2. Initiating Risk

Literature tends to identify the first step in the risk management process as ‘initiation’. This is a relatively new step in the risk management process which prescribes how an organisation should start the risk management process. Previously ‘identification’ used to be seen as the first step in the process, but in the early 21st century it has been preceded by ‘initiation’ (Lorton, 2005; Hillson & Murray-Webster, 2007; Yilmaz & Flouris, 2010; Hung, 2012). Presenting their theoretical model for ‘enterprise sustainability risk management’ (a prominent form of risk management for the banking and finance sector), Yilmaz and Flouris (2010) place more emphasis on the importance of ‘initiation’ in improving awareness and encouraging a ‘risk culture’ within organisations. 

In order to start the initiation process it is important for organisations to set a context in which staff have a clear understanding of when, how and why they are undertaking risk management. The Australian and New Zealand Standards: Risk Management 4360:2004 guidance (2004, p.12) states that “establishing context defines the basic parameters within which risk must be managed and sets the scope for the rest of the risk management process.” An organisation’s internal structure, external environment and the specific function of risk management activity are the factors which constitute the ‘context’. 

Demidenko & McNutt (2010) looked at risk management practices in two countries, Australia and Russia, and found that in both countries there was a disparity when trying to define risk management within organisations. They concluded that there is a clear need for a policy statement to set the organisational risk management context. Hung (2012) endorses Demidenko and McNutt by arguing that within any framework or policy, ‘setting the context’ should manifest itself in a clear policy statement that is available to all staff and sets the organisational business context for starting and continuing the risk management process. 

Once the ‘context’ for risk management has been established the next step in ‘initiation’ is to define what is meant by the term ‘risk’. Wang et al (2010) conducted a literature review of peer reviewed articles on risk management. They found that there are many different definitions of risk that vary in different domains. In economic theory, risk refers to situations where the decision maker can assign probability to different possible outcomes. In decision theory, risk is the consequence of a decision being made under the condition of known probability over states of nature. However, in project management, there is no consistent definition at all. 

It is obvious that defining what a risk is does not involve a simple process and relates to many differing definitions and interpretations. Despite this, it is vitally important to set out clear parameters of what a ‘risk’ is. Hillson (2010, p.62) states that “one of the most common failings in the risk management process is [for staff] to identify things that are not risks…. For effective risk identification… a clear understanding of what is meant by the term ‘risk’ [is required]”. Hillson (2012) goes on to argue that it is therefore important for a business to define risk clearly, making it specific to the sector to which an organisation belongs, in order to aid staff in undertaking risk management.

However, a common misconception when businesses define ‘risk’ is to portray it in fundamentally negative terms (Lorton, 2005). Ward & Chapman (2003, p.101) found that: 

“present use of the term risk is ambiguous. Best practice regards risk as encompassing both threat and opportunity but guidance… is frequently couched in threat management terms, and in common parlance risk is more usually synonymous with threat” 

This negative outlook of risk is prevalent within the public sector in the UK, particularly as risk management is often seen as a way of reducing reputational risk of how public money is being spent (Crawford & Stein, 2004). 

Once a risk has been defined, the literature moves on to describe a process called ‘risk appetite’. Within organisations the resources available for managing risk are finite. Therefore the aim is to achieve an optimum response to risk, prioritised in accordance with an evaluation of the risk as a concept. The amount of risk that is judged to be tolerable and justifiable by an organisation is defined as ‘risk appetite’ (Good Governance Institute, 2012; HM Treasury, 2004). 

Bromiley (1991) was one of the first theorists to talk about ‘risk taking’, and in doing so outlined, without labelling it as such, the earliest theory of risk appetite. He defined a dynamic model for risk taking and argued that if organisations define risk taking they can improve performance. KPMG (2008, p.12) states that “many leading enterprises are demonstrating that a clearly understood and articulated statement of risk appetite helps unlock value by better aligning decision making and risk taking”. The Good Governance Institute (2012, p.2) argues the case further, affirming that “if [staff] don’t know what [the] organisation’s collective appetite for risk is and the reasons for it, then this may lead to erratic or inappropriate risk taking exposing the organisation to risk it cannot tolerate; or an overly cautious approach which may stifle growth”. 

The human aspect of risk management is vital to its success and effectiveness. People implement processes, set risk thresholds, identify and assess risks, propose appropriate responses and implement agreed actions. In short, the only way the risk process can succeed is if everyone knows their role (Hillson, 2010). Defining roles and responsibilities within a policy document is therefore of clear importance. In addition to this, the NHS Litigation Authority’s Risk Management Standards 2013/14, against which all former PCTs were assessed, made including a section on ‘roles and responsibilities’ mandatory (Standard 1 Criterion 2: Policy on Procedural Documents). Four staff groups that must be included in the risk process are identified in the literature: the Board, senior management, the risk manager and all staff. 

The Higher Education Funding Council for England (2014) believes the Board has a fundamental role to play in the management of risk. The responsibility of the Board in the risk management process is an area well covered by guidance from, and specifically for, the NHS. The Good Governance Institute’s (2009) A Simple Rules Guide for the NHS: Board Assurance Framework outlines that the Board’s role is to focus on risks and events which may compromise the achievement of strategic objectives, and to support the creation of a culture which allows the organisation to anticipate and respond to adverse events, unwelcome business trends and significant organisational opportunities. 

However, the Board is not only responsible for high level risks that may affect strategic objectives. The Department of Health (2002) states that the responsibility for an organisation’s overall system of internal control (a key function of risk management which will be discussed later) lies unequivocally with the Board, whose responsibilities encompass: 

  • Setting appropriate policies of internal control 
  • Seeking regular assurance that will enable the Board to satisfy itself that the system is functioning effectively 
  • Ensuring that the system of internal control is effective in managing risks in the manner that the Board has approved 

The next level down from the Board is the senior management of an organisation. The Higher Education Funding Council for England (2014) argues that the role of senior management and senior managers is to implement the risk management process, identify and evaluate significant risks and provide information to the Board about the status and control of risks. Brown and Khokher (2007) argue that senior management must be facilitated by an expert in the risk field. The literature predominantly uses the term ‘risk manager’ to define the role of facilitator. Hung (2012) states that it is important to define the objectives and capabilities of the risk manager, outlining the role, scope of work and authority given, in order to ensure that the goal of effective risk management is achieved. 

In Hillson’s (2010) book entitled Exploiting Future Uncertainty: Creating Value from Risk, he argues that it is critical that all staff are involved in the risk management process because “[it] is vital to its success and effectiveness. People implement processes, set thresholds, identify risks, assess…. and implement agreed actions” (Hillson, 2010, p.61). Therefore, staff are the main actors for implementing and maintaining an effective risk process. Within an organisation it is important not only for the risk management process to be given a key role, but also for all staff to be aware of the pivotal role they must play to ensure that the organisational objectives are protected from risk.