Guidance Paper - The Institute of Risk Management
Guidance Paper - The Institute of Risk Management
Guidance Paper - The Institute of Risk Management
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Strategic<br />
319<br />
At a strategic level we are<br />
suggesting that a variety <strong>of</strong><br />
high level models might be<br />
used including:<br />
• Shareholder value for private sector<br />
organisations. See the box above for<br />
more information on one possible<br />
approach. (Black, Wright and<br />
Bachman, 2000)<br />
• Stakeholder value might be a more<br />
appropriate measure for not-for-pr<strong>of</strong>it<br />
organisations<br />
• Economic Value Added (“EVA”)<br />
has been commonly used in many<br />
organisations.<br />
<strong>The</strong> important issue here is not<br />
320 so much the precise model<br />
that is selected, but rather<br />
that it is appropriate for the<br />
nature <strong>of</strong> the organisation. One <strong>of</strong> the key<br />
attributes <strong>of</strong> using models such as these is<br />
that there is a focus on translating<br />
strategy to the underlying value drivers<br />
and, <strong>of</strong> paramount importance, a need to<br />
identify key assumptions and therefore<br />
key risks.<br />
Such models may be more<br />
321 sophisticated than is necessary<br />
for less mature organisations<br />
and it is clearly not<br />
appropriate to implement a shareholder<br />
value approach in the context <strong>of</strong> the<br />
public sector or some third sector<br />
organisations. We acknowledge that<br />
additional work is still required to identify<br />
other models that would be equally valid<br />
in the public sector but we do not think<br />
that this represents a significant<br />
shortcoming in the proposed framework.<br />
Tactical and operational<br />
322<br />
We recommend that<br />
organisations should develop<br />
a series <strong>of</strong> risk metrics and<br />
control metrics to measure tactical and<br />
operational risks and controls. <strong>The</strong><br />
concept <strong>of</strong> risk and control metrics is<br />
widely referred to in risk management<br />
literature, normally as KRI’s and KCI’s,<br />
although implementation is at best<br />
patchy. <strong>The</strong>re are many practical<br />
approaches to identifying key indicators.<br />
However, in implementing them,<br />
management should ensure that they are<br />
readily understood and are drawn from<br />
appropriate information systems and<br />
reliable data-sources which are subject to<br />
proper governance procedures. For<br />
organisations that already use KPI’s as<br />
part <strong>of</strong> their balanced scorecard<br />
management reporting information, both<br />
risk and control indicators should be<br />
relatively easy to implement.<br />
Data<br />
323<br />
<strong>The</strong> approach to risk appetite<br />
has to become a data-driven<br />
exercise. Much <strong>of</strong> what<br />
currently passes for risk management is<br />
<strong>of</strong>ten a data-free or at best data-lite zone.<br />
Organisations that manage risk in this<br />
way will not be able to manage according<br />
to a pre-determined risk appetite.<br />
Accordingly we recommend that<br />
organisations should identify the relevant<br />
sources <strong>of</strong> data that will be required and<br />
ensure that there are appropriate levels<br />
<strong>of</strong> governance over those data sources to<br />
ensure that they are sufficiently robust to<br />
form the basis <strong>of</strong> a decision-influencing<br />
and report generating management tool<br />
All forms <strong>of</strong> measurement<br />
324 need to be tailored and<br />
appropriate to the<br />
environment within which<br />
they are being used. It is not our intention<br />
to recommend undue levels <strong>of</strong> complexity.<br />
However, as part <strong>of</strong> the regular reporting<br />
<strong>of</strong> risk appetite to senior management<br />
and boards, we believe that organisations<br />
need to develop the same level <strong>of</strong> rigour<br />
in reporting this information as they do in<br />
reporting periodic management accounts,<br />
including appropriate governance over<br />
the data and information systems<br />
employed.<br />
Constructing a<br />
risk appetite -<br />
questions for the<br />
boardroom<br />
• What are the business,<br />
regulatory or other factors<br />
that will influence the<br />
relative importance <strong>of</strong> the<br />
organisation’s propensity to<br />
take risk and its propensity to<br />
exercise control at strategic,<br />
tactical and operational levels<br />
• Does the organisation employ<br />
helpful risk taxonomies that<br />
facilitate the identification and<br />
responsibility for managing risk<br />
as well as providing insight on<br />
how to manage risks<br />
• Does the organisation<br />
understand clearly why and<br />
how it engages with risks<br />
• Is the organisation addressing<br />
all relevant risks or only those<br />
that can be captured in risk<br />
management processes<br />
• Does the organisation have a<br />
framework for responding to<br />
risks<br />
• What approach has the<br />
organisation taken to<br />
measuring and quantifying<br />
risks<br />
29