An Integrated Approach to Risk Management
In our first article, we introduced the concept of risk silos and what you can do about them. In this article, we will take a closer look at the steps you can take to help break down risk silos at your organisation by asking a few key questions.
What is an enterprise-wide risk management framework?
Risk management frameworks that give an organisation a structure that promotes internal information flow, addresses blind spots and provides a common language for risk are commonly referred to as enterprise-wide risk management frameworks. They are also commonly referred to as integrated risk management or holistic risk management frameworks. Enterprise means ‘whole of enterprise’ and also ‘enterprise level’ oversight.
Enterprise risk management is implemented in response to the need to ensure that a consistent approach to risk management is applied to all areas of the organisation and can be viewed and accessed at all levels. For example, just as there are managers and executives that manage and have a view of the whole enterprise, enterprise risk management means that there should be a whole of enterprise view of risks.
To explore this concept further, Ideagen provides a table showing the differences between the traditional approach to risk management (TRM) and the enterprise-wide approach to risk management (ERM).
| Traditional risk management (TRM) | Enterprise risk management (ERM) |
| --- | --- |
| Focuses solely on risks that can be insured, for instance, if a member of staff has a fall at work that causes injury, or a flood damages part of an office | Accounts for insurable hazards along with any other risk an organisation faces that no amount of money can remedy, such as a cyber breach that causes the loss of highly sensitive data and possible damage to brand reputation |
| Reactive and sporadic risk management that takes place only after an incident has happened to prevent it from reoccurring | Proactive and consistent risk management that attempts to predict potential events before they happen, whilst considering impact and probability |
| Risk-averse mindset, viewing risks only as something that can cause the organisation to lose money | Risk-taking mindset, where the downsides and upsides of risks are considered to determine which pose an opportunity for growth and expansion |
| Fragmented or siloed approach where each department manages risk independently with no communication outside of their respective business units | Integrated and holistic approach where risk management is coordinated throughout the business with senior-level oversight to help better allocate resources and prioritise risks |
| Risks are mitigated based on each silo’s expertise and decision-making skills with a one-dimensional assessment | Risks are mitigated in line with an ironclad multi-dimensional strategy on an enterprise-wide level |
| Disjointed activity with no connection to strategic objectives and little awareness of risk across the organisation | Risk is embedded as a culture and ingrained as a valuable decision-making tool to ensure business success |
| Follows basic and limited standards that may stall operations and provide minimal value to an organisation | Follows modern standards such as the COSO framework and ISO 31000 which complement the technical and soft skills required to extend risk management beyond a compliance-oriented exercise |
How do I approach the process of identifying risks across my organisation?
Trying to think of every single risk that could occur across your organisation is enough to put anyone off this process, because the number of risks identified is likely to be very large. However, there are different ways to approach this problem that will help focus your efforts in a useful way. One way is to consider risks relating to the organisation’s profile. There are three main sources of risks related to the organisation’s profile:
- the operational profile itself
- mandatory compliance obligations
- non-mandatory compliance obligations.
Risks related to an organisation’s operational profile
These are risks that arise due to the nature of an organisation’s operations – its operational profile. For example:
- schools provide services to children so must manage child safety risks
- financial services organisations manage other people’s money and provide financial advice, investment products and other financial services to clients so they must manage a range of risks including fraud and corruption risk
- aged care services provide service to clients in a care setting so there are many risks associated with the quality of care provided.
Risks related to an organisation’s mandatory compliance obligations
The organisation’s operational profile also results in specific compliance risks that arise from the particular operations being undertaken. Failure to manage compliance obligations is a key risk for any organisation that will affect long term viability and ongoing success.
Risks related to an organisation’s non-mandatory compliance obligations
Risks can also arise from obligations that the organisation chooses to comply with, for example, voluntary codes of conduct for an industry or obligations arising from contracts with key stakeholders.
This diagram illustrates the above:
Why do I need to apply a consistent methodology to filter and sort risks?
A common question asked when organisations consider an enterprise-wide approach to risk management is: “Won’t there be too many risks for my board or executive team to have visibility over given all of the departments, activities and sometimes different locations of the business?”
The answer is “yes, there are going to be a large number of risks”! Therefore, to make sense of all the risks and ensure that boards and executive teams are only focusing on items of importance to them, it is necessary to apply a methodology to enable risks to be filtered and sorted.
Two suggested methodologies to filter and sort risks are to:
- apply the principle of risk granularity
- distinguish between operational and strategic risks.
This will help organisations focus only on the risks that are important at each level of the organisation, preventing them from becoming overwhelmed by the rest.
Applying the principle of risk granularity
Risk granularity means organising risks according to whether they are macro or micro or, putting it another way, big picture or little picture.
An example of a macro level risk might be a health and safety risk. For example:
Failure to effectively implement systems and process to manage legal compliance with health and safety laws and to develop a positive and safe workplace culture.
This is a single ‘macro’ overarching risk related to the organisation’s health and safety activities and risks.
Underneath this at a more granular or micro level might be a large number of risks associated with workplace hazards. For example:
Failure to provide first aid kits and other first aid requirements that comply with the First Aid in the Workplace Code of Practice.
This is a much more granular or micro health and safety risk, but still important.
Using the principle of risk granularity helps identify the risks that should be reported and managed by the organisation’s leaders and those that can be managed by others with specific operational responsibilities.
The advantages of applying the principle of risk granularity to a set of risks include:
- enables visibility of all risks across the organisation at a high level
- appropriate reporting to the board and executive team
- aligns with leadership responsibilities, for example for WHS risk the owner is the leader responsible for WHS
- prevents the board and the executive team being bogged down in highly granular (low level) risks that can be distracting
- supports delegation of risk management to appropriate levels within the organisation, for example:
  - macro level = executive team
  - micro level = staff responsible for that particular aspect of operations, e.g. traffic safety.
Separating operational and strategic risks
Some risks relate to an organisation’s operations and other risks relate to strategy. Separating these risks helps to identify and provide a common language for discussing these risks and assists in risk reporting. It would be expected that most strategic risks would be reported to and sometimes overseen by the board, whereas operational risks are more frequently managed by the organisation’s leaders and managers.
Ideagen describes strategic risks as:
“referring to the events or decisions that could potentially stop an organisation from achieving its goals. It also refers to the danger of an organisation’s strategic choices being incorrect, or not responding effectively to changing environments”.
Strategic risks include:
- events or decisions, whether internal or external, that make it difficult or impossible for an organisation to execute and achieve objectives and strategic goals
- risks that are a result of the strategic decisions that an organisation makes
- risks that the strategic decisions are incorrect
- risks that arise from a failure to identify and respond appropriately to changes to the organisation’s operating environment
- long-term risks that may impact the success of the organisation
- executive management or board level risks.
Strategic risks will change over time as strategy changes and as internal and external operating environments change.
Operational risks are risks that are associated with business operations, systems, processes, and products. They affect daily activities and are a ‘ground level’ look at risks. These risks will vary depending on the nature and scope of operations (the organisation’s “operational profile”). They also arise from the compliance obligations that are associated with operations – again based on the operational profile.
Conclusion
Risk silos can easily occur, especially without a well-structured and integrated framework to support risk management at your organisation. Now that you understand more about the importance of an integrated approach to risk management you will be better equipped to help your organisation identify and resolve risk silos when they occur.
About the Author
Jonathan Oliver