Certain “core” principles have been developed to ensure that effective risk management processes are implemented. The following risk management principles are based on risk principles developed by the International Standards Organization (ISO) and the Project Management Body of Knowledge (PMBOK).

Value. The risk management process needs to add value to the organization. There needs to be a clear benefit to having a risk process, and the benefit(s) should be seen and understood by staff, management and stakeholders.

Sized for purpose. Risk management needs to be appropriate to the size and complexity of the organization.

Established process. A defined, documented, approved risk process should be in place. Staff need to understand the process requirements and adhere closely to them. In parallel, audits of process performance should be performed to ensure that the risk process is actively applied across the organization.

Risk needs to be integrated. The risk process should not be seen as a standalone function, but should be integral to routine, ongoing decision making. The approach to risk management should be similar to that taken with quality management, financial management, human resource management, etc. These latter functions are seen as integral to the success of an organization, and similarly the risk management process needs to be seen as a critical function that is fully integrated into the routine operation of the organization.

Best practice. The risk process needs to be continually updated, taking account of the most recent experience both within the organization and from similar environments outside it. The risk process needs to remain up to date, and those charged with leading the risk function need to continually ensure compliance with best practice.

Human factors. The risk process needs to be user friendly and understandable, and to take account of potential human failings, human reactions to unexpected events, and the likelihood that humans will make errors. In estimating risks, will there be potential for bias by the risk estimators? For example, process designers may underestimate the potential for process failure, as they may see potential risks as a reflection of poor design.

Decision making needs to consider risks. Whenever decisions are taken, the potential change in risk should be considered. Will a process, product, operational or strategic decision increase, decrease or have no effect on risk levels?

Uncertainty. Risk management is a process largely influenced by estimates of probability, likelihood, potential severity, etc. Clearly, there is no certainty that an estimated risk event will ever arise. However, the risk management process needs to consider the uncertainty or confidence levels associated with estimating risk.

Active risk management. The risk process must be continually reviewed, with risk estimates continually challenged. The process must be actively and dynamically applied across the organization.

Open and transparent. The process needs to provide full clarity as to how risks are identified, estimated, measured and controlled.

Continuous improvement. As with all processes, there should be an expectation that the risk process can be continually improved. Therefore the users of the risk process, its customers and all stakeholders should be consulted and performance feedback obtained. The process should be benchmarked against best in class and, where opportunities for improvement are identified, actions taken to implement them.
