Наши популярные онлайн курсы
30 practical steps to implement risk management 2. Follow these steps to integrate risk management into decision making, processes and culture https://buff.ly/2KTZBOe the last 15 years I have implemented risk management in hundreds of organisations across Europe, Australia and Middle East. Here is a step by step guide how I actually did it. May not work every time and some decision makers will ignore risks no matter what we do, but it did win the Best ERM implementation award in 2014 ))
A. Despite the fact that risk management is a decision making tool, you should probably get Risk Management 1 sorted first, to keep the auditors, rating agencies and regulators at bay. It's RM1, so keep it as simple and as quick as possible, this is less than 10% of the overall effort.
Auditors love asking for policies and procedures, so give them what they want and make it pretty
A1. Develop a short risk management policy structured around ISO31000 principles – this one is very easy, just follow the steps below:
take existing corporate policy template
take the principles from ISO31000:2018
build a policy around the principles, keep it short. I think I have an example on my download page.
A2. Develop a very basic risk management framework document, aligned with ISO31000 – same as above, use the ISO31000:2019 to develop a framework document. Stick to the text of the standard as close as possible, don't reinvent the wheel. Borrow some good sentences from COSO: ERM 2017 as well, just for fun. Claim that the document is aligned with both. Auditors love that.
A3. Identify and fulfil any other regulatory or shareholder requirement regarding risk management – this is also an important step, as many industries have additional risk management requirements, make sure you crossed them all when drafting policy and framework documents.
Apparently organisations should have a risk appetite and a risk profile, so do it as well. It's not real, but will win some brawny points with the stakeholders.
A4. Develop a high level risk profile, linking key risks to strategic objectives – this is basically a colourful risk register. You can talk to some of the key decision makers, but you really don't have to. Competitor 10K reports and sample risk registers like the one I have will do the job.
A5. Document risk appetite – did you notice how I put risk appetite after risk profile? This is just to show that RM1 is just window dressing, it doesn't matter how you do it, it's not real. You don't believe me it's not real, well allow Grant Purdy, one of the creators of the AS/NZS 4360 and ISO31000, share his sobering views. This is a must watch for all risk managers. Jack Jones, Chairman, The FAIR Institute, also has a compelling case why RM1 is a waste of time, but still necessary unfortunately.
Documenting risk appetite is super simple:
review existing Board level policies
identify any corporate or regulatory limits, for example investment deals above 1B can only be approved by the Board, that's a limit. Or zero tolerance on safety incidents, AML or bribery, those are also limits. Financial delegations are also limits.
collect all existing limits and put them into a single document. Call it risk appetite statement. Laminate it and use colours to show auditors you are serious about it.
Congratulations, now you have a nifty package to take to rating agencies, insurance companies and banks. This RM1 documentation will allow your company to improve credit rating, get cheaper financing from the banks and get lower premiums from the insurance companies. The amount of money saved by just doing RM1 will cover risk team salaries for the next 5 years at least.
B. OK, now it's time to do some real Risk Management 2 (RM2)
When implementing RM2 start with the key decisions
B6. Develop a specific risk analysis methodology for each key decision type – the organisation should implement risk management by:
identifying where, when and how different types of decisions are made across the organisation, and by whom;
modifying the applicable decision-making processes where necessary by applying some of risk analysis techniques to the actual decision making process. This will help decision makers make informed and intelligent decisions based on proper risk analysis. Which techniques work and which don't? I have an article on that.
ensuring that the organisation’s arrangements for managing risk are clearly understood and practised.
B7. Provide tools to the decision makers or perform risk analysis on key decisions yourself – this is an important step to decide whether the risk team will become a methodology and monitoring centre and the actual risk analysis will be performed by decision makers or the risk team will become the analysis support centre and will perform all risk analysis thems…
Weekend fun: win amazing prizes by just registering to #riskawarenessweek2019
Controversial thoughts about modern day risk management in non-financial companies, training and consulting services
