Tuesday, May 22, 2012

Another view of a risk management framework

The previous blog entry on risk management frameworks presented a relatively simple risk management framework, but there are many ways to view risk and the interactions of the various elements involved. Our intention is not to provide a single ‘perfect’ risk management framework – you need to work that out for yourself – but we’ll provide a couple of ideas to get you started.

Figure 1 below (adapted from SRMBOK) presents a more complex example of a risk management framework. In this model we break up the elements of risk management into six main categories:

  • Activity Areas
  • Practice Areas
  • Strategic Knowledge Areas
  • Operational Competency Areas
  • Risk Treatments
  • Enablers

Figure 1: Risk Management Framework example

Looking at the above example, we can see a rough outline of how different elements of risk management support each other. For example:

  • Practice Areas – the activity groups that embody distinct areas of expertise. These areas can also be the scope of the risks to be managed, or the primary area in which a risk practitioner is focused (eg: Safety, Finance, Enterprise risk, etc).
  • Strategic Knowledge Areas – the four concepts which all risk practitioners must understand in order to achieve an optimal trade-off in support of risk treatments (Ref: The Quadruple Constraints of Risk Management).
  • Operational Competency Areas – a group of closely-related skill sets, of which a risk practitioner needs to be competent in at least one (if not all) in order to support effective risk management.
  • Risk Treatments – the strategies that we put in place to support objectives. In the graphic above, ‘assets’ are placed at the centre of concentric circles. These circles represent the layered approach known as the hierarchy of controls (Ref: Slides 10 and 11), whereby multiple mutually supportive treatments are more effective than a single treatment (Ref: Swiss Cheese).
  • Activity Areas – the principal risk countermeasure areas through the lifecycle, from pre-incident prevention (planning and preparation) to post-event response (emergency management and business continuity). As indicated in the diagram, the primary focus should be on different elements at the appropriate phase of a risk event (pre or post), but all four elements need to be considered at all times – albeit with varying levels of focus or priority.
  • Enablers – the underpinning elements required to ensure the application of risk management processes and activities in a sustained fashion (eg: Policies, training, etc).

Why Build Such a Complex Model?

It’s important to remember that the model illustrated in Figure 1 is just one possible way to view how risk management fits together. It's useful nonetheless to stimulate your risk thinking in three main areas:

  • GAP ANALYSIS. What elements aren’t happening right now in our organization and what do we need to do to fill in the gaps?
  • BENCHMARKING. If we had to measure the effectiveness of our risk management, which metrics would we choose and how do they relate to each other?
  • INTEGRATION. How does this model help us integrate various functions such as treasury, IT, emergency response, design, governance, assurance, policies etc?