Pedant’s Corner (2)

This is the second post on risk definitions in the context of risk management standards.  Here we are moving on to risk governance, the outer level of the three risk management processes I proposed some time ago.

In that previous work I suggested there should be three main components of a risk policy, the document created by risk governance review.  These are the policy on risk taking, which could also be regarded as a statement of the risk attitude (see Pedant’s Corner (1)), the policy on risk processes and the policy on risk culture.

Looking at ISO 73 we have:

  • risk management policy – statement of the overall intention and direction of an organisation related to risk management
  • risk management process – systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk
  • risk culture – not defined.

The policy definition is fine, but the process definition is very wordy, simply because it thinks it knows what the answer is.  It gives a namecheck to every process the standard prescribes.  This is not helpful, suffering from the same criticisms as the definition of risk management in the previous article.  Instead let’s just try something like:

  • risk process – the methods deployed by an organisation to incorporate risk in decision-making and monitor risk management

We’ll come to monitoring shortly, but I just want to reiterate that the risk culture forms an important element of the risk management landscape and can’t be ignored.  Its treatment is discussed elsewhere on this site.

Monitoring is defined in a generic way: continual checking, supervising, critically observing or determining the status in order to identify the change from the performance level required or expected.  ISO 73 clarifies it can be applied to the framework, process, risk or control.  In my scheme it is only the last two which are involved in the monitoring cycle so:

  • risk management monitoring – monitoring (as above) risk indicators and risk controls

which creates the need for two further definitions

  • risk control – measure that is modifying risk (as per ISO 73, but should also perhaps be recognised in the reference to options in the definition of risk evaluation)
  • risk indicators – performance measures selected to provide an indication of how the future may crystallise (referring back to the definition of risk – yes, I know, but this is Pedant’s Corner).

Similarly, review has a generic definition: activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives.  The standard applies this to the same four things as monitoring, but again I think the scope can be limited.  In fact I suggest the whole standard can be reduced to the set of definitions and the instruction:

the organisation shall/should (or whatever) review its risk management policy and its implementation and communicate the results to stakeholders as appropriate

as long as the definition of risk management policy is clarified as including a statement of risk attitude, a statement of risk process and a statement of risk culture.  I would prefer the term statement of risk governance to risk management policy, but that’s not essential.

Well that looks pretty good now.  But by reducing and simplifying the number of definitions and reducing the standard itself to one sentence we have obviously left a lot out.  The main points are:

The risk principles – a ragbag of principles, outcomes and general motherhood which could be nicely covered in a discussion document enlarging on the definitions and standard for the ‘great unwashed’ audience. Such an informal document would be a much better means for talking about risk management practices than the strangled tones of a standard.  However I have always said that the most important principles embodied in modern risk management are comprehensiveness (dealt with as part of risk analysis) and visibility (which I discuss under communication below).

The risk framework, a defined term which starts ‘set of components which provides the foundations and organisational arrangements …’.  This is a concept which I have found hard to pin down (as you might imagine for something that is a set of components) and is broadly covered by the risk governance concepts here, as incorporated in the risk management and risk management policy definitions (which, as already noted, could be replaced with risk governance concepts).

All the ‘a risk’, risk listing stuff which should go into a guidance document on risk analysis along with other approaches to characterising and prioritising risk.

All the risk context stuff – also good motherhood on risk analysis.

Risk communication and consultation – as noted, an important part of the risk principles which I have explicitly written into the new ‘standard’.

Risk treatment – an unnecessary complexity to add to the discussion of options for actions and controls.

Residual risk – it’s much better to talk about the risk under a particular option for action.  This will stop all the pointless and unnecessary practices around inherent risk, target risk, and the like.

I’m conscious this now needs a bit of tidying and summary, but essentially we have:

  • a one sentence standard
  • a much reduced set of definitions
  • a context-setting and explanatory document for the lay audience
  • a guide to risk analysis.

It’s this last which contains the real challenge: how to do it, yes, with risk lists, but also alternative approaches.  How can you best represent the different ways the future might unfold?  This is what I’ll address next, though I will also try to post a document which tidies up the first two bullets.  It may be some time before I get round to the third point.