Implementing a Risk Management Process : A Starters Guide

Risk management is an essential component of any organisation. We have covered the need and benefits of Risk Management Frameworks elsewhere, but as a reminder we focus on the key driver which is to enable us to understand and manage risks, and support business continuity and growth.

Organisations with little experience often face huge challenges in implementing effective risk management processes. In this simple starter guide, we will look to de-mystify the activities that can make your implementation a success, and high-light the key stakeholders, their responsibilities and the approach that has shown to be the most successful.

Like many of our guides, this follows a generic and 'common' set of goals and circumstances. While the core set of activities and approach is often common across different organisations, each scenario will benefit from adaption and refinement to ensure it aligns to local requirements and reflects your maturity.

Risk Management Maturity Models

A risk management maturity model can be a useful tool in managing and guiding implementation, providing a structured approach for evaluating your risk management capabilities and processes. It provides a framework to assess the maturity of risk management practices, identify gaps, and guide improvement efforts. RMMMs enable you to benchmark your risk management processes against industry best practices and set targets for your implementation and then ongoing continuous improvement.

The Benefits of using a Risk Management Maturity Model

• Benchmarking: RMMMs enable organisations to compare their risk management practices with industry best practices and standards. This helps identify areas where improvement is needed and set realistic targets for enhancement.
• Prioritisation: By assessing the maturity of risk management practices, organisations can identify the most critical gaps and prioritise improvement efforts accordingly.
• Continuous Improvement: RMMMs provide a structured approach to track progress and measure improvement in risk management capabilities over time.
• Alignment with Organisational Objectives: By aligning risk management practices with organisational objectives, RMMMs help organisations focus on managing risks that matter most to their strategic goals.

Picking a Risk Management Maturity Model

There are several Risk Management Maturity Models available, each with its own focus and methodology. Its important to select an approach that fits with your circumstances, and each will often benefit for further refinement to ensure it meets your needs. Some of the most widely recognised models that should be considered include:-

1. Committee of Sponsoring Organisations of the Treadway Commission (COSO) Enterprise Risk Management (ERM) Maturity Model: This model focuses on the integration of risk management with an organisation's strategy and performance. It evaluates maturity across five components: governance and culture, strategy and objective-setting, performance, review and revision, and information, communication, and reporting.
2. Project Management Institute (PMI) Organizational Project Management Maturity Model (OPM3): This model assesses the maturity of project, program, and portfolio management practices within an organisation, including risk management. OPM3 evaluates maturity based on standardised best practices and helps organisations identify areas for improvement.
3. Capability Maturity Model Integration (CMMI): While not specifically designed for risk management, CMMI provides a framework for assessing and improving process maturity across various disciplines, including risk management. CMMI's risk management component focuses on identifying, analysing, and mitigating risks throughout the project lifecycle.
4. Australian/New Zealand Standard for Risk Management (AS/NZS ISO 31000): This standard provides a set of principles and guidelines for effective risk management. It can be used as a basis for assessing risk management maturity by evaluating an organisation's adherence to the standard's principles and recommended practices.

By using a Risk Management Maturity Model, organisations can effectively assess their risk management capabilities, identify areas for improvement, and direct change activity to enhance their risk management practices and align them with organisational objectives.

The Seven Step Approach to Risk Management Implementation

This seven step guide outlines key phases of activity, and we recommend form the basis of your programme, resource and skills planning.

1. Assessing the Current State of Risk Management Maturity

Before implementing a new risk management process, organisations need to first assess their current risk management maturity level. This involves evaluating the existing risk management processes, identifying gaps, and determining areas that require improvement.

This is where the Risk Management Maturity Model can be very useful.

• Conduct a baseline assessment: Evaluate the organisation's current risk management maturity using the chosen model. This involves assessing risk management practices, processes, and capabilities against the model's criteria or best practices.
• . Identify gaps and improvement opportunities: Analyse the results of the baseline assessment to identify areas where the organisation's risk management practices fall short of the desired maturity level.

2. Establishing a Risk Management Framework

A risk management framework provides a structured approach to identifying, assessing, and managing risks. Key components of a risk management framework include:

• Risk Management Policy: This policy outlines the organisation's commitment to risk management, its objectives, and the roles and responsibilities of stakeholders. It should align closely to its Corporate Objectives, its operating environment and its responsibilities Understanding these inputs is essential for developing an effective policy that aligns with the organisation's goals and objectives. Key inputs include:
  • Organisational objectives: The organisation's strategic goals and objectives are the primary drivers of its risk management policy. The policy should support and protect the organisation's ability to achieve these objectives by managing potential threats and capitalizing on opportunities.
  • Legal and regulatory requirements: Compliance with applicable laws, regulations, and industry standards is a critical input for risk management policies. The policy should be designed to ensure that the organisation meets its legal obligations and maintains a strong reputation within the industry.
  • Stakeholder expectations: Stakeholder expectations, including those of shareholders, employees, customers, and suppliers, should be considered when developing a risk management policy. The policy should address the concerns and interests of these stakeholders and aim to maintain their trust and confidence in the organisation.
  • Industry and market trends: Understanding the risks and opportunities associated with the organisation's industry and market is crucial. Market trends, competitor activities, and technological advancements can all impact an organisation's risk profile and should be taken into account when designing a risk management policy.
  • Internal factors: The organisation's internal environment, including its culture, structure, resources, and capabilities, can influence its risk management policy. The policy should be tailored to the organisation's unique characteristics and needs and should be designed to leverage its strengths and address its weaknesses.
  • Risk tolerance and appetite: An organisation's risk tolerance and appetite dictate the level of risk it is willing to accept in pursuit of its objectives. Risk tolerance is the degree of uncertainty an organisation is willing to accept, while risk appetite is the amount and type of risk it is willing to take on. Understanding and defining the organisation's risk appetite and tolerance is essential for developing a risk management policy that supports its strategic goals and objectives.
• Risk Management Process: This comprises a series of steps that include risk identification, risk assessment, risk response, and risk monitoring and control. We have covered the selection and adapting of your Risk Management Framework and subsequent process in our previous article.
• Risk Register: A central repository for documenting identified risks, their potential impacts, and mitigation strategies.
• Risk Appetite: The level of risk an organisation is willing to accept to achieve its objectives. To develop and understand your risk appetite, the following steps can be taken:
  • Align risk appetite with strategic objectives: Ensure that the organisation's risk appetite aligns with its overall goals and objectives. This will help to determine the appropriate level of risk-taking in various areas of the organisation.
  • Involve key stakeholders: Engage with the Board of Directors, senior management, and other relevant stakeholders to discuss and agree on the organisation's risk appetite. This will ensure that all parties understand the organisation's risk preferences and are committed to supporting the risk management policy.
  • Define risk categories: Break down risks into categories, such as operational, financial, strategic, and compliance risks. This will help to establish a clearer understanding of the organisation's risk appetite for each category.
  • Set risk limits: Establish limits for each risk category based on the organisation's risk appetite. These limits should be used to guide decision-making and resource allocation within the organisation.
  • Communicate risk appetite: Clearly communicate the organisation's risk appetite to all relevant stakeholders, including employees, vendors, and partners. This will help to create a risk-aware culture within the organisation and ensure that everyone is aligned with the organisation's risk-taking preferences.
  • Monitor and review risk appetite: Regularly review and update the organisation's risk appetite based on changing circumstances, new information, or lessons learned. This will help to ensure that the organisation's risk management policy remains relevant and effective over time.

3. Building a Risk Management Team

A dedicated risk management team is crucial for implementing and maintaining a robust risk management process. Key roles in the risk management team include:

• Risk Owner: Senior management or executive responsible (SRO/CRO) for overseeing the risk management process and ensuring its alignment with the organisation's strategic objectives.
• Risk Manager(s): Responsible for implementing the risk management process, coordinating risk assessment activities, and ensuring that risks are adequately addressed.
• Risk Analysts: Responsible for identifying, assessing, and documenting risks, and supporting the development of risk mitigation strategies.

4. Training and Awareness

Training and awareness programs are essential for ensuring that stakeholders understand their roles and responsibilities in the risk management process. These programmes should cover:

• Risk Management Concepts: The principles and processes involved in risk management.
• Roles and Responsibilities: The specific responsibilities of each stakeholder in the risk management process.
• Risk Management Tools and Techniques: The tools and techniques used for risk identification, assessment, and response.

5. Implementing the Risk Management Process

The key implementation steps of a risk management process include ;-

• Risk Identification: Identify potential risks by considering both internal and external factors that may affect the organisation's objectives.
• Risk Assessment: Assess the likelihood and impact of each identified risk, and prioritise risks based on their potential consequences.
• Risk Response: Develop strategies to mitigate, transfer, accept, or avoid the risks, and assign responsibility for implementing these strategies to specific stakeholders.
• Risk Monitoring and Control: Continuously monitor the identified risks and their mitigation strategies, and update the risk register as necessary. Each Risk Management Framework has variations on these core themes, but this fundamental set of steps are consistent throughout the Risk Management approaches.

6. Embedding Risk Management into Organisational Culture

To sustain the risk management process, organisations must embed risk management into their organisational culture (Purdy, 2010). There are a number of ways of achieving this, including :-

• Integrating risk management into decision-making ( Change Boards, Business Case Approvals, Design Authorities etc )
• processes: Incorporate risk assessment and response into strategic planning, project management, and other key decision-making processes. ( Prince2, MSP, SAFe etc all support this approach ).
• Encouraging open communication: Foster a culture of open communication, where employees feel comfortable discussing risks and sharing their concerns. Accessibility to Risk assessments, and Risk decisions.
• Establishing clear accountability: Ensure that stakeholders understand their roles and responsibilities in the risk management process and are held accountable for their actions.
• Incentivising risk management: Recognise and reward employees who contribute to effective risk management, and encourage continuous improvement. Promote Success, and Early awareness, Mitgation and improvements in Maturity).

7. Identifying and Mitigating Risks to Adoption

Implementing a new risk management process can pose several challenges, including resistance to change, lack of stakeholder buy-in, and insufficient resources. A number of approaches can be taken to overcome these risks, including considering ;-

• Change management: Develop and implement a change management plan to address potential resistance and ensure a smooth transition to the new risk management process.
• Stakeholder engagement: Engage stakeholders throughout the implementation process, involving them in the development of risk management policies, processes, and tools.
• Resource allocation: Allocate sufficient resources, including time, personnel, and financial resources, to support the implementation of the new risk management process.
• Continuous improvement: Regularly review and evaluate the effectiveness of the risk management process, and make adjustments as needed to improve its performance.

Conclusion

Implementing a new risk management process in an organisation with low maturity requires a comprehensive approach that includes assessing the current maturity, establishing a risk management framework, building a risk team, providing training and awareness, implementing the risk management process, embedding risk management into organisational culture, and identifying and mitigating risks to adoption. These key steps, supported by engaging stakeholders can enable successful implementation of a robust risk management process, that enables delivery of strategic objectives and ensures long-term sustainability.

References

There are many useful publications and materials on this subject. We include a number below, some of which we have used to provide examples and conclusions. We encourage you to explore this material as it can help set context or provide additional information. All rights reserved, All Trademarks Acknowledged, and all original content referenced is owned by the third parties identified.

• COSO. (2004). Enterprise Risk Management - Integrated Framework. Committee of Sponsoring Organisations of the Treadway Commission.
• Hillson, D. (2002). The Risk Management Universe - A Guided Tour. Project Management Institute.
• ISO 31000. (2018). Risk Management - Guidelines. International Organization for Standardization.
• Kutsch, E., Hall, M., & Turner, N. (2014). Project risk management: A process approach. Routledge.
• Purdy, G. (2010). ISO 31000:2009—Setting a New Standard for Risk Management. Risk Analysis, 30(6), 881-886.
• Project Management Institute. (2017). A Guide to the Project Management Body of Knowledge (PMBOK® Guide) – Sixth Edition. Project Management Institute.Implementing your Risk Management Process : A Starters Guide