Six principles for effective risk management

This post outlines six main principles of effective risk management and goes further to define risk management and its role in achieving objectives.
effective risk managementIn World-Class Risk Management, I review the eleven principles in the ISO 31000:2009 global risk management standard and condense them to just six. (Later in the book, I discuss a possible risk management maturity model as well as what it takes to go beyond simply effective to deliver world-class value.)

  1. Risk management enables management to make intelligent decisions when setting strategy, planning, making decisions, and in the daily management of the organization. It provides reasonable assurance that performance will be optimized, objectives achieved, and desired levels of value delivered to stakeholders.
  2. Risk management provides decision-makers with reliable, current, timely, and actionable information about the uncertainty that might affect the achievement of objectives.
  3. Risk management is dynamic, iterative and responsive to change.
  4. Risk management is systematic and structured.
  5. Risk management is tailored to the needs of the organization and updated/upgraded as needed. This takes into account the culture of the organization, including how decisions are made, and the need to monitor the program itself and continually improve it.
  6. Risk management takes human factors (that may present the possibility of failures to properly identify, analyze, evaluate or treat risks) into consideration and provides reasonable assurance they are overcome.

I believe it is useful to assess your risk management activity against these principles.
As my friend Alex Sidorenko says in a recent video (which I recommend), risk management is not about managing risks: it’s about enabling informed decisions.
Informed and intelligent decisions are how we achieve objectives. Those decisions need to consider what might happen (harms, opportunities, and combinations of the two) as we strive to succeed.
With that in mind, I suggest a different definition of risk management in the book:

The effective management of risk enables risk-aware decision-making, from decisions about the direction of the organization, to its core strategies, to the decisions made every day across the extended enterprise.
The processes and related policies, structures, and systems for identifying, analyzing, evaluating, and responding to risks are established by management with oversight by the board to ensure that the effects of uncertainty (both positive and negative) on the achievement of objectives are understood and managed to support the realization of the organization’s mission and commitment to stakeholders.

My understanding is that COSO will publish its update of the ERM Framework very soon. It will be interesting to see the principles they have come up with and how they compare with mine.
In the meantime, I welcome your thoughts on the above – and any other comments you may have on this best-selling book.

Share

Related Posts

Imagen 1

The new age of workplace gossip – TMI!

I’ve discussed workplace gossip here before, and what bosses can do to prevent it or at least reduce the potential harm, but there are a couple of hyper-modern developments that I didn’t get into: reality television and the Internet. These two things have created a culture of “sharing”, for lack of a better word, that encourages people at play or work to divulge the most mundane and private details of their lives to others—the kind of information that one previously might only have shared with family or best friends.

Adam Gorley

Read more
Imagen 1

Privacy risk management – by design

I’ve discussed the Privacy by Design principle before, in the Inside Internal Control newsletter. In case you don’t know, PbD is an approach developed by Dr. Ann Cavoukian, the Privacy Commissioner of Ontario, which proactively embeds privacy protection by default in the design of an organization’s practices and products.

Colin Braithwaite

Read more
Imagen 1

Employers discussing employee medical condition with other employees

In general, an employer, manager, supervisor or HR professional discussing an employee’s medical condition with other employees is just plain inappropriate…

Marie-Yosie Saint-Cyr, LL.B. Managing Editor

Read more