key risks we face for consideration by the Board.

  • Supply adequate, timely information to the Board and its sub-committees concerning the status of risks and controls.

  • Annually review the effectiveness of the system of internal control and report findings to the Board.

Role of the Board

The Board's role is to:

  • Guide our risk management behaviours by:

    • communicating our approach to managing risk;

    • deciding how to evaluate risk within decisions; and

    • setting expectations and standards for staff concerning conduct and probity.

  • Approve major decisions affecting our risk profile.

  • Define when and how risk is to be analysed and monitor actions to improve management of risk.

  • Satisfy itself that risk is being managed, with appropriate decision-making and appropriate controls operating effectively.

  • Review our approach to risk management annually and approve changes to it.

Role of key staff

Key staff will:

  • Implement policies on risk management and internal control.

  • Analyse risk, where appropriate, for consideration by the Board.

  • Supply adequate, timely information to the Board and its sub-committees concerning the status of risk.

  • Annually review the effectiveness of the system of internal control and report findings to the Board.

Elements of internal control

Risk management as part of the system of internal control

Our internal control system incorporates risk management. This system includes elements that together promote an effective and efficient operation, enabling us to respond to a variety of financial, operational, and commercial risks. These elements include:

a. Policies and procedures

Policies underpinning internal control are linked to key risks. These policies are set by the Board, implemented, and communicated to staff. Where appropriate, written procedures support the policies.

b. Reporting

Our reporting is designed to monitor key risks and their controls. Decisions to solve problems are made at regular meetings of the Board.

c. Business planning and budgeting

The business planning and budgeting process is used to set objectives, agree action plans, and allocate resources. Progress on meeting the objectives is monitored regularly.

d. Self Assurance Process

We assess whether we are fit to receive public funds by our annual self assurance process, which provides assurance that our structures, plans, policies and procedures are monitored and improved to achieve our objectives and use our funds well.

e. Internal and external audits and advice

External audit informs the Board about the operation of those internal controls reviewed within their annual audit.

External consultants will sometimes be necessary in areas like health, safety, and human resources. This can also increase reliability of our internal control system.

f. Risk management Process

We operate a risk management process as follows:

  • Review of last year’s risk management report.

  • A risk identification exercise for the new year.

  • Assessment and evaluation of identified risks.

  • Management of risks using controls.

  • Recording and monitoring risks using risk registers.

  • Assigning responsibility for risks to suitable individuals.

Risk identification is not just an annual process. Board and staff members should report and update risk registers and perform assessments throughout the year.

Risk management contributes to internal control

Managing risk contributes to internal control. Internal control for us involves elements that together promote an effective and efficient operation. These elements include:

a. Policies and procedures

Policies underpinning internal control are linked to our core activities. These policies are set by the Board, implemented, and communicated to staff. Where appropriate, written procedures support the policies.

b. Reporting

Our reporting is designed to monitor risk and its management.

c. Business planning and budgeting

The business planning and budgeting process is used to set objectives, agree action plans, and allocate resources. Progress on meeting the objectives is monitored regularly.

d. Self Assurance Process

We assess whether we are fit to receive public funds by our annual self assurance process, which provides assurance that our structures, plans, policies and procedures are monitored and improved to achieve our objectives and use our funds well.

e. Internal and external audits and advice

External audit informs the Board about the operation of those internal controls reviewed within their annual audit.

External consultants will sometimes be necessary in areas like health, safety, and human resources. This can also increase reliability of our internal control system.

f. Risk management in core management activities

We manage risk within core management activities as follows:

  • Objectives cover the legitimate interests of all stakeholders.

  • Those objectives are considered within core management activities, such as planning, monitoring, and design.

  • This consideration includes explicit awareness of the limitations of our knowledge and control, and resulting uncertainty.

  • This consideration leads to adopting appropriate courses of action, including designs.

Approach to annual review

Annual review of effectiveness

The Board reviews the effectiveness of our internal control, using information from senior staff, as outlined below.

For each key risk identified the Board will:

  • review our track record on risk management and internal control over the previous year; and

  • consider the risk profile for the coming year and consider whether existing internal control arrangements are likely to be effective.

In reaching a decision the Board will consider the following:

a. Control environment

  • our objectives and targets

  • our organization structure and the quality of our people

  • our culture, approach, and resources for managing risk

  • delegation of authority

  • public reporting.

b. Continuing identification and evaluation of key risks:

  • prompt identification and assessment of key risks

  • prioritization of risks and allocation of resources to areas of high exposure.

c. Information and communication:

  • quality and timeliness of information about key risks

  • time taken to recognize control failures and identify new risks.

d. Monitoring and corrective action:

  • our ability to learn from our problems

  • strength and speed of corrective actions.

The staff member responsible for risk management will provide a report of the review of effectiveness of internal control annually for consideration by the Board.

Annual review of effectiveness

The Board reviews the effectiveness of our internal control, using information from senior staff, as outlined below.

For each business plan objective the Board will:

  • review our track record on risk management and internal control over the previous year; and

  • consider the risk profile for the coming year and consider whether existing internal control arrangements are likely to be effective.

In reaching a decision the Board will consider the following:

a. Control environment

  • our objectives and targets

  • our organization structure and the quality of our people

  • our behaviours, approach, and resources for managing risk

  • delegation of authority

  • public reporting.

b. Continuing management of risk:

  • prompt incorporation of new knowledge into forecasting for business planning, business monitoring, and business design

  • adaptation of our plans, processes, and so on in response.

c. Information and communication:

  • quality and timeliness of information about risk

  • time taken to recognize problems and update forecasts.

d. Monitoring and corrective action:

  • our ability to learn from our problems

  • strength and speed of corrective actions.

The staff member responsible for supporting risk management will provide a report of the review of effectiveness of internal control annually for consideration by the Board.

Risk Listing Procedures

These documents give more procedural detail than policies. It is common to write them as if Risk Listing is the only approach to managing risk and to call it 'risk management'.

In the revised version below this has been changed. In addition, useless guidance has been deleted and some Risk Listing details have been improved.

In an ideal situation there would be no Risk Listing at all, but many organizations will have Risk Listing now and the first step towards replacing it is to make space to recognize other forms of risk management too.

Government office risk listing procedure

The inspiration for this example is a document called Risk Management Policy and Procedures, from the Information Commissioner's Office (UK). It's a nicely written document but, sadly, entirely and uncritically devoted to Risk Listing.

Function of text With Risk Listing language
- do not copy
Without Risk Listing language
- please use freely

Title

Risk Management Policy and Procedures Risk Listing Policy and Procedures

Contents list

Contents

1. Introduction and overview

2. Completing our Risk Register

3. Roles and responsibilities

Annexes

Annex A – Risk probability and impact rating

Annex B – Tool for identifying risks

Annex C – Risk Register template

Contents

1. Introduction and overview

2. Completing our Risk Event List

3. Roles and responsibilities

Annexes

Annex A – Risk Event levels

Annex B – Tool for defining sets of Risk Events

Annex C – Risk Event List template

Aim of the document

1. Introduction and overview

Purpose of this document

1.1 To describe our risk management policy and procedures. This should be read by executive team members and their direct reports, who should explain it to their staff.

1. Introduction and overview

Purpose of this document

1.1 To describe our risk listing policy and procedures. This should be read by executive team members and their direct reports, who should explain it to their staff.

Explaining a 'risk event'

What is 'risk'?

1.2 A 'risk' is an event/cause leading to uncertainty over the outcome of our operations.

For example, planned call waiting time levels are based on predicted complaint numbers. If the risk 'more complaints are made than predicted' occurs then call waiting times will rise unless people move off other work to help.

Risks can be opportunities as well as threats. For example, if the risk 'there are fewer complaints than predicted' occurs then call waiting times could be improved, or staff moved to where they are more needed.

What is a 'Risk Event'?

1.2 A 'Risk Event' defines two future states of the world: one in which the risk event happens and another in which it does not happen. Risk Events are chosen to represent important uncertainty over the outcomes we achieve.

For example, planned call waiting times are based on predicted complaint numbers. If the Risk Event 'more complaints are made than predicted' occurs then call waiting times will rise unless people move off other work to help.

Risk Events can represent futures above or below our expectations, helpful and unhelpful. For example, if the Risk Event 'there are fewer complaints than predicted' occurs then call waiting times could be improved, or staff moved to where they are more needed.

Reasons for Risk Listing

Why we need to manage risks

1.3 Every day we manage risk without saying we are doing 'risk management'. We think about what might go wrong and try to reduce the impact if that happens. However, we cannot rely on an informal approach and we need to provide assurance to various authorities that we are managing risk well. So, we need to formally identify risks and mitigating actions.

Why we need to list Risk Events

1.3 Every day we manage risk in core management activities using approaches that we continue to improve and formalize. However, there are some activities where this is not yet fully mature and there are situations where past decisions still need to be reviewed in case risk was not properly considered. Therefore, we will continue to list Risk Events and related actions post hoc, for the time being.

Who will list Risk Events

Who should think about risks

1.4 The executive team has the main responsibility for identifying risks. Its members should think about existing and new corporate risks and they are well placed to do so.

1.5 The Board, Audit Committee, and other committees also have a role, so the risk register will be taken to them as needed.

1.6 Staff also have a role in identifying risks. The risk register is online and staff should contribute.

Who should think about Risk Events

1.4 The executive team has the main responsibility for defining a useful set of Risk Events. Its members should think about the existing set and about improvements and adaptations in order to get an analysis that reflects their high level view.

1.5 The Board, Audit Committee, and other committees also have an interest, so the Risk Event List will be taken to them as needed.

1.6 Staff can also contribute to creating a useful analysis. The Risk Event List is online and staff should offer suggestions.

When to list and review Risk Events

When to consider risks

1.7 Risks need to be considered as decisions are made. Most importantly, as our goals develop through the planning cycle, executive team members and managers need to reconsider existing risks and look at plans for the next few years and risks that might arise. This needs to be done so that responses are included in business plans.

When to consider Risk Events

1.7 Risk Events should be considered as near to decision-making as reasonably possible. Most importantly, at suitable points in the planning cycle, executive team members and managers need to reconsider the existing set of Risk Events and adapt it to suit the next few years. This needs to be done so that mitigating actions not already included in business plans can be added.

Levels of Risk Event

Project and departmental risks

1.8 Projects can have their own risk registers. If a project risk is high priority it should be included in the top level corporate risk register. The project manager or project steering group should advise the executive team of such risks e.g. through regular highlight reports.

1.9 Managers can identify risks to their departments' aims and responses should be included in business plans for serious risks. Risks thought suitable for the top level corporate risk register should be proposed to the executive team.

Project and departmental Risk Event sets

1.8 Projects can have their own sets of Risk Events and these may give rise to suggested changes to the top level corporate set of Risk Events.

1.9 Managers can have their own sets of Risk Events and these too may give rise to suggested changes to the top level corporate set of Risk Events.

Policies on Risk Event levels

Risk appetite

1.10 'Risk appetite' says how much risk an organization is prepared to take and can vary over time and between work areas. If our risk appetite is clearly stated then staff can consider it when making decisions. The executive should, when considering risk, state the risk appetite as they perceive it.

1.11 The risk register guides risk owners to consider risk appetite as they update a risk entry because they need to consider the final tolerable risk status, after mitigation, and aim to reach it.

Risk targets

1.10 Each Risk Event on our Risk Event List has a target risk level, which is the level that mitigation should aim to achieve or better. This target level will vary over time and should be set and revised by the executive team.

1.11 The Risk Event List has the target risk level stated against each Risk Event, guiding decisions about mitigating actions.

Responses to Risk Events

Options for responding to a risk

1.12 There are alternative ways to respond to a risk.

  • Treat: If we can reduce the risk sensibly with mitigating actions then we should. This is what we do for most risks on the risk register.

  • Transfer: Risks can sometimes be transferred to another organization, e.g. through insurance or transferring out an area of work.

  • Terminate: This refers to not doing work in a specific area in order to mitigate the related risk(s). For example, a project that is very high risk and whose risks cannot be mitigated, might be cancelled.

  • Tolerate: If risk cannot be reduced sufficiently by other means, in a proportionate way, we can decide to tolerate the risk and do nothing more to reduce it.

    If the risk is 'green' after existing mitigating actions then it is usually tolerated.

Options for responding to a Risk Event

1.12 There are alternative responses that can be suggested when a Risk Event level is thought to be too high under existing plans and designs.

  • Mitigate: If we can reduce the risk level sensibly with mitigating actions then we should.

  • Avoid: This refers to not doing work in a specific area in order to avoid risk related to it. For example, a project that is very high risk even after careful planning might be cancelled.

  • Transfer of consequences: Uncertain consequences can sometimes be transferred to another organization, e.g. through insurance.

Risk Event List fields

2. Completing the Risk Register

Completing the register

2.1 The fields of the risk register template are explained below.

RISK AREA: Category of the risk

OWNER: The executive team member responsible for the risk and its mitigation

GOAL: The goal linked to the risk

DESCRIPTION: Description of the risk in terms of an event and its results

INHERENT RISK LEVEL: Risk ratings before existing responses

PROBABILITY:, IMPACT:, OVERALL:

EXISTING RESPONSES: Actions already in place

EXISTING ASSURANCES: Processes that currently ensure a response is working

CURRENT RISK LEVEL: Risk ratings taking into account existing responses

PROBABILITY:, IMPACT:, OVERALL:

ACCEPTABLE: If 'no' then further action is needed

FUTURE RESPONSES: Planned actions not yet happening designed to reduce the level further

OWNER: Managers responsible for each response

DUE: Expected finish dates

FUTURE RISK LEVEL: Risk rating after future responses

PROBABILITY:, IMPACT:, OVERALL:

2. Completing the Risk Event List

Completing the list

2.1 The fields of the Risk Event List template are explained below.

EVENT AREA: Category of the Risk Event

OWNER: The executive team member responsible for any actions arising

GOAL: The goal linked to the Risk Event.

DEFINITION: Definition of the Risk Event

EXISTING RESPONSES: Actions already in place - interpreted widely

EXISTING ASSURANCES: Processes that currently ensure a mitigation is working.

CURRENT RISK LEVEL: Risk Event level taking into account existing responses

P(I>0), P(I>1), P(I>2), P(I>3), P(I>4), OVERALL:

NO FURTHER ACTION: If not ticked then further action is needed.

FUTURE RESPONSES: Planned actions not yet happening designed to reduce the level further

OWNER: Managers responsible for each response

DUE: Expected finish dates

FUTURE RISK LEVEL: Risk Event level after future responses

P(I>0), P(I>1), P(I>2), P(I>3), P(I>4), OVERALL:

How to set Risk Event level

Risk rating

2.2 Risk rating is a summary assessment of a risk's importance. It is based on the probability of the risk occurring and the impact on us if the risk occurs.

We rate risks so they can be prioritized. For example, a high impact, high likelihood risk should get more attention than a high impact, low likelihood risk.

2.3 A colour and a number are used to show the risk rating. Annex A advises on setting probability and impact.

Risk Event level

2.2 The Risk Event level is a summary assessment of a Risk Event's importance. It is based on the probability of the Risk Event having an overall impact on us that is greater than each of five levels (as described in Annex A).

We give more attention to Risk Events with a high level of importance.

2.3 A coloured bar and a number are used to show the Risk Event level.

Assessments needed

2.4 Three risk ratings are needed.

  • Risk rating before existing responses – a rating as if no action is taken.

  • Risk rating after existing responses – a rating taking account of existing responses aimed at reducing the risk.

  • Risk rating after future responses – a rating of the risk level we expect after all the responses planned are done.

2.4 Two Risk Event level assessments are needed.

  • Risk Event level after existing responses – an assessment taking account of existing responses aimed at reducing the Risk Event level.

  • Risk Event level after future responses – an assessment of the level we expect after all the responses planned are done.

Decision rule

2.5 If we think the risk rating is acceptable then there is nothing more we can do and the risk should be tolerated. However, if the risk rating is unacceptable (considering our risk appetite) then we need to plan further responses.

2.5 If we can think of a response that is worthwhile, given our limited resources, then it should be suggested. We should make more effort to think of worthwhile responses where they are more likely to be found (e.g. where the Risk Event level is high and little thought has previously been given to responses).

Summary

Management summary

2.6 The risk register has a one page summary listing the risks, their ratings, and indicating if their ratings after existing responses are improving.

Management summary

2.6 The Risk Event List has a one page summary listing the Risk Events, their levels, and indicating if their levels after existing responses are improving.

Roles

3. Roles and responsibilities

3.1 Executive team

  • Identify risks.

  • Review, in detail, risks and responses.

  • Consider risks during decision-making.

  • State a risk appetite when decision-making.

3.2 Management Board

  • Review the risk register quarterly and check that the risk management process works as intended.

  • Identify additional risks.

3.3 Audit Committee

  • Advise on the strategic process for governance, control, and risk, and the Statement on Internal Control.

  • Identify additional risks.

3.4 Executive team direct reports

  • Identify risks to achieving their unit's business plan and those that might also be overall risks. Advise the executive team of such risks.

  • Identify relevant responses, include them within their unit's business plan, and meet that plan.

  • Be alert for other risks that might arise during the year.

3.5 Risk and Governance Manager

  • Manage the risk management process so that:

    • the risk register is presented to corporate governance groups as required;

    • the risk register is online and staff are urged to contribute;

    • inconsistencies in the risk register are followed up; and

    • the Risk Management Policy stays up to date.

3.6 All staff

  • Raise risks they have identified with their managers.

3. Roles and responsibilities

3.1 Executive team

  • Devise and maintain a list of Risk Events.

  • Review, in detail, the Risk Events and responses to them.

  • Consider risk during decision-making.

3.2 Management Board

  • Review the Risk Event List quarterly and check that risk is managed as intended.

  • Offer suggestions to improve the set of Risk Events.

3.3 Audit Committee

  • Advise on the strategic process for governance, control, and risk, and the Statement on Internal Control.

  • Offer suggestions to improve the set of Risk Events.

3.4 Executive team direct reports

  • Manage risk as they develop and execute their unit's business plan, and make suggestions for improving the set of Risk Events.

  • Identify relevant responses to Risk Events, include worthwhile new responses within their unit's business plan, and meet that plan.

3.5 Risk and Governance Advisor

  • Manage the Risk Event Listing process so that:

    • the Risk Event List is presented to corporate governance groups as required;

    • the Risk Event List is online and staff are urged to contribute;

    • inconsistencies in the Risk Event List are followed up; and

    • the Risk Event Listing Policy stays up to date.

3.6 All staff

  • Share important uncertainty with their managers.

Risk assessment bands

Annex A

Choose a probability band and impact band for each risk and multiply the indices of each to get a number between 1 (1 x 1) and 25 (5 x 5).

Probability bands:

Very low: 0 - 5% (1)
Low: 6 - 20% (2)
Medium: 21 - 50% (3)
High: 51 - 80% (4)
Very high: 81 - 100% (5)

Impact bands:

Very low: Minor impact in one/a few areas. (1)
Low: Minor impact in many areas. (2)
Medium: Major impact in one/a few areas. (3)
High: Major impact in many areas. (4)
Very high: Major impact for our whole organization. (5)

Annex A

For each impact level, choose a probability band and let the spreadsheet template work out the overall level.

Impact levels:

0. Worse than none at all.
1. A minor impact in many areas, or worse.
2. Major impact in one/a few areas, or worse.
3. Major impact in many areas, or worse.
4. Major impact for our whole organization.

Probability bands:

Very low: 0 - 5%
Low: 6 - 20%
Medium: 21 - 50%
High: 51 - 80%
Very high: 81 - 100%

Core process summary

Annex B: Tool for identifying risks

1. Identify personal/unit/organizational goals, objectives, and targets.

2. Consider what might prevent goals etc from being achieved and describe in terms of event/cause and result.

3. Prioritize each risk according to its rated impact and likelihood.

4. Identify responses and include them in business plans if appropriate. Responses should be time limited and specific.

5. Agree risk rating after responses.

Annex B: Tool for defining sets of Risk Events

1. Identify personal/unit/organizational goals, objectives, and targets.

2. Consider the drivers of those results and capture uncertainty about the main drivers using Risk Events.

3. Increase the level of detail where Risk Event levels are high, splitting Risk Events where necessary.

4. Think of new responses and suggest including any that are worthwhile in business plans.

5. Agree Risk Event levels after responses.

Job descriptions

The process of imprisoning an aspiring risk manager in a Risk Listing box can start with some casual words thrown together by someone in HR helping to draft a job advertisement and job description. It's just a few words. Does it matter if they are not technically ideal? Yes, a bit.

Job advertisement - IT risk manager

The inspiration for this is a fairly typical job advertisement for an IT risk manager in a bank. In the original text there is a scattering of Risk Listing language, but also the assumption that risk management is something done by a specialist, not something done by everyone with the help of experts.

Function of text With Risk Listing language
- do not copy
Without Risk Listing language
- please use freely

Title

Job Description Job Description

Summary of role

Description: The IT Risk Manager will have responsibility for identifying and assessing risk linked to the technology and systems infrastructure of our XYZ business unit.

Description: The IT Risk Manager will provide expert help with risk analysis for the technology and systems infrastructure of our XYZ business unit.

A bit more detail

This manager will be responsible for identifying and evaluating potential and recognized risks linked to our technology and related projects, working with business areas to increase their awareness, recommending actions to mitigate exposure and prevent loss, and developing reporting and analytics for senior management. The IT Risk Manager will use internal data to evaluate:

  • XYZ platform functionality

  • effects of system migrations, upgrades, and changes

  • integration of new technology

  • third-party systems

  • the causes, impacts, and correction of system disruptions

This manager will work with business areas to help them analyse and manage risk more effectively, providing insight for particular analyses and suggestions for management actions, and raising skills and awareness of risk. The manager will also develop reports for senior management showing progress in improving risk management across the business and on particular platforms and projects. The IT Risk Manager will use internal data to help evaluate:

  • XYZ platform functionality

  • effects of system migrations, upgrades, and changes

  • integration of new technology

  • third-party systems

  • the causes, impacts, and correction of system disruptions

The job itemised

Responsibilities:

  • Work in partnership with XYZ businesses, including Information Technology Services, Operations, Legal and Compliance, to understand current and planned XYZ systems.

  • Help businesses identify and escalate potential risks.

  • Help evaluate new business technology projects to identify potential risks.

  • Identify issues such as direct financial losses, reputational damage, and regulatory problems arising from system and execution failures, outages, and projects.

  • Create and use metrics for trends and IT risks.

  • Develop risk analysis and reporting for presentation to business and senior managers.

Responsibilities:

  • Work in partnership with XYZ businesses, including Information Technology Services, Operations, Legal and Compliance, to understand current and planned XYZ systems.

  • Help businesses analyse risk.

  • Help evaluate new business technology projects to analyse risk.

  • Identify issues such as direct financial losses, reputational damage, and regulatory problems arising from system and execution failures, outages, and projects.

  • Create and use metrics for trends and IT risk.

  • Develop risk analysis and incorporate risk in reporting for presentation to business and senior managers.

Qualifications

Qualifications:

  • BA or BSc (or equivalent work experience) in finance, accounting, mathematics, or business.

  • 3 - 5 years of risk management or IT risk management experience in our sector, preferably with a business like ours.

  • Good knowledge of technologies used in our industry.

  • Strong problem solving and analytical skills.

  • Ability to design informative and helpful reports and presentations.

  • Desire to build relationships across our business.

  • Ability to work independently and to focus on detail.

  • Good skills with Excel, PowerPoint, Word, and Access.

  • Understanding of regulation related to our business.

Qualifications:

  • BA or BSc (or equivalent work experience) in finance, accounting, mathematics, or business.

  • 3 - 5 years of risk management or IT risk management experience in our sector, preferably with a business like ours.

  • Good knowledge of technologies used in our industry.

  • Strong problem solving and analytical skills.

  • Ability to design informative and helpful reports and presentations.

  • Desire to build relationships across our business.

  • Ability to work independently and to focus on detail.

  • Good skills with Excel, PowerPoint, Word, and Access.

  • Understanding of regulation related to our business.

Puff about the employer

Not relevant to Risk Listing

Not relevant to Risk Listing

Various regulations

From a charity regulation

This extract is inspired by Accounting and Reporting for Charities: Statement of Recommended Practice (revised 2005) applying to charities in the UK. It contains some fairly typical rules that impose Risk Listing, though the underlying intention is just for better governance and reporting.

Function of text With Risk Listing language
- do not copy
Without Risk Listing language
- please use freely

Require public reporting about risk faced

One of many rules setting out the contents of the Trustees' annual report:

"A statement should be provided confirming that the major risks to which the charity is exposed, as identified by the trustees, have been reviewed and systems or procedures have been established to manage those risks."

One of many rules setting out the contents of the Trustees' annual report:

"A statement should be provided confirming that risk involving the charity, as analysed by the trustees, has been reviewed and systems or procedures have been established to manage that risk."

From a proposed corporate governance code

This extract is from Risk Management, Internal Control and the Going Concern Basis of Accounting: Consultation on Draft Guidance to the Directors of Companies applying the UK Corporate Governance Code and associated changes to the Code (from November 2013) that suggested rules to apply to big companies in the UK. The document contains a lot of Risk Listing material and the point below is just one.

Function of text With Risk Listing language
- do not copy
Without Risk Listing language
- please use freely

Considering if the company is a going concern

"C.2.1. The board should carry out a robust assessment of the principal risks facing the company, including those that would threaten its solvency or liquidity. In the annual report the directors should confirm that they have carried out such an assessment and explain how the principal risks are being managed or mitigated. They should indicate which, if any, are material uncertainties in relation to the company's ability to continue to adopt the going concern basis of accounting."

"C.2.1. The board should consider carefully future possibilities for the company, including insolvency and inadequate liquidity, and define factors that are important drivers of the overall uncertainty about its financial position. In the annual report the directors should confirm that they have carried out such a consideration, explain what they do to maintain solvency and adequate liquidity, and state which factors remain the source of significant uncertainty as to the company's ability to continue to adopt the going concern basis of accounting."






Made in England

 

Words © 2014 Matthew Leitch