Selecting a Risk Management Framework for your Organisation

Exploring The Different Risk Management Processes and Frameworks: A Comparative Analysis for Public and Private Sector Organisations in Regulated Industries

April 23, 2023

In today's complex and uncertain business landscape, organisations face challenges ranging from data protection to ensuring a safe working environment. By implementing a risk management process or framework, businesses can identify, assess and address potential risks in a structured way, leading to better data protection, greater corporate resilience, safety assurance and a strong safety culture. This guide for senior stakeholders sets out the benefits of adopting a risk management process or framework and the business requirements and demands that drive the need for such comprehensive risk management strategies.

The Benefits and Business Goals in Adopting Your Risk Management Framework

This article explores the benefits of adopting a risk management process or framework and the business requirements that drive organisations to implement one. Future articles will consider how best to adapt, and then adopt, such approaches to ensure success.

The Benefits

The benefits of adopting a risk management process or framework vary by industry and context, but the following list provides an overview that would inform most business cases:

  1. Improved Decision-Making : A comprehensive risk management process/framework enables organisations to make informed decisions by providing a clear understanding of potential risks and their impact on business objectives. This improved decision-making capability allows businesses to allocate resources more effectively, prioritise initiatives, and develop robust strategies that take into account potential threats and opportunities.
  2. Enhanced Stakeholder Confidence : Investors, customers, employees, and regulators increasingly demand transparency and accountability from businesses. By adopting a risk management process/framework, organisations can demonstrate their commitment to managing risks effectively, thereby increasing stakeholder confidence in the company's ability to navigate uncertainty and deliver on its objectives.
  3. Increased Operational Efficiency: A risk management process/framework helps organisations identify potential inefficiencies in their operations, such as redundant or outdated processes, and implement corrective measures to improve overall efficiency. This can result in cost savings, increased productivity, and better resource allocation across the organisation.
  4. Strengthened Reputation and Brand Value: Organisations that actively manage risks are better equipped to protect their reputation and brand value in the face of adverse events. A well-established risk management process/framework can help businesses mitigate potential reputational risks by proactively addressing issues that may damage their brand image, and by demonstrating their commitment to responsible risk management.
  5. Enhanced Compliance and Regulatory Preparedness: In regulated industries, businesses are subject to various rules and regulations designed to ensure the stability and integrity of the industry. Adopting a risk management process/framework can help organisations stay ahead of regulatory requirements, avoid fines and penalties, and maintain a strong relationship with regulators.
  6. Enhanced Data Protection: As businesses become increasingly reliant on digital technologies, safeguarding sensitive data from unauthorised access, breaches and misuse is critical. A risk management process/framework enables organisations to identify and mitigate data security risks, supporting compliance with data protection regulations and preserving the confidentiality, integrity and availability of valuable information assets.
  7. Strengthened Corporate Resilience: Corporate resilience is an organisation's capacity to withstand and recover from disruptions such as natural disasters, cyber attacks or supply chain failures. Implementing a risk management process/framework helps businesses enhance their resilience by identifying vulnerabilities, devising contingency plans and fostering a culture of risk awareness and preparedness.
  8. Safety Assurance and a Robust Safety Culture: Safety assurance is essential for maintaining a safe and healthy work environment. By adopting a risk management process/framework, organisations can proactively identify safety hazards, develop effective mitigation strategies and nurture a safety culture that encourages employees to prioritise safety and report potential issues. This leads to fewer accidents, improved employee well-being and a stronger reputation for safety.

The Business Goals

The business requirement for implementing a risk management process or framework varies with circumstances and maturity; however, the following summary sets out the key drivers behind adoption and behind the need to understand and manage risks in an organised, structured way.

  1. Increased Complexity and Uncertainty: The modern business environment is characterised by rapid technological advancements, globalisation, and shifting economic landscapes. This complexity and uncertainty have made risk management increasingly important for organisations, driving the demand for a systematic approach to identify, assess, and manage risks.
  2. Evolving Regulatory Landscape: Regulators around the world are imposing stricter rules and guidelines on businesses, particularly in highly regulated industries such as finance, healthcare, and energy. The evolving regulatory landscape has increased the demand for risk management processes and frameworks that enable organisations to maintain compliance and avoid costly fines and penalties.
  3. Growing Cyber Security and Information Threats: Cyber security risks are a significant concern for businesses across all industries, as the frequency and sophistication of cyber attacks continue to increase. This growing threat has driven businesses to adopt risk management processes and frameworks that address cyber security risks explicitly and protect sensitive information and systems.
  4. Stakeholder Expectations: Stakeholders, including investors, customers, and employees, expect businesses to operate responsibly and manage risks effectively. This increased emphasis on risk management has resulted in a growing demand for organisations to implement risk management processes and frameworks that demonstrate their commitment to managing risks and meeting stakeholder expectations.

Adopting a risk management process/framework is no longer a luxury for many organisations, but a business imperative in today's complex and uncertain environment. The benefits of implementing a risk management process, such as improved decision-making, enhanced stakeholder confidence, increased operational efficiency, strengthened reputation, and better regulatory preparedness, make a compelling case for organisations to invest in risk management.

The Relation of Risk Management to a "Learning Culture", with Continuous Improvement

Adopting a risk management process is not only essential for identifying, assessing, and mitigating potential threats but also serves as a catalyst for promoting a learning culture and supporting continuous improvement within an organisation. Implementing a risk management process can have a transformative impact on how organisations approach learning and growth, leading to better decision-making and overall performance.

Firstly, a risk management process encourages open communication and the sharing of knowledge across different levels and departments of an organisation. By promoting a culture of transparency, employees feel empowered to discuss potential risks, propose solutions, and share their insights and experiences. This collaborative approach fosters an environment in which learning and knowledge sharing are valued and integrated into the organisation's daily operations.

Secondly, adopting a risk management process helps to establish a culture of continuous improvement by systematically identifying areas of potential weakness, inefficiency or vulnerability. As organisations analyse and evaluate their risk exposure, they uncover opportunities to refine processes, enhance productivity and improve overall performance. By prioritising risk management, businesses naturally engage in a cycle of evaluation, adaptation and optimisation, driving continuous improvement and growth.

Furthermore, a risk management process supports the development of a learning culture by encouraging organisations to learn from both successes and failures. By analysing past events and decisions, including near misses and incidents, businesses can identify patterns and trends that contribute to effective risk management. This retrospective analysis promotes a mindset of learning and adaptation, enabling organisations to refine their strategies and respond more effectively to future risks.

Finally, a comprehensive risk management process fosters a proactive approach to change and innovation. By identifying potential risks and opportunities, organisations can anticipate future challenges and adapt their strategies accordingly. This forward-looking perspective encourages a culture of continuous learning and improvement, as businesses strive to stay ahead of the curve and remain competitive in an ever-changing landscape.

In conclusion, adopting a risk management process is instrumental in driving a learning culture and supporting the implementation of continuous improvement within an organisation. By fostering open communication, promoting systematic analysis and evaluation, encouraging learning from past experiences, and adopting a proactive approach to change, businesses can cultivate a learning-centric environment that fuels growth, innovation, and long-term success.

Selecting the right Risk Management Framework

Various risk management processes and frameworks have been developed to suit the needs of different organisations in the public and private sectors, and each is more or less appropriate depending on the sector and the problem being addressed. The sections below summarise the main candidates.

ISO 31000:2018 Risk Management

The International Organization for Standardization (ISO) developed ISO 31000:2018 as a globally recognised risk management framework. It provides guidelines for managing risks in a systematic, transparent, and credible manner. The framework is applicable to all types and sizes of organisations, including public and private sector entities in regulated industries (ISO, 2018).

ISO 31000:2018 is a generic framework designed to be customised and adapted to the specific needs of an organisation. It is not sector-specific, making it suitable for a wide range of industries. It is ideal for organisations looking for a flexible, adaptable, and internationally recognised risk management framework.

Companies such as Airbus, IBM, and Shell have implemented ISO 31000:2018 to manage risks in their operations (Technavio, 2020).

  • Pros: If an organisation operates internationally or is planning to expand, adopting ISO 31000:2018 may be beneficial due to its global recognition. Because it is generic, it can serve as the umbrella under which sector-specific frameworks (for example a cyber security framework) are placed.
  • Cons: Implementing ISO 31000:2018 can be time-consuming and may require significant resources. It is also a guidance standard rather than a requirements standard: it contains no auditable controls and an organisation cannot be certified against it, so it does not by itself demonstrate compliance to a regulator or customer.

Using ISO 31000:2018 can improve decision-making, increase stakeholder confidence, and enhance organisational resilience.

Management of Risk (M_o_R) Framework

The Management of Risk (M_o_R) framework is a structured approach to risk management originally published by the UK Office of Government Commerce (OGC) and now owned by AXELOS, formerly a joint venture between the UK Cabinet Office and Capita and, since 2021, part of PeopleCert. It offers a set of principles, processes and techniques to help organisations identify, assess and control risks effectively. The M_o_R framework is designed to be flexible and adaptable, making it suitable for organisations of all sizes and across various sectors.

M_o_R guidance is organised around four core elements:

  1. Principles: The M_o_R framework provides a set of essential principles that guide organisations in designing and implementing effective risk management practices. These principles emphasise the need for a tailored approach, the importance of stakeholder involvement and the value of continuous improvement.
  2. Approach: The M_o_R framework encourages organisations to develop a risk management approach that aligns with their specific context and objectives. This involves defining the risk management policy, process guide, strategies and supporting documents (such as the risk register) that support the organisation's goals and values.
  3. Process: The M_o_R framework outlines a structured process for managing risks: identify, assess, plan and implement, with communication running throughout. This process ensures that organisations can systematically manage risks throughout their life cycle.
  4. Techniques: The M_o_R framework offers a range of risk management techniques and tools that organisations can use to support their risk management processes, covering risk identification, risk assessment (including probability and impact estimation), risk response planning, and risk monitoring and review.

The M_o_R framework aligns with international standards, such as ISO 31000:2018 Risk Management. Both M_o_R and ISO 31000 emphasise the need for a systematic, transparent, and adaptable approach to risk management, which is applicable to various industries and organisational contexts. The M_o_R framework also complements other management methodologies, such as PRINCE2 for project management and ITIL for IT service management, ensuring a comprehensive and integrated approach to managing risks across the organisation.

In summary, the M_o_R framework offers a flexible and comprehensive approach to risk management that aligns with international standards, such as ISO 31000. Its principles, approach, process, and techniques provide a solid foundation for organisations to manage risks effectively, supporting their strategic objectives and enhancing their overall performance.

COSO Enterprise Risk Management (ERM) Framework

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed the ERM framework to help organisations manage risks holistically. The current edition, "Enterprise Risk Management: Integrating with Strategy and Performance", is designed to integrate risk management into the organisation's overall strategy and culture (COSO, 2017), which makes it more comprehensive than some other frameworks. It is considered suitable for public and private sector organisations in regulated industries seeking an enterprise-wide approach to risk management. (For example, in the United States the SEC's rules under Section 404 of the Sarbanes-Oxley Act recognise COSO's companion Internal Control - Integrated Framework, updated in 2013, as a suitable framework for assessing internal control over financial reporting (SEC, 2013); the ERM framework extends that foundation to strategic and operational risk.)

  • Pros: The COSO ERM framework can enhance risk awareness, support strategic decision-making, and improve organisational performance.
  • Cons: The comprehensive nature of the COSO ERM framework may make implementation complex and resource-intensive.

If an organisation seeks a holistic, enterprise-wide approach to risk management, the COSO ERM framework may be a suitable choice.

The NIST Cybersecurity Framework (CSF)

The National Institute of Standards and Technology (NIST) developed the CSF to help organisations manage cyber security risk. The framework is designed to be customisable and scalable, making it suitable for organisations of all sizes and sectors (NIST, 2018). Version 1.1 organises outcomes under five functions (Identify, Protect, Detect, Respond and Recover), with implementation tiers and profiles that let an organisation describe its current and target state. It focuses specifically on cyber security risk, whereas the other frameworks discussed here cover a broader range of risks, and so it is considered ideal for organisations in regulated industries with significant exposure to cyber security risk, such as financial institutions, healthcare providers and government agencies.

The U.S. Federal Government and several private sector organisations, including Google, Apple, and Bank of America, have adopted the NIST CSF to enhance their cybersecurity risk management (NIST, 2020).

  • Pros: The NIST CSF can improve an organisation's cyber security posture, reduce the likelihood of data breaches, and increase stakeholder confidence in the organisation's ability to protect sensitive information. Its functions map to common control catalogues (such as NIST SP 800-53 and ISO/IEC 27001), which eases alignment with existing audit and compliance work.
  • Cons: The NIST CSF is focused solely on cyber security, which means that organisations using this framework may need to adopt an additional, broader risk management framework to address other types of risk. It is also an outcomes framework rather than a control set: it tells you what to achieve, not how, so the organisation must still select and evidence the controls that satisfy each outcome.

If an organisation's primary concern is managing cyber-security risks, the NIST CSF may be the most appropriate choice.

The Three Lines Model

The Institute of Internal Auditors (IIA) developed the Three Lines Model to help organisations establish a clear delineation of roles and responsibilities in risk management and internal control. Published in 2020 as an update to the earlier "Three Lines of Defence" model, it deliberately drops the word "defence" to emphasise that risk management also supports the achievement of objectives. The model identifies three lines: (1) management, which owns and manages risk in day-to-day operations; (2) risk management, compliance and other functions that provide expertise, support, monitoring and challenge; and (3) internal audit, which provides independent assurance to the governing body (IIA, 2020).

The Three Lines Model is distinctive in that it defines roles and responsibilities for risk management and internal control rather than prescribing a risk management process. It is considered suitable for public and private sector organisations in regulated industries seeking to clarify who owns, oversees and independently assures risk. It has been widely adopted by financial institutions, such as banks and insurance companies, to strengthen their risk management and internal control systems (Deloitte, 2019).

  • Pros: The Three Lines Model can enhance organisational accountability, improve risk management effectiveness, and strengthen internal control systems.
  • Cons: The Three Lines Model does not provide specific guidance on risk management processes, which means that organisations may need to adopt additional frameworks to address their risk management needs.

If an organisation is looking to establish a clear delineation of roles and responsibilities in risk management, the Three Lines Model may be a suitable choice.

Conclusion

Choosing the right risk management process or framework for an organisation operating in a regulated industry depends on various factors, including the organisation's size, industry, regulatory obligations and risk profile. Organisations should consider the differences between the frameworks, their appropriateness to the organisation's context, and the potential pitfalls and benefits of each before making a decision.

Ultimately, the key to effective risk management lies in adopting a process or framework that is flexible, scalable and adaptable to the organisation's unique context. In many cases this will involve combining elements from several frameworks, for example an enterprise framework such as ISO 31000 or COSO ERM for overall governance, the NIST CSF for cyber security risk, and the Three Lines Model to assign accountability, or customising a specific framework to address the organisation's risk management needs. By implementing an appropriate risk management process or framework, organisations can better protect themselves against potential threats, reduce uncertainty, and ultimately achieve their strategic objectives.

References

There are many useful publications and materials on this subject. We include a number below, some of which we have used to provide examples and conclusions. We encourage you to explore this material as it can help set context or provide additional information. All rights reserved, All Trademarks Acknowledged, and all original content referenced is owned by the third parties identified.
