Fundamentals of Risk Management
Risk-aware culture
Alignment of activities

Risk management activities and the risk architecture, strategy and protocols should be aligned with the core business processes within the organization. Risk information flows around the risk management framework and (if successful) this will produce various outputs. These outputs have already been described as mandatory obligations fulfilled, assurance provided, decision making enhanced and effective and efficient core processes achieved (MADE2).

Most risk management standards make reference to the upside of risk or discuss the management of opportunity risks. Project risk management, or the management of control risks, has become a separate discipline within risk management, and project risk management has become well developed, with separate guidance material.

When considering the contribution that risk management can make to the organization, it is important to decide whether the contribution will relate to strategy, projects and/or operations. This decision will enable the risk management activities within the organization to be aligned with the other business operations, activities and imperatives. It is important that risk management activities are aligned with other operations, so that the risk management procedures can be fully embedded into the existing management procedures and activities within the organization. This will also ensure that risk management activities are undertaken in an efficient and embedded manner and are not seen as a separate activity detached from management of the organization.

There should also be alignment of the activities of internal audit with the culture or context of the organization. The approach followed by internal audit when deciding to design a risk-based audit programme has two components. Firstly, internal audit will look at the high-risk activities and focus the audit programme on those activities. Secondly, the risk-based audit programme will take account of the level of risk management maturity across the organization. If part of the organization has a less risk-mature approach, then internal audit may decide to undertake an increased amount of audit activity in that part of the organization.

Another measure of how well-embedded enterprise risk management is within an organization can be represented by the fragmented–organized–influential–leading (FOIL) approach. Table 24.4 describes the four stages of risk maturity (as identified by the 4Ns) and the characteristics associated with the FOIL approach and it can be seen that the influence of enterprise risk management increases as the four levels are implemented.

A fragmented approach to enterprise risk management is present when different risks are managed in different departments by specialists who do not, necessarily, work together. For example, an organization can have excellent health and safety, security and business continuity standards, but the benefits of working together may not have been established. The next stage is for these activities to become co-ordinated, so that the approach to enterprise risk management becomes more organized. All risks are then considered together and the result is likely to be a comprehensive risk register. However, there is more benefit to be gained from enterprise risk management. Organizations that establish ERM activities that are influential on decision making gain these additional benefits. Risk management (and the risk manager) influence