Scottish Public Procurement Toolkit


STRATEGIC RISK MANAGEMENT GUIDANCE

Introduction

This guidance provides an outline of risk management to help organisations put in place effective frameworks for taking informed decisions about risk. It provides a route map for risk management, bringing together policy and guidance from HM Treasury, the NAO and the OGC, and outlines a recommended approach that will help to achieve more robust risk management.

Why management of risk is important

A certain amount of risk taking is inevitable if an organisation is to achieve its objectives. Effective management of risk helps you to manage innovation and improve performance by contributing to:

· increased certainty and fewer surprises;

· better service delivery;

· more effective management of change;

· more efficient use of resources;

· better management at all levels through improved decision making;

· reduced waste and fraud, and better value for money;

· innovation;

· management of contingent and maintenance activities.

The key areas that have to be addressed are:

· the requirements of corporate governance - these include more focused and open ways of managing risk;

· the need for a 'risk owner' at senior level for an activity (strategy, programme or project) and the need for risk owners at everyday working levels as appropriate for the activity and risk exposure;

· consideration of the organisational capability to successfully achieve the required outcome;

· the need for improved reporting and upward referral of major problems;

· the need for shared understanding of risk and its management at all levels in the organisation with partners and key stakeholders, combined with consistent treatment of risk across the organisation;

· managing project risk in the wider context of programmes of change and the business.

Critical success factors for management of risk

The key elements that need to be in place include:

· nominated senior management individuals to support, own the risk management process and lead on risk management;

· risk management policies, and the benefits of following them, clearly communicated to all staff;

· existence and adoption of a framework for management of risk that is transparent and repeatable;

· existence of an organisational culture that supports well thought-through risk taking and innovation;

· management of risk fully embedded in management processes and consistently applied;

· management of risk closely linked to achievement of objectives;

· risks associated with working with other organisations explicitly assessed and managed;

· risks actively monitored and regularly reviewed on a constructive 'no-blame' basis.

Appropriate use of business continuity plans and contingency plans is an important element of the management of risk. So there are likely to be success criteria identified with regard to:

· building in a risk allowance based on the risk assessment. These funds need to be included in the financial provision. Unused funds for risk allowance can then be redeployed when the activity completes or if the exposure to the related risk disappears;

· existence of continuity plans which consider how the business will survive should the outcome not be achieved (this would include looking at if a service should fail to come on stream at the required time, or if the users refuse to make use of the service).

Joint working and partnerships often involve more complex types of risk that can adversely affect the delivery of business services. For example, if part of the service provided by one organisation is delayed or of poor quality, the success of the whole collaboration can be put at risk. You must make sure that your organisation knows about the risk management approaches of your partners. Sharing information about risk management means that risks in collaborative programmes can be identified and managed in a proactive way.

Essential elements of risk management

Risk includes the probability of both good and bad outcomes; the consideration of risk has to be set in the context of opportunity. The task of risk management is to limit the organisation's exposure to an acceptable level of risk by taking action on the probability of the risk occurring, its impact or both. The principles of risk management can be directed both to limiting adverse outcomes and achieving desirable ones.

Your organisation will have a set of key objectives. Risks (ideally not more than 10-15) should be identified against these objectives, at the highest level. These high-level risks should then be considered and managed by senior management.

Management of risk involves having processes in place to monitor risks; access to reliable, up-to-date information about risks; an appropriate level of control in place to deal with those risks; and decision-making processes supported by a framework of risk analysis and evaluation. Risks must be managed in an integrated way at four key levels in order to manage interdependencies - these levels are strategic, programme, project and operational.

At a high level, risks can be categorised as follows:

· business risk - whatever affects your ability to meet business objectives. These risks are managed by the business and cannot be transferred;

· service/operational risk - includes design/build/finance/operate and project risk; these are managed by the party best placed to do so. Providers and customers share detailed plans for managing risks;

· external risk - outside your control, such as legislation, changes in provider marketplace; providers and customers produce and maintain plans for mitigating these risks.

The table below shows the levels of risk and examples of typical risks occurring at each level.

Level: examples of typical risks considered at this level

Strategic/corporate: Commercial, financial, political, environmental, strategic, cultural, acquisition and quality risks. Programme, project and operational risks should be escalated to this level against set escalation criteria - e.g. not acceptable, outside agreed limits, could affect strategic objectives.

Programme: Procurement/acquisition, funding, organisational, projects, security, safety, quality and business continuity risks. Project and operational risks should be escalated to this level against set escalation criteria - e.g. not acceptable, outside agreed limits, could affect programme objectives.

Project: Personal, technical, cost, schedule, resource, operational support, quality and provider failure risks. Strategic and programme-related risks should be communicated to this level where they could affect project objectives. Project managers should communicate information about project risks to other projects and operations as appropriate.

Operations: Personal, technical, cost, schedule, resource, operational support, quality, provider failure, environmental and infrastructure failure risks.

Higher management levels will agree the criteria under which an activity is managed. When risks exceed these set criteria - e.g. not acceptable, outside agreed limits - information needs to be escalated so that decisions can be taken.

A risk management framework

The minimum requirements for a risk management framework are:

· existence of the organisation's risk policy

· clear identification of main stakeholders

· clarification of the main approaches to be used to identify, assess and report on risks, as well as to look at actions to deal with risks

· clear assignment of responsibilities for managing risk and reporting to senior management, especially risks which cut across core business activities and organisational boundaries

· clear audit trail of decisions to ensure that risk management reflects current good practice, with quality assurance of key decisions as input to audit.

A framework for management of risk sets the context in which risks will be identified, analysed, controlled, monitored and reviewed. It must be consistent with processes that are embedded in everyday management and operational practices. It addresses:

· how risks are identified

· how information about their probability and potential impact is obtained

· how risks are quantified

· how options to deal with them are identified

· how decisions on risk management are made, such as further risk reduction

· how these decisions are implemented

· how risks are subsequently tracked and managed

· how actions are evaluated for their effectiveness

· how appropriate communication mechanisms are set up and supported

· how stakeholders are engaged throughout the process.

The following text looks at the key steps involved in the risk management process and at the major issues for those steps.

Risk ownership

· Allocate responsibility at a senior level for managing key risks

· Ensure that every risk has an owner; there may be separate owners for the actions to mitigate the risks

· Ensure anyone allocated ownership has the authority to take on the responsibility and that they are aware that they are the designated owner

· Adopt a mechanism for reporting issues - ultimately to the individual who has to retain overall responsibility

Embedding the risk management policy

· Ensure that risk management is an intrinsic part of the way the organisation works and that this is reflected in the policy

· Keep the policy up to date through review by senior management

Risk identification

· Look at what is at risk and why

· Consider the opportunities opened up by the current activity (e.g. programme or project) as that may also clarify where risk lies

· Aim to identify the 20% of risks that would have 80% of the potential impact

· Ensure that everyone involved has a sound understanding of the mission, aims and objectives and plans for delivery

· Check that there are realistic plans for how providers could deliver the outcomes sought from the activity; check that there is shared understanding of the risks, whilst recognising that customers' and providers' perspectives on risk will not be the same.

Risk analysis

· Assess the probability of risks occurring and their potential impact.

· Set tolerances for individual risks, with reporting arrangements for escalating problems if risks exceed agreed tolerances. Use a risk register to inform the analysis, assign action owners and subsequently monitor progress.

· To determine the degree of review required (internal or external) on major projects use the Project Profile Model (part of the Gateway process) to identify the likely exposure to risk.

Response to risk

Address each risk as appropriate:

· transfer it to the party best placed to manage it (note that business and reputational risk cannot be transferred)

· tolerate it

· terminate it

· treat it by addressing the probability or impact and so contain it to an acceptable level.

Put in place processes that will actively encourage cooperation and open dialogue between customers and providers. Ensure that providers share information about problems at the earliest opportunity so that small issues do not escalate.

Communication strategy

You will need to ensure that appropriate communication mechanisms exist and are adopted. The strategy for communicating risk should cover all stakeholders and, where directly affected, the public:

· identify who you need to establish channels of communication with, through which you can convey good, and bad, news

· identify whose opinions, positions and interests you should be aware of so that you can tailor the management of issues accordingly and more readily take advantage of opportunities, e.g. identify whether the outcome is likely to be adopted by those it is intended to help.

Techniques to assist the management of risk

A wide range of techniques is available to assist in managing risk: for example, to analyse risk, to help you determine your organisation's current capability to manage risk, to assess the complexity of projects that are proposed or currently underway, or to assess uncertainty relating to the project.

Further Information

For more detailed guidance on related topics, 'Management of Risk: Practitioners Guide' is published through The Stationery Office, as is the OGC publication Managing Successful Programmes. Guidance on risk from related central sources includes HM Treasury's Management of Risk: A Strategic Overview (The Orange Book), the Green Book, NAO's Supporting Innovation: Managing Risk in Government Departments, and the Cabinet Office's Successful IT: Modernising Government in Action.

ANNEX A

Healthcheck: How well is your organisation managing risk?

1. Introduction

NOTE: This checklist can be used from different perspectives such as:

· before, or during Gateway Reviews

· when preparing for, or carrying out internal and external risk audits

· when considering a new initiative, such as a major project, entering a new acquisition lifecycle

· when progress reporting to HM Treasury

· when preparing to raise commitment to improving the existing process.

2. Key elements

Elements needed for an effective management of risk process and the indicators of a successful process include:

· policies for the management of risk and the benefits of effective risk management are clearly communicated to staff

· senior management support, promote, own and lead on risk management

· there is an organisational culture that supports well thought-through risk taking and innovation

· management of risk is fully embedded in the management process of the organisation, including the associated controls and distribution of management information

· the identification and assessment of risk is aimed at actively managing the key risks to the achievement of objectives

· the risks posed by working with other organisations are assessed.

3. Review of overall effectiveness

· Is management of risk implemented across the organisation to all line management and business management, as well as project and programme management?

· Is there a formal documented policy for the management of risk? Does the policy address the following:

o the corporate view of risk management?

o processes and procedures?

o the desired benefits to be achieved?

o roles and responsibilities?

o facilities/tools required?

o documentation standards?

· Is the management of risk policy regularly reviewed?

· Are business continuity and contingency plans in place in the event that risks result in adverse consequences?

o Are these plans tested (regularly reviewed and re-tested)?

o Are those responsible aware of their roles with regard to each plan?

o Is there a clearly identified authority to make the decision to implement the plan?

o Are copies of the plan held off-site (and still accessible in an emergency)?

· Is there increasing visibility of risk and appropriate communication to staff so they understand their responsibility for being alert to risks?

o Are staff being trained or receiving guidance in risk management?

o Are risks being raised to the appropriate level?

o Are major risks assigned owners?

o Are you applying existing approaches/practices to address risk problems?

o Are you following the standard processes and procedure for addressing problems in managing risk?

· Is there clear identification of types/categories of risk?

· Are risk evaluation criteria clearly identified and articulated?

o Are risk responsibilities assigned for reporting and managing identified risks?

o Is the effectiveness of risk treatments monitored and reviewed?

o Is there appropriate communication and consultation with others within your organisation and with stakeholders?

· Is the risk documentation appropriate?

o Is the documentation consistent throughout?

· Is risk management ongoing and integrated with other procedures?

Page updated: Friday, June 22, 2007