Good risk management at a strategic level helps protect an organisation's reputation, safeguard against financial loss, minimise disruption to services and increase the likelihood of achieving business objectives successfully.
Where an internal control mechanism is established, this also gives assurance on how an organisation's business is managed and at the same time satisfies any compliance requirements of the organisation. Internal control includes:
Be clear first of all about the overall objectives of the organisation and understand how departmental objectives are aligned to their delivery. Think about:
With your objectives in mind, ask the following questions:
Consult with staff and others as appropriate and consider a range of possible scenarios, including the best and worst cases. Be as creative with this process as possible. Consider the 'cause and effect' and scope of the risk and state it as clearly as possible to avoid misunderstanding and misinterpretation. Try to quantify where possible based on what the effect might be.
Go back to Step 1 above and do the same for external risks by considering the relationship between the organisation and its wider environment, and follow the steps above. Consider potential external causes of business disruption, issues affecting relationships with partners and suppliers, and any possible changes in government policy and legislation.
This involves practical steps for managing and controlling risks. Think about:
Although policy may dictate that a review and half-yearly update should be enacted, risk owners need to review regularly to ensure there is ongoing, relevant management of risks.
Advice should be sought where quantification or confirmation is needed, i.e. from the Finance or Audit Department.
Build into the current reporting structure via the business planning round. Where key risks need to be considered, ensure they are given priority within the agreed framework.
Risk: The actual exposure of something of human value to a hazard, often regarded as the product of probability and loss. Source: Smith K 2001; Environmental Hazards Assessing Risk and Reducing Disaster: London: Routledge: 6-7.
Risk Assessment: The evaluation of a risk to determine its significance, either quantitatively or qualitatively.
Risk Management: Determines the levels at which risk acceptability is set and methods of risk reduction are evaluated and applied.
Resilience: The ability at every relevant level to detect, prevent and, if necessary, handle disruptive challenges. Source: CCS Resilience
Business Continuity: A proactive process which identifies the key functions of an organisation and the likely threats to those functions; from this information, plans and procedures can be developed which ensure that key functions can continue, whatever the circumstances.