Risk Management Guide_1.1


  • 8/12/2019 Risk Management Guide_1.1

    1/19

    Risk Management Guide

    Chapter 1: Introduction to the Risk Management Guide

    Chapter 2: Establishing Context and Identifying Risks

    Chapter 3: Evaluate Existing Controls

    Chapter 4: Risk Analysis and Evaluation

    Chapter 5: Risk Treatment

    Disclaimer

This guide, and the tools and templates available from www.disasterresilience.com, will support your planning processes and strengthen your resilience. Using familiar software (Microsoft Word, Access, Excel and PowerPoint), we focus on quality processes within a risk management framework. These approaches serve as best practice models. They should not be used as "templates for duplication" with global word changes. You should evaluate the significance of any requirements specific to your context, then tailor your approach accordingly.


Introduction to the Risk Management Guide

Framework

This guide provides advice on implementing a risk management approach aligned with the International Risk Management Principles and Guidelines, ISO 31000.

    Figure 1 Risk Management (ISO 31000)



    Icons

This guide is structured around two icons:

1. The folder icon flags advice on what needs to be done and how to do it. This will generally be text about a process, with an accompanying diagram.

2. The keyboard icon flags advice on how to record the outputs from what needs to be done and how to do it. This text will be specific to the data entry requirements, with an accompanying screenshot (in this case, of the Excel Spreadsheet tool).

    Figure 2 Excel Spreadsheet Screenshot whole risk management process - full screen.

Icon key

Folder icon: Workbook advice

Keyboard icon: Tool advice


Risk Management Guide - Establish Context and Identify Risks

Establishing Context and Identifying Risks

    Communication and Consultation - Stakeholders

The oil of the machine, the grist for the mill, the underpinning foundation: the central and significant role of effective communication and consultation cannot be overstated.

Risks are about the conditions and circumstances which give rise to uncertainty about the future. Those conditions and circumstances, and their management, are things in which many and varied people have an interest, some more directly than others. Therefore a first and fundamental step is to identify stakeholders (defined as anyone with an interest).

Second, not all stakeholders have the same level of hold, that is, care or interest. Therefore it is important to differentiate stakeholders.

Any of several techniques (such as the matrix provided here) are useful for mapping stakeholders.



    Communication and Consultation - Stakeholders (continued)

A useful way of generating a list of who has an interest, and what type of interest they have, is to generate a process map called a SIPOC, which is short for Suppliers, Inputs, Process, Outputs, Customers.

The SIPOC map should be started from the right-hand side, identifying customers on the basis of who has an interest and what will be required to address that interest.

This type of mapping also enhances your understanding of context.

Details on how to facilitate a SIPOC mapping process are available as Attachment A (at the back of this guide).

    Communication and Consultation - Stakeholders

The output from the stakeholder identification and differentiation process is a list of initial stakeholders, which should be entered into the Originator section of the Excel Spreadsheet by clicking on Add New Originator.

    Figure 3 Establish Context and Identify Risks


Communication and Consultation - Risk Statements

Particular attention to detail should be exercised when generating a risk statement. A risk statement must derive from context. It is formulated in direct association with a task, goal, objective or value criterion of your business or organisation, often directly linked to your strategic plan, business plan or corporate plan.

    When writing a risk statement, to strengthen clarity and meaning:

1. Write a complete sentence, consisting of a cause and an effect.

2. Identify the cause as far upstream - in the chain of cause and effect - as is practical to manage. State the cause as a set of conditions, or as a trigger event.

3. State the effect upon the task, goal, objective or value criterion under consideration.

4. Link the two clauses by a phrase such as "leads to", "causing" or "results in".

Example: "Having an outdated, unexercised business continuity plan leads to unacceptable vulnerability across the business"

Communication and Consultation - Risk Statements

Risk Statements are entered in individual rows under the Risk Statement column, as shown in Figure 3: Establish Context and Identify Risks (above).


Communication and Consultation - Consequence Criteria

Each of your risk statements will or will not have an association with each of your (tailored) risk assessment criteria. Your risk assessment criteria measure what you care about and how much you care. They need to reflect the context of the organisation, not simply be cut and pasted from a template of another organisation's set of values. Considerable care should be taken to ensure that appropriate criteria, reflecting your position, are developed.

Figure 4 Establishing assessment criteria is a social process

Communication and Consultation - Consequence Criteria

Where a value criterion (such as Outcome; Output; Community; Governance; People; and Environment) is triggered by an effect generating a possible consequence, a specific level of possible consequence should be attributed to the risk statement by selecting the appropriate drop-down threshold in the Consequence column [as shown on the right-hand side of Figure 3: Establish Context and Identify Risks (above)].

The threshold choices are 1 Insignificant; 2 Minor; 3 Moderate; 4 Major; or 5 Critical, for each affected value criterion.

To support the clarity of your attribution, click on the symbol which leads to the detailed description of thresholds and indicators. This advice on the value criteria and their thresholds can also be reached from the Consequence and Likelihood TAB at the bottom of the screen.


    Figure 5 Risk Assessment Criteria


Risk Management Guide - Evaluate Existing Controls

    Evaluate Existing Controls

    What we do now to manage this risk

A control is any existing process, system, policy, device, structure, practice or other action that acts to minimize negative risk or enhance positive opportunities.

The identification of current controls is a fundamental and critical step. Risk levels cannot be determined until we can attribute a level of likelihood to the consequence, and the effectiveness of existing controls is crucial to informing our judgment on how likely a specific consequence is to arise. Once controls have been listed, each should be given an effectiveness score using performance indicators such as those outlined in Figure 6 below.

Performance indicators:

1. Risk reduction - This control prevents a significant proportion of the losses posed by this risk.

2. Continuity of effects - The effects of applying this control will be long term or ongoing.

3. Timing - The beneficial effects of this control are likely to be quickly realized.

4. Administrative efficiency - We have the expertise, and this control is easily administered.

5. Cost-effectiveness - This control is cost-effective.

6. Synergy, leverage and compatibility - This control is likely to lead to further risk-reducing actions by others. It is highly compatible with other controls that exist or are likely to be adopted.

7. Risk creation - Implementing this control does not introduce new risks.

Figure 6 Considerations when assessing the effectiveness of existing controls


    What we do now to manage this risk

The controls which have an impact on the consequence for each particular value criterion should be listed individually against the specific consequence criterion (for the risk statement under consideration). This will require copying rows (to correspond with the number of relevant controls). This will then enable a score for effectiveness to be attributed to each control.

To support the clarity of your attribution of effectiveness, click on the symbol which leads to the detailed description of performance levels and performance indicators. (The Excel worksheet should be copied, one sheet per control.)

This advice can also be reached from the Effectiveness and Adequacy TAB at the bottom of the screen.

    Figure 7 Control Effectiveness Advice TAB (Excel Spreadsheet)


Figure 8 Screenshot - Existing Controls Evaluated

An important risk management principle is the recognition that adequacy is a function of effectiveness and consequence.

Once the level of control is determined, the Adequacy Matrix (below) provides an important tool to assess whether the control is likely to be appropriate, or whether actions to improve the level or quality of the control are required, or indeed whether an entirely new way of thinking about developing other controls needs to be considered.

(The adequacy of the existing control is automatically calculated within the Excel Spreadsheet based on the matrix below.)

Figure 9 Adequacy Matrix


Risk Analysis and Evaluation

Given the adequacy of current controls, determine the likelihood of the consequence

A level of likelihood for each consequence should be premised. It is important to focus on the likelihood of the consequence, NOT on the likelihood of the trigger event. The attribution of level should be against the criteria listed in Figure 10 below.

Likelihood - Criteria

A - Almost certain to occur in most circumstances
B - Likely to occur frequently
C - Possible and likely to occur at some time
D - Unlikely to occur but could happen
E - May occur but only in rare and exceptional circumstances

Figure 10 Likelihood Criteria


Given the adequacy of current controls, determine the likelihood of the consequence

The consequence level will be automatically reproduced from the Establish Context and Identify Risks stage.

The level of likelihood which you premise will automatically generate a level of risk.

This level of risk will be a function of three things - the likelihood, the consequence you have already premised, and your agreed risk appetite [which is reflected in the allocation of risk levels (Low; Medium; High; Very High) to each of the 25 cells in the Consequence / Likelihood Matrix displayed at the bottom of Figure 5 and in the Consequence and Likelihood Worksheet].
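The level-of-risk lookup described above, together with the control effectiveness scoring from Chapter 3 (Figure 6), modelled as an added example in Python. This is not the guide's Excel tool: the 25-cell allocation in RISK_MATRIX is an assumed, illustrative risk appetite (the guide's own allocation is in Figure 5 and the Consequence and Likelihood worksheet and is not reproduced here), and the 0-7 effectiveness score is an assumed way of scoring the seven performance indicators. What the example adds beyond the text is a check that an appetite matrix is complete and never lets the risk level fall as consequence or likelihood rises (the usual sign of a mis-edited spreadsheet), and a register row whose Accept Risk and Future Risk Target fields are never derived automatically.

```python
"""Risk level from consequence and likelihood, with a check on the appetite matrix.

Added example, not the guide's Excel tool. RISK_MATRIX is an assumed,
illustrative allocation; the 0-7 effectiveness score is an assumed scoring
of the guide's seven performance indicators.
"""
from dataclasses import dataclass
from typing import Optional

CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Critical"}
LIKELIHOOD = {"A": "Almost certain", "B": "Likely", "C": "Possible",
              "D": "Unlikely", "E": "Rare"}
LEVELS = ("Low", "Medium", "High", "Very High")  # least to most severe

# Assumed allocation: one row per likelihood (A = most likely), one column per
# consequence 1..5 - twenty-five cells, as in the guide's matrix.
RISK_MATRIX = {
    "A": ("Medium", "High", "High", "Very High", "Very High"),
    "B": ("Medium", "Medium", "High", "High", "Very High"),
    "C": ("Low", "Medium", "Medium", "High", "High"),
    "D": ("Low", "Low", "Medium", "Medium", "High"),
    "E": ("Low", "Low", "Low", "Medium", "Medium"),
}

# The guide's seven performance indicators for scoring a control (Figure 6).
INDICATORS = ("risk_reduction", "continuity_of_effects", "timing",
              "administrative_efficiency", "cost_effectiveness",
              "synergy_and_compatibility", "no_new_risks")


def validate_matrix(matrix):
    """Raise ValueError unless the appetite matrix is complete and consistent.

    Complete: every likelihood row A..E has five cells holding known levels.
    Consistent: the level never drops as consequence rises along a row, or
    as likelihood rises (E towards A) down a column."""
    rank = {lvl: i for i, lvl in enumerate(LEVELS)}
    rows = "ABCDE"
    for r in rows:
        cells = matrix.get(r)
        if cells is None or len(cells) != len(CONSEQUENCE):
            raise ValueError(f"row {r}: expected {len(CONSEQUENCE)} cells")
        for lvl in cells:
            if lvl not in rank:
                raise ValueError(f"row {r}: unknown level {lvl!r}")
        for c in range(len(cells) - 1):
            if rank[cells[c]] > rank[cells[c + 1]]:
                raise ValueError(f"row {r}: level drops from consequence {c + 1} to {c + 2}")
    for upper, lower in zip(rows, rows[1:]):  # A above B, ..., D above E
        for c in range(len(CONSEQUENCE)):
            if rank[matrix[upper][c]] < rank[matrix[lower][c]]:
                raise ValueError(f"consequence {c + 1}: level drops from {lower} to {upper}")
    return True


def risk_level(consequence, likelihood, matrix=RISK_MATRIX):
    """Risk level for a premised consequence (1-5) and likelihood (A-E)."""
    if consequence not in CONSEQUENCE:
        raise ValueError(f"consequence must be 1-5, got {consequence!r}")
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"likelihood must be A-E, got {likelihood!r}")
    validate_matrix(matrix)
    return matrix[likelihood][consequence - 1]


def effectiveness_score(indicators_met):
    """Assumed scoring: how many of the seven indicators the control satisfies (0-7)."""
    unknown = set(indicators_met) - set(INDICATORS)
    if unknown:
        raise ValueError(f"unknown indicators: {sorted(unknown)}")
    return sum(1 for name in INDICATORS if indicators_met.get(name, False))


@dataclass
class RiskRow:
    """One register row. Accept Risk and Future Risk Target are management
    decisions and are deliberately never derived from the computed level."""
    statement: str
    value_criterion: str
    consequence: int
    likelihood: str
    controls: dict  # control name -> {indicator: bool}
    accept_risk: Optional[bool] = None
    future_target: Optional[str] = None

    @property
    def level(self):
        return risk_level(self.consequence, self.likelihood)

    def control_scores(self):
        return {name: effectiveness_score(met) for name, met in self.controls.items()}

    def awaiting_decision(self):
        return self.accept_risk is None or self.future_target is None


# Constructed sample row, using the guide's own example risk statement.
SAMPLE_ROW = RiskRow(
    statement="Having an outdated, unexercised business continuity plan leads to "
              "unacceptable vulnerability across the business",
    value_criterion="Outcome",
    consequence=4,
    likelihood="B",
    controls={"Annual BCP review": {"risk_reduction": True, "timing": False,
                                    "administrative_efficiency": True,
                                    "no_new_risks": True}},
)

if __name__ == "__main__":
    print(SAMPLE_ROW.level, SAMPLE_ROW.control_scores(), SAMPLE_ROW.awaiting_decision())
```

Running the module prints the sample row's risk level, its control scores and whether it still awaits a management decision. Swap in your own allocation for RISK_MATRIX; validate_matrix will reject any row with a missing cell or an inversion, which is worth running whenever the appetite matrix in the worksheet is edited.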

Figure 11 Premise the likelihood of the specified consequence


In order to maximize access, the tool has been deliberately designed using an early version of Excel (2003).

A constraint of this version is that conditional formatting supports no more than three conditions per cell, so the four risk-level colours (Low; Medium; High; Very High) cannot all be applied automatically. If you change the likelihood attribution, you therefore need to click on the running man (macro run) icon to refresh the risk-level colour displayed.

Figure 12 Risk Levels - suggested prioritisation for action

General advice about whether a level of risk requires treatment is provided in Figure 12.

However, it is important to recognise the need to enable management discretion regarding both risk acceptance and solution resourcing options. Therefore the Accept Risk (Yes or No) and Future Risk Target levels of the tool are not populated automatically. They are determined by the responsible party or parties, and the risk may (in certain circumstances) be carried even though the level might be High or Very High.

Figure 13 Risk Acceptance and Future Risk Target Levels are management discretions


Risk Management Guide - Risk Treatment

    Risk Treatment

    What we will do; within what budget, by when and by whom.

The treatment of risk is very much about the standard governance qualities of any plan. This calls for a selection of high-leverage, cost-effective controls to be considered using the performance indicators outlined below and introduced in Chapter 3, Figure 6.

Performance indicators:

1. Risk reduction - This control prevents a significant proportion of the losses posed by this risk.

2. Continuity of effects - The effects of applying this control will be long term or ongoing.

3. Timing - The beneficial effects of this control are likely to be quickly realized.

4. Administrative efficiency - We have the expertise, and this control is easily administered.

5. Cost-effectiveness - This control is cost-effective.

6. Synergy, leverage and compatibility - This control is likely to lead to further risk-reducing actions by others. It is highly compatible with other controls that exist or are likely to be adopted.

7. Risk creation - Implementing this control does not introduce new risks.

Figure 14 Risk Treatment Selection Criteria


    What we will do; within what budget, by when and by whom.

The criteria can be accessed from the symbol. This will take you to performance levels and performance indicators.

This advice can also be reached from the Treatment Selection TAB at the bottom of the screen.

Figure 15 Criteria - available from the Treatment Selection TAB


Figure 16 Assess the likely effectiveness of each proposed control - copy one worksheet per control.

    Figure 17 Screenshot for recording and tracking Treatment


    Attachment A:

    Three steps to developing a sound SIPOC diagram

Purpose: The purpose of a SIPOC Diagram is to define and document the key elements of an activity. This includes Customers/Requirements, Outputs, Process Steps/Requirements, Inputs and Suppliers.

Materials: SIPOC overview handout, whiteboard, worksheets, flipcharts, PowerPoint (not preferred, as it can take away from engagement and participation), posters, Post-its (or my favourite, coloured sticky arrows which are then placed on a large, blank, laminated SIPOC chart).

Time: Varies. Plan for at least two hours, based on the complexity of the process, the participants' knowledge of the process, and their previous experience creating SIPOCs.

Step ONE: Get everyone on the same page (purpose)

Note 1 to facilitator: Do this step even if working with a knowledgeable group, by reviewing the elements critical to conducting a successful SIPOC session. Use this review as a means of setting a positive tone and developing a conversational style of facilitating the session.

The five critical elements to a good SIPOC are:

1. Provide participants a brief overview of the SIPOC structure and how important it is to manage its use in terms of the range of purposes. Apply the Covey principle "begin with the end in mind": SIPOCs are flexible tools and can be focused on achieving a range of purposes such as project planning, vulnerability mapping or organisational restructuring. So be mindful: ask how you will USE this SIPOC.

2. The challenge for service industries (as distinct from making widgets) is to think beyond the process column (where many SIPOCs start). The challenge for individuals is to think outside of their square.

3. When recording on the SIPOC, use only as much detail as needed to understand/communicate effectively.

4. Record the agreed purpose of this SIPOC session and make the agreed purpose the label of the "car park". The car park is an area of white space, such as butcher's paper or a whiteboard on wheels, which is structured to capture, as they relate to the SIPOC element being mapped at the time, (1) assumptions, (2) constraints, (3) risks and (4) decision criteria.

5. This is not an academic exercise - define how things really get done, not how we might want them to be.


Step TWO: Establish the Framework

Note 2 to facilitator: Groups sometimes prefer to be more organic than systematic. Be flexible and accommodate this, as long as the entire SIPOC form is completed with enough detail to understand the process. Be flexible and use plain language. Write it down, and then ask open-ended, clarifying questions to get it right. Place the thing or issue on the SIPOC at the place of best agreed fit. Challenge the status quo, test the understanding of the process, and encourage dialogue.

Note 3 to facilitator: A challenge from here on out in this process is to keep the group at a high level of detail; do not allow them to get too granular. The detail can come later in the process flow diagram mapping, or you can go back and break each key process step into sub-steps and SIPOC them. (It depends on the purpose of the SIPOC and the complexity of the process.)

    Use the SIPOC framework (on the wall chart, computer, whiteboard, worksheet, or flipchart).

1. Seek permission and agreement from the group to start backwards from the right - from the Customer column.

Identify customers (some will be stakeholders with specified needs to be met which are contractual or legally obligatory; other stakeholders may have a more indirect and general interest, needing only to be appropriately informed).

Back into the customer requirements column by now clearly stating the requirement(s) of each stakeholder.

[This two-part customer column should be reviewed whenever something changes, so that the ripple effects can be mapped and managed. (The result from this stage will be your initial stakeholder list.)]

2. List the outputs from the process which will deliver the requirements of the customer and, collectively, achieve the required outcome of the activity.

3. Structure a process which will deliver the outputs effectively and efficiently.

Clearly identify the START of your process (the cue, prompt or trigger that requires you to act).

Clearly identify the END of your process (how do you know you are done?).

List the 3-5 (NO MORE THAN 7) key steps in the process being mapped.

Incorporate feedback loops: how will you, your customer and your supplier communicate?

(Record: process name; process owner; process performance measures/metrics structured to inform improvement opportunities; any known operational definitions of key process elements; any known assumptions/constraints and immediately apparent risks - record these in the car park.)

Note 4 to facilitator: Remind the group that the assumptions and operational definitions are ongoing lists and may be added to as needed during the session. The idea is to make sure everyone is working on the same sheet of paper and means the same thing when using a term, and that those assumptions are made visible, discussed, and validated or challenged as appropriate.

4. List the inputs into each step of the process.

List the requirements of each input (your view, as the person doing the work).

List the supplier of each input of the process.

5. List or highlight the Critical-to-Quality (CTQ) elements for the process.

Step THREE: Check your work

Review the completed SIPOC. Verify all key components are completed/addressed. Determine next steps/action plan. Make sure all assumptions are visible, discussed, validated, and documented. Document operational definitions of terms, symbols, acronyms, equipment, standards, etc. Do not forget to identify your information/communication loops and feedback mechanisms. Document source specifications, standard operating procedures, and/or references for your process. Review where you need to have Service Level Agreements (SLAs) between you and your supplier, and between you and your customer.