Sunday, February 9, 2014

The Principles of Effective Risk Management

Enterprise Risk Management is one of the core domain of Governance. In some business sectors, the success depends on an intelligent and effective risk management principles, framework and practices. The advancement in technology, like big data and analytics also plays a key role in making the risk management effective and adding value to the business. Other factors that necessitate a well architected ERM in an organization include, regulatory & compliance needs, security and privacy expectations, disasters and business continuity needs, etc. As the risk management practices evolved further, adoption of principle based approaches have been found to be more effective.

Here the some of the common principles to model the Risk Management framework around:

  • Create and protect value - Any framework should be able to add value and also protect the values that the assets of the organization is expected to deliver. This would also involve identifying the specific business needs, appropriately assess the risk measure and in turn facilitate deciding on the best risk mitigation or avoidance plan. Risk management must have demonstrable effect on achievement of objectives and improvement of performance of the enterprise.
  • Integrated approach - Risk management cannot be practiced effectively in silos. Today's organizations face the challenges of many different frameworks for meeting different goals. For instance, ISO27001 for security, ITIL for IT infrastructure management, COBIT for Governance, etc. Integrated risk management promotes a continuous, proactive and systematic process to understand, manage and communicate risk from an organization-wide perspective in a cohesive and consistent manner. To be effective, the Risk Management framework should be capable of being integrated into the existing process framework.
  • Recognise & manage complexity - Organisations are very complex environments in which to deliver concrete solutions. There are many challenges that need to be overcome when planning and implementing information management projects. In practice, however, there is no way of avoiding the inherent complexities within organisations. New approaches to information management must therefore be found that recognise (and manage) this complexity.
  • Flexible and adaptable - There is no "one-size-fits-all" approach to risk management and organizations should consider their own context when determining an appropriate approach. Organizations today face a considerable change management challenge for information management projects. In practice, it means that projects must be carefully designed from the outset to ensure that sufficient adoption is gained. The framework shall be tailored and responsive to the organization's external and internal context including its mandate, priorities, organizational risk culture, risk management capacity, and partner and stakeholder interests.
  • Highly usable - In general, the risk management practices should allow for the identification of risk information throughout the organization that can be used to support enterprise wide decision-making, and should also be flexible enough to evolve with changing priorities. This requires that every employee of the organization has a role to play in an effective Risk Management program. This calls for the structures and the associated processes should be simple enough to understand and also usable or executable. 
  • Dynamic and responsive to change - The process of managing risk needs to be flexible. The challenging environment we operate in requires agencies to consider the context for managing risk as well as continuing to identify new risks that emerge, and make allowances for those risks that no longer exist. Risk Management shall be deployed in a systematic, structured and timely manner to enable cost-effective embedding and focused generation of consistent, comparable and reliable results. 
  • Leverage tools & technology - An effective risk management calls for the ability to consider and make use of large volume of data and should leverage the statistical techniques to predict and prioritise the risks. Coming up with a right mitigation or contingency plan also calls for processing of large volume of data. The framework should provide for leveraging latest technology as it emerges to facilitate such high volume information handling and statistical analysis.
  • Considerate to human and cultural factors - The success of the risk management program largely depends on its employees in implementing it as part of their every day business activities. This calls for the structure and the processes to be considerate of the organization's cultural values and should not lead to creating conflicts. 
  • Communicate extensively - Communication is the key for success of any project or program. The framework shall provide for seamless communication amongst all stakeholders, so that the information is exchanged at the right time without losing its value.
  • Continuous Improvement - The big bang approach is unlikely to yield the expected outcome for obvious reasons. Instead, an evolutionary approach will work better and thus the ERM should be capable of evolving. Deployment should be complemented with mechanisms to assess and continually improve enterprise risk management maturity and be aligned with approaches driving the organization’s overall excellence and maturity agenda. 
  • Governance - Oversight and accountability for the risk management process is critical to ensure that the necessary commitment and resources are secured, the risk assessment occurs at the right level in the organization, the full range of relevant risks is considered, these risks are evaluated through a rigorous and ongoing process, and requisite actions are taken, as appropriate.

The above list is not an exhaustive list of principles that readily suits an organization. The right set of principles shall be identified based on the priorities of the business. These principles when adopted help the organizations to practice an improved risk management and thus giving the following benefits to the enterprise.
  • Enhance the coverage of risks in all areas including mission,strategy, planning, operations, finance.
  • Consider the causes of various risks and the resulting impacts.
  • Develop a culture in which employees manage risks as part of their daily routines.
  • Optimized risk appetite, so that the business functions can take take calculated risks.
  • Facilitate enterprise wide risk aware decision making.