Risk taking is fundamental to the success of any organisation. The leaders of an organisation must decide the extent to which risk needs to be sought, accepted, addressed or avoided and their approach to this will determine how risks are managed across their organisation.
The concept of risk management has been of increasing relevance and importance in recent years, triggered in part by the 2008 financial crisis, well publicised large company failures and the increasing maturity of corporate governance frameworks.
Societal trends such as business accountability, disclosure of information, the velocity of change, the connectivity of risks and the impact of emerging technologies have all added emphasis and importance to the need for effective risk management. Coupled with the rise in global regulations and laws, risk management has never been higher on the board agenda nor required more of today’s risk manager.
A wealth of knowledge, guides, standards and publications exists to help with the detailed development of risk management strategies and implementation of risk management programmes.
However, the focus is increasingly on avoiding added complexity and ensuring that risk management enhances existing business structures by operating as an integral part of established processes. This approach requires a shared view of the impact of risk on business objectives and effective communication between business leaders, functional teams and business operations.
This guide summarises current approaches to risk management to promote a shared understanding. It will be particularly useful for those new to risk management.
It looks initially at the definition of risk and how risk management helps organisations address uncertainty.
It then summarises the key principles underpinning the design and operation of a risk management programme with reference to the international risk management standard ISO 31000:2018. It moves on to consider how risk governance fits within the developing corporate governance frameworks.
Human and cultural factors have a fundamental impact on the success of the risk management programme; these factors and the importance of leadership are considered in section 5.
Section 6 focuses on articulating risk within the organisation and will help the reader understand how risks are identified and assessed in the internal and external context of the business. The approach to accepting and managing risks in order to create and protect value varies substantially across businesses and this section highlights the way risks are evaluated in conjunction with the risk criteria developed by the business.
The guide incorporates practical examples where appropriate. It also introduces the subject of organisational resilience and outlines the importance of appropriate resilience within the wider risk management approach. The British Standard for business continuity, BS 22301, and the British Standard for resilience, BS 65000, are both referenced alongside cases from the Airmic Roads to Ruin and Roads to Resilience publications.
The guide outlines why internal and external communication and monitoring are a key part of any successful risk management programme. The impact of the Financial Reporting Council (FRC) guidance is considered as part of the external communication strategy of a listed company.
This guide is intended to be used by Airmic members starting out in their career in the profession, and by those who may be new to this subject, or to be shared with their business colleagues in areas such as procurement, finance, human resources, IT and internal audit.
Codes put forward principles for best practice that make poor behaviour less likely to occur; and public reporting can make it harder to conceal such behaviour. But, by itself, a code does not prevent inappropriate behaviour, strategies or decisions.
Stephen Haddrill, CEO, The Financial Reporting Council, The Airmic Lecture 2018