
IRM’s Professional Standards in Risk Management

PART 1 Consultation: Functional Standards

Setting standards

Building capability

Championing learning and development

Raising the risk profession’s profile

Supporting organisational performance


Contents

Building excellence in risk management 3

An Enterprise Risk Management (ERM) approach 3

Using the standards in practice 4

IRM’s Professional Standards Framework 5

The standards 8


Building excellence in risk management

As the professional body for risk management, IRM sits at the heart of the risk profession. We lead on developing standards, building skills, cultivating talent, championing learning and development, and supporting individuals and organisations to improve their performance through building their risk management capability.

High standards of competence and integrity are vital to the success of the risk profession. IRM’s standards underpin our qualifications and professional membership. They will also underpin IRM’s continuing professional development activities, such as training and events. These elements provide individuals with a valuable route to keep their knowledge and skills up to date and build a successful career in risk management. IRM’s standards help employers build their organisational risk capability, giving them a professional benchmark to recruit and retain appropriately trained and qualified people.

An Enterprise Risk Management (ERM) approach

All organisations need to take risks at the strategic, tactical and operational levels to deliver their objectives. Anything that makes achieving these objectives uncertain is a risk and needs to be managed. Enterprise Risk Management (ERM) is an integrated approach to managing risks across an organisation. Led by an organisation’s board, it provides clear frameworks and processes and provides a context and structure within which risk and reward are managed and communicated to internal and external stakeholders. Risk management should not be exercised in a silo. It should be embedded in the general management of an organisation and fully integrated with other functions such as finance, strategy, internal control, procurement, continuity planning, HR and compliance. The degree of this integration will vary, depending on an organisation’s size, risk maturity, culture, implementation processes, operating models and external environment.


Modern organisations must cope with greater uncertainty in an increasingly volatile and unpredictable world. How mature and well developed an organisation’s approach to ERM is can significantly affect its capability to take strategic risk decisions. If underdeveloped, it can lead to serious reputational and financial damage. Organisations may have risk specialist functions like insurance, health and safety and business continuity. An ERM approach to risk management brings all these aspects together to create an integrated approach that is clearly aligned with an organisation’s governance and business objectives.

Using the standards in practice

The standards define what good risk management looks like. They provide an overview of what is expected of a risk professional at each stage of their career. They have been designed to be used by risk professionals, but also to be a valuable tool for employers, HR and training professionals, recruiters and regulators.

Individual risk professionals

Risk professionals are responsible for their own professional development. Individuals can use the standards as a benchmark to measure their current competence levels. The standards provide individuals with a useful tool to identify gaps in their knowledge and skills, which may be a barrier to promotion, or improve performance in their current job. They also provide clarity on what will be expected of individuals as they progress through the different career levels.

Employers, HR and training professionals

The standards help organisations benchmark their risk management capabilities against the competences they need. They help them identify any knowledge and skills gaps and the corresponding learning and development needs, and identify any resource needs. The standards should also become a key aspect of any risk management recruitment and selection process, as they help with writing job adverts and job descriptions, candidate searches, interview aids and role profiles.

Recruiters

The standards provide a valuable tool for recruitment firms and head-hunters. They help identify, benchmark, and advise employers on the placement of appropriately qualified and experienced candidates for specific jobs.

Regulators

Regulators can use the standards as a guide to set out what criteria a ‘fit and proper person’ should meet if practising risk management in a regulated sector.


IRM’s Professional Standards Framework

The Professional Standards Framework has been developed by researching over 30 risk management and associated risk management competency frameworks. We have also consulted extensively with practitioners, academics and employers. The Framework reflects our expectations of the knowledge, skills and behaviours that are required of those working in risk management. The standards have been designed to provide individuals and organisations with an overview of what risk professionals need to do, what they need to know and how they need to do it. The Framework is made up of:

Functional standards – these define the knowledge and skills required to do the job.

Behavioural standards – these describe the personal qualities and behaviours needed to operate effectively.

This document sets out the functional standards. The behavioural standards which underpin the functional standards will be circulated for consultation separately in April 2015.

Design principles

The standards have been developed to reflect:

An enterprise risk management approach, recognising the principles of the global risk management standard, ISO 31000 and other influential and relevant standards.

The need for risk professionals to have both technical risk management and business knowledge and skills.

Different levels of risk maturity within organisations, depending on size, sector and geographical region.

Aspirations of organisations that wish to raise their risk management standards and capabilities and where appropriate, develop a risk management function.

The wide range of variations in job roles between sectors and organisations.

The need for individuals and employers to adapt standards to roles and responsibilities as organisational strategy and priorities evolve.

IRM’s standards are jargon free and easy to understand and use. They are flexible and can be adapted and implemented in all types of organisations, sectors and geographical regions. They are outcomes based and can easily be measured. They purposefully do not prescribe exactly what must be done or in what way, to ensure they remain adaptable and future-proof. While the standards are written as competences, they implicitly include the relevant knowledge needed to meet the competence.


Structure

The standards are broken down into FOUR discrete areas:

1. Insights and context

2. Strategy and performance

3. Risk management process

4. Organisational capability

Each of these areas has been divided into a number of components. See page 8.

Career levels

Due to the universal nature of risk and the wide variation in job roles between sectors and organisations, IRM’s framework is based around four career levels, rather than specific job roles or titles.

Leadership level

Senior level

Management level

Junior level

Each level encompasses a number of different roles and job titles. For example, the Leadership level includes Chief Risk Officer, Director of Risk Management, Heads of Risk Management and Partners and so on. The table below provides a summary of what is expected at each career level. Knowledge in the standards is accumulated as individuals progress from Junior to Leadership level.


Career level – Summary description – Examples of job titles

Leadership level – Highest level of knowledge and application
KEY WORDS: INFLUENCES / SHAPES
Summary description: Shapes an organisation’s risk strategy and direction and provides oversight of risk matters. Influences and informs decision-makers on risk management strategies. Influences the direction and profile of risk management and the profession.
Examples of job titles: Chief Risk Officer; Director of Risk Management; Head of Risk Management; Director; Partner

Senior level – Advanced level of knowledge and application
KEY WORDS: DELIVERS / STEERS
Summary description: Delivers risk management policies and procedures and contributes proactively to organisational risk management strategies and oversees implementation. Steers and advises on improvements to risk management practices and associated changes, liaising with internal and external stakeholders.
Examples of job titles: Risk Manager; Senior Risk Consultant; Senior Risk Analyst; Head of Risk Management

Management level – Sufficient knowledge and application
KEY WORDS: IMPLEMENTS
Summary description: Implements risk management processes and procedures effectively and actively champions risk management practice to internal and external stakeholders.
Examples of job titles: Risk Management Executive; Risk Management Officer; Risk Management Adviser; Risk Analyst; Risk Consultant

Junior level – Basic knowledge and application
KEY WORDS: UNDERSTANDS / CONTRIBUTES TO TEAM
Summary description: Understands and communicates the importance and benefits of risk management and supports the implementation of risk management processes and procedures.
Examples of job titles: Risk Management Assistant; Risk Management Officer


FUNCTIONAL AREA 1: Insights and context

This functional area describes how the successful risk professional: Uses knowledge of internal and external influences to ensure risk management is robust, agile and effective.

FUNCTIONAL AREA 1 COMPONENTS:

1 A: Risk management principles and practice: Understands the principles and practices of risk management and the relevance and uses of theories, processes and tools.

1 B: Internal organisational environment: Understands the internal environment of an organisation and its implications for risk management practices.

1 C: External business environment: Understands how the external environment influences an organisation and the implications for risk management practices.

FUNCTIONAL AREA 1 STANDARDS:

1 A: Risk management principles and practice

1A1 Adapts risk management to organisational context
Leadership level: Promotes risk management as a central part of an organisation’s strategic management.
Senior level: Educates an organisation on the probability, nature and scope of risks and opportunities and likely impact on an organisation.
Management level: Advises on the selection and implementation of appropriate concepts, processes, tools and techniques.
Junior level: Explains different types of risks and possible responses for their treatment.

1A2 Builds organisational resilience
Leadership level: Ensures that resilience is incorporated into organisational strategy.
Senior level: Builds resilience across an organisation to manage current and future risks, opportunities and uncertainties.
Management level: Analyses the suitability of, and makes recommendations about, appropriate risk management tools and techniques.
Junior level: Explains risk management standards, concepts, theories, processes and approaches to risk management.

1A3 Promotes risk management
Leadership level: Anticipates developments in risk management and influences it at a national and/or international level.
Senior level: Advises on the benefits and appropriateness of different approaches to managing risks.
Management level: Champions and explains the benefits of risk management to stakeholders.
Junior level: Understands and explains the value of risk management.


1 B: Internal organisational environment

1B1 Aligns risk management strategy to organisational strategy
Leadership level: Shapes the relationship between an organisation’s overall vision, mission, objectives, culture and strategy and the risk management strategy.
Senior level: Assesses the influence of an organisation’s strategic intent, internal context and governance practices on risk management.
Management level: Encourages internal understanding of the link between an organisation’s vision, mission, objectives, culture and strategy and organisational risk practices.
Junior level: Understands the link between an organisation’s vision, mission and its operational objectives and risk practices.

1B2 Influences decision making
Leadership level: Influences an organisation to adopt a comprehensive, consistent and collaborative approach to risk.
Senior level: Influences management decision-making to achieve the right balance of risk and opportunity.
Management level: Interprets risk information and feeds into organisational structures and systems to support decision making.
Junior level: Compiles relevant risk information to support decision making.

1B3 Improves organisational policies and processes
Leadership level: Drives how an organisation embeds risk management into its strategies, policies and processes to create the desired culture.
Senior level: Embeds risk management into organisational strategies and policies.
Management level: Embeds risk management practices into operational processes.
Junior level: Describes the factors involved in how to embed risk management and supports embedding it into operational processes.


1 C: External business environment

1C1 Emerging risks and horizon scanning
Leadership level: Influences risk management across an industry sector and the wider business environment.
Senior level: Analyses the potential impacts of the external environment on an organisation.
Management level: Identifies and explains the factors in the external environment that may affect an organisation.
Junior level: Describes the kind of factors in the external environment that may affect an organisation (e.g. PESTLE).

1C2 Strategic risk management
Leadership level: Adapts the strategic alignment of an organisation’s risk management to its external operating environment.
Senior level: Improves the alignment of an organisation’s risk management to its external operating environment.
Management level: Identifies opportunities within the external environment to maximise reward and minimise risk.
Junior level: Understands and explains the likely impact that external factors may have on an organisation.

1C3 Regulatory context
Leadership level: Evaluates the implications and limitations of the regulatory environment on an organisation. Represents the risk management perspective to regulators as appropriate.
Senior level: Analyses the impact of developments within the regulatory framework.
Management level: Implements risk management activities to meet regulatory requirements.
Junior level: Understands and describes the regulatory framework within which an organisation operates.


FUNCTIONAL AREA 2: Strategy and performance

This functional area describes how the successful risk professional: Develops a risk management strategy to meet organisational needs.

FUNCTIONAL AREA 2 COMPONENTS:

2 A: Risk management strategy and architecture: Develops and implements risk management strategy and architecture.

2 B: Risk management policy and procedures: Develops and implements proportionate risk management policy, guidelines, procedures and action plans to support the strategy.

2 C: Risk culture and appetite: Shapes risk appetite and a risk culture that is intrinsic to an organisation’s culture.

2 D: Risk performance and reporting: Develops and implements an effective risk management measurement, performance and reporting framework.

FUNCTIONAL AREA 2 STANDARDS:

2 A: Risk management strategy and architecture

2A1 Defines risk management strategy
Leadership level: Achieves buy-in from the Board to develop a proportionate risk strategy and architecture.
Senior level: Evaluates the extent to which individual risk strategies are coherent with the overall risk strategy.
Management level: Understands the purpose and role of a risk management framework, strategy and architecture.
Junior level: Explains the components of a risk management framework, strategy and architecture.

2A2 Implements risk management strategy
Leadership level: Leads the development of the risk management strategy and approach to optimum risk appetite.
Senior level: Assigns ownership and levels of authority that comply with the requirements of the strategy.
Management level: Makes recommendations for improvements to the risk management strategy.
Junior level: Provides management information to support risk strategy development.

2A3 Risk governance structure
Leadership level: Establishes a coherent, transparent and rigorous governance structure that supports an organisation’s risk appetite and culture.
Senior level: Ensures consistency between an organisation’s risk management strategy, organisational strategies and its governance structure.
Management level: Communicates the requirements of the risk governance structure.
Junior level: Describes the features of an effective risk governance structure.


2 B: Risk management policy and procedures

2B1 Risk management policy
Leadership level: Develops the risk management policy that is consistent with the risk management strategy.
Senior level: Implements plans and priorities to deliver risk management policy within agreed timescales and budgets.
Management level: Explains the purpose, role and benefits of embedding risk management policy and procedures into organisational policies and procedures.
Junior level: Explains the purpose of the risk management policy and its procedures and components.

2B2 Risk management methods and processes
Leadership level: Defines risk management guidelines, accountabilities, methodologies, tools and techniques that meet strategy and policy requirements.
Senior level: Delivers risk management policy, ensuring that ownership and responsibilities are fulfilled within authority limits.
Management level: Advises on the appropriate use of methodologies, tools and techniques within the context of the risk policy and guidelines.
Junior level: Explains the features of methodologies, tools and techniques and their uses.

2B3 Risk management effectiveness
Leadership level: Secures commitment and resources that will enable the effective implementation of the risk strategy.
Senior level: Reviews the effectiveness of risk management policy and processes and the use of resources, and makes recommendations for improvements.
Management level: Analyses management information to recommend improvements to risk management policies and procedures.
Junior level: Provides management information to support improvements to risk management policies and procedures.


2 C: Risk culture and appetite

2C1 Desired risk culture
Leadership level: Influences and exemplifies an organisation’s leadership in determining the desired risk culture.
Senior level: Fosters an organisation’s culture through the design of organisational systems, processes and behaviours.
Management level: Acts as a role model and encourages others to ‘live’ the agreed culture.
Junior level: Explains the culture and acts accordingly.

2C2 Risk appetite defined and used
Leadership level: Drives the board’s understanding of risk appetite and its implications for strategy, tactics and operations.
Senior level: Drives an organisation’s understanding of the balance between risk taking, risk management and personal rewards in line with its risk appetite.
Management level: Explains how an organisation establishes its risk appetite and tolerance.
Junior level: Understands the concept of risk appetite and explains the factors that influence people’s perceptions of risk and opportunities.

2C3 Risk maturity and ethos
Leadership level: Shapes the approach to risk management at board level in line with an organisation’s risk maturity.
Senior level: Embeds risk management approaches into organisational values.
Management level: Understands an organisation’s current risk maturity level and its implications for the implementation of risk management practices.
Junior level: Understands the concept of risk maturity.


2 D: Risk performance and reporting

2D1 Risk reporting
Leadership level: Establishes a comprehensive risk reporting system and ensures compliance with other organisational performance management structures and processes.
Senior level: Reports on the strategic and financial impact of risks that have been managed effectively and of unmanaged risks.
Management level: Ensures that risk reporting systems operate efficiently.
Junior level: Explains the purpose of measuring and reporting risk performance and the use of technology to support effective risk management.

2D2 Risk metrics
Leadership level: Integrates risk management metrics with an organisation’s other performance indicators and monitors and responds accordingly to issues identified.
Senior level: Defines organisational Key Risk/Performance Indicators (KRIs/KPIs) for evaluating risk management performance and strategy, and develops a risk register and organisational risk profile.
Management level: Uses analytical tools and techniques to monitor changes in risks and opportunities to an organisation and updates risk information.
Junior level: Complies with legal, ethical and regulatory requirements in the gathering and recording of risk information.

2D3 Risk performance improvement
Leadership level: Assures the approach to risk management is ‘fit for purpose’ through appropriate assurances and audit.
Senior level: Develops a time-sensitive, action-orientated risk reporting system that enables effective decision making and is capable of identifying actual and emerging risks.
Management level: Reports and explains recommendations for improvements based on systematic analyses of information at agreed intervals.
Junior level: Produces reports, highlighting areas of concern, change, emerging threats and opportunities.


FUNCTIONAL AREA 3: Risk management process

This functional area describes how the successful risk professional: Manages the risk management process.

FUNCTIONAL AREA 3 COMPONENTS:

3 A: Risk assessment: Identifies, analyses and evaluates the nature and impact of risks and opportunities.

3 B: Risk treatment: Develops, selects and implements risk treatment strategies and controls.

FUNCTIONAL AREA 3 STANDARDS:

3 A: Risk assessment

3A1 Risk assessment process
Leadership level: Defines the approaches to risk identification, analysis and evaluation and establishes the tools and techniques to be used.
Senior level: Interprets facts, patterns and trends to reach evidence-based decisions on the nature of risks and opportunities.
Management level: Uses a range of information sources and assessment methods to identify, analyse and evaluate risks and opportunities.
Junior level: Explains and contributes to the risk assessment process.

3A2 Assessment tools and techniques
Leadership level: Determines and deploys appropriate resources and investment.
Senior level: Scopes the potential impact of aggregated risks and worst case scenarios quantitatively and qualitatively.
Management level: Uses and advises on the appropriate risk assessment tools and techniques and prioritises and classifies risks and opportunities.
Junior level: Explains how and why to use different risk assessment tools and techniques.

3A3 Interpreting and explaining risk assessment information
Leadership level: Evaluates the impact and value of potential strategic opportunities and integrates these into an organisation’s strategy, and applies expert judgement on presenting the right level of risk information to the board.
Senior level: Evaluates interdependencies between risks, uncertainties and opportunities, critical failure points and resource implications.
Management level: Advises on how to produce and use appropriate risk assessment information.
Junior level: Explains how to display the results of risk assessments.


3 B: Risk treatment

3B1 Risk treatment processes
Leadership level: Ensures an organisation’s approach to the treatment of risk is focused, robust, proportionate and viable, and aligned with its risk appetite and strategy.
Senior level: Monitors the effectiveness of an organisation’s approaches to risk treatment and makes recommendations.
Management level: Advises on and monitors risk monitoring and mitigation actions taken and challenges when issues arise.
Junior level: Understands and explains the suitability of different risk response options and control types.

3B2 Allocates resources
Leadership level: Determines risk treatment strategies and resources to align with an organisation’s approach to risk management.
Senior level: Develops, prioritises and resources suitable controls to treat identified risks and manage opportunities.
Management level: Advises on budgets and resources for risk treatment activities.
Junior level: Understands and explains the costs and benefits of risk treatment activities.

3B3 Integrates Business Continuity Management and Crisis Management
Leadership level: Integrates business continuity strategies and crisis management within an organisation’s risk management strategy and plans.
Senior level: Ensures the continuing co-ordination of crisis management and business continuity strategies and plans with risk management.
Management level: Collates and analyses management information to support crisis management and business continuity plans and activities.
Junior level: Explains the principles and features of crisis management and business continuity.


FUNCTIONAL AREA 4: Organisational capability

This functional area describes how the successful risk professional: Develops and manages a skilled, agile and responsive risk organisation.

FUNCTIONAL AREA 4 COMPONENTS:

4 A: Communication and consultation: Develops and implements communication structures and plans.

4 B: Change management: Manages risks within strategic and operational change.

4 C: People management: Provides systematic performance management and skills development to meet strategic needs.

FUNCTIONAL AREA 4 STANDARDS:

4 A: Communication and consultation

4A1 Risk communication infrastructure
Leadership level: Establishes an organisation’s approach and infrastructure for communication about risk management.
Senior level: Identifies media and methods for communicating the risk strategy that align with target groups.
Management level: Uses agreed media and methods to communicate risk matters.
Junior level: Communicates risk matters to agreed stakeholders, adhering to agreed organisational values and standards.

4A2 Communication plans
Leadership level: Promotes the position that risk management is a universal responsibility and acts as a risk champion across an organisation.
Senior level: Develops a risk communication plan in a way that furthers relationships with stakeholders and is consistent with organisational values and standards.
Management level: Seeks stakeholders’ feedback on the effectiveness of the risk communication infrastructure and strategy.
Junior level: Ensures that information communicated is accurate, complete and complies with relevant regulations.

4A3 Stakeholder management
Leadership level: Develops an organisational stakeholder engagement strategy that is consistent with the risk strategy.
Senior level: Manages stakeholders’ expectations in a way that is consistent with organisational values and standards.
Management level: Builds productive relationships with stakeholders through effective communication and consultation.
Junior level: Supports risk communication and consultation processes within agreed guidelines.


4 B: Change management

4B1 Embeds risk management into change
Leadership level: Ensures that appropriate risk management is embedded throughout major organisational change programmes.
Senior level: Advises on the risk aspects of organisational change.
Management level: Actively supports risk aspects in change activities throughout an organisation.
Junior level: Understands the nature of change and the role of risk management.

4B2 Culture change
Leadership level: Achieves strategic and cultural change that optimises opportunities and mitigates risks through change programmes.
Senior level: Develops change plans to support agreed changes to strategies and policies.
Management level: Implements change plans in accordance with their role.
Junior level: Supports others in managing risks in accordance with their role.

4B3 Champions change
Leadership level: Promotes the vision for strategic change in line with the risk culture and strategy.
Senior level: Ensures change-related risks and opportunities are communicated effectively and managed proportionately.
Management level: Assesses the impact of the delivery of change plans, reporting any adverse effect or unexpected opportunities.
Junior level: Contributes positively to tasks relating to the implementation of change.


4 C: People management

4C1 People leadership
Leadership level: Provides inspirational leadership that motivates and empowers people to fulfil their objectives.
Senior level: Supports and incentivises people to take responsibility for managing risks and opportunities within the limits of their role.
Management level: Influences the behaviour of others to ensure that risk management objectives and standards are met.
Junior level: Understands the requirements of their own role and how it supports an organisation.

4C2 Right people, right roles
Leadership level: Establishes an appropriately resourced structure that is capable of delivering the risk strategy.
Senior level: Deploys the right mix of competence and expertise to meet strategic and operational imperatives.
Management level: Supports operational teams and individuals on the practice of risk management.
Junior level: Takes active responsibility for their own personal and professional development.

4C3 Capability and skills
Leadership level: Defines the knowledge and competence an organisation needs to meet risk management requirements.
Senior level: Practically develops the knowledge and competence of an organisation for the management of risks and opportunities.
Management level: Provides risk management support to individuals that enables them to achieve their objectives.
Junior level: Contributes constructively to the achievement of agreed goals and objectives.