Chapter 3 Risk Management Frameworks and Standards

The document discusses risk management frameworks and standards. It describes what a risk management framework is and why organizations need one. It then discusses some common risk management standards like ISO 31000 and provides details on the key aspects of the ISO 31000 standard including its risk principles, framework, and processes.

Uploaded by

Asyraf Wijitha

Chapter 3: Risk Management Frameworks and Standards

Risk management framework

What is a risk management framework?
An organisation needs a formal, explicit risk management framework to ensure that its risk
management decisions support the achievement of its strategic objectives and that the risk
preferences of its stakeholders are considered.
• A coherent structure to support the management of risk within the organisation
• Relying on intuition alone is ineffective, as it leads to inconsistent and poor management
decisions
• Provides guidance for adopting a holistic approach to managing risk
• Adds value to an organisation and helps it operate in a successful and sustainable way over
the long term
Risk management standard
A risk management standard describes an overall approach to risk management and the risk
framework that supports it. Common standards include:
• AS 4360 (Australia), since replaced by ISO 31000
• ISO 31000, used globally
• The IRM (Institute of Risk Management) Standard, UK
• The Orange Book, UK
• COSO ERM
At a minimum, a risk management framework for a typical organisation will include
mechanisms for:
• Identification of risks which could impact the organisation in either a positive or negative
way
• Assessing the significance of identified risks, in order to help prioritise management
attention and financial resources
• Monitoring to help detect any changes in the organisation’s exposure to identified risks
• Controlling the organisation’s exposure to the risks that have been identified
A closer look at the ISO 31000 risk standard
ISO 31000 Risk Management has three components:
• RM Principles
• RM Framework
• RM Processes
ISO 31000 was first published in 2009. The original 2009 standard was updated in
2018 to reflect advances in practice and changes to certain risk exposures such as cyber risk
and terrorism. The objective of ISO 31000 is to provide a set of internationally recognised
principles and guidance on the practice of risk management in organisations. These principles
and guidance may be used to help improve the design and implementation of a risk
management framework within an organisation.

A) Risk principles

B) Risk framework: leadership and commitment

i) The introduction of risk management and ensuring its on-going effectiveness require strong
and sustained commitment by management of the organization, as well as strategic and
rigorous planning to achieve commitment at all levels.
ii) Leadership is important in designing and implementing effective risk management
frameworks.
iii) Tangible commitment to effective risk management is needed from an organisation’s
leaders, including its managers, senior managers and Board or equivalent:
• Approve and endorse the framework
• Align risk with objectives
• Set risk KPIs
• Ensure compliance with the risk policy
• Embed a risk culture
Risk framework: design of the framework
1) Understand the context of the organisation
• Internal (SWOT)
• External (PESTEL)
2) Risk management policy
Include the following:
i) Its aims and objectives for risk management, including how they support the wider
strategic objectives of the organisation;
ii) the processes, procedures, and activities that comprise its risk management framework,
including any other risk or control policies (policies for health and safety management,
information security or similar);
iii) governance arrangements for risk management, such as the use of a risk committee; and
iv) the allocation of roles and responsibilities for risk management.
A large or complex organisation may have multiple risk management policies. Different
business units may maintain their own individual risk management policies or different
policies may be drafted for different categories of risk.
Such an organisation will often have an overarching risk management policy to ensure that
any sub-policies are consistent with the overall objectives of the organisation, with each
other, and with the risk preferences of its stakeholders.
Risk Appetite Statement (risk policy)
i) A risk appetite statement will usually outline the types and levels of risk that an
organisation is willing to take in the pursuit of its objectives, as well as the risks that it is not
willing to take or will only tolerate in specific circumstances.
ii) Stakeholder risk preferences should be taken into account when deciding what risks to take
or avoid.
iii) A risk appetite statement may be kept as a standalone document or included in the risk
management policy.
iv) Larger organisations may choose to make some or all of their risk appetite statement
public. Public limited companies often include information on their appetite for risk in their
annual report.
v) Internally, an organisation may have more than one risk appetite statement. Statements
may exist for specific categories of risk or for different business units.
vi) An organisation may have a different appetite for different risks and business units.
vii) This will often reflect the strategy of the organisation, the risks it wishes to take to
achieve its objectives and the risks it may want to reduce to avoid business disruption,
unnecessary cost or operational inefficiency.
3) Accountability
• identifying risk owners that have the accountability and authority to manage risks;
• identifying who is accountable for the development, implementation and maintenance of
the framework for managing risk;
• identifying other responsibilities of people at all levels in the organization for the risk
management process;
• establishing performance measurement and external and/or internal reporting and
escalation processes; and
• ensuring appropriate levels of recognition.
4) Allocate appropriate resources
• people, skills, experience and competence;
• resources needed for each step of the risk management process;
• the organization's processes, methods and tools to be used for managing risk;
• documented processes and procedures;
• information and knowledge management systems; and
• training programmes.

Design of the framework (resources): the Three Lines of Defence

Risk framework: implementation

a) In implementing the organization's framework for managing risk, the organization should:
• define the appropriate timing and strategy for implementing the framework;
• apply the risk management policy and process to the organizational processes;
• comply with legal and regulatory requirements;
• ensure that decision making, including the development and setting of objectives, is aligned
with the outcomes of risk management processes;
• hold information and training sessions; and
• communicate and consult with stakeholders to ensure that its risk management framework
remains appropriate.
b) Risk management should be implemented by ensuring that the risk management process is
applied through a risk management plan at all relevant levels and functions of the
organization as part of its practices and processes.

Risk framework: evaluation and improvement

Risk framework: integration


Risk management should be embedded in all the organization's practices and processes in a
way that it is relevant, effective and efficient.
The risk management process should become part of, and not separate from, those
organizational processes.
a) In particular, risk management should be embedded into the policy development, business
and strategic planning and review, and change management processes.
b) There should be an organization-wide risk management plan to ensure that the risk
management policy is implemented and that risk management is embedded in all of the
organization's practices and processes.
c) The risk management plan can be integrated into other organizational plans, such as a
strategic plan.

C) Risk process
The risk management process should be:
a) an integral part of management,
b) embedded in the culture and practices, and
c) tailored to the business processes of the organization.
Establishing the context
Define the scope for the risk management process, define the organization’s objectives, and
establish the risk evaluation criteria. This includes:
• external context: regulatory environment, market conditions, stakeholder expectations
• internal context: the organization’s governance, culture, standards and rules, capabilities,
existing contracts, worker expectations, information systems
1. Risk assessment is the overall systematic process of risk identification, risk analysis and
risk evaluation.
a) Risk identification: to find, recognize and describe risks that might help or prevent an
organization achieving its objectives. Describe each risk and identify its risk owner.
b) Risk analysis: understanding the sources and causes of the identified risks; studying
probabilities/possibilities and consequences/impact given the existing controls, to identify
the level of residual risk.
c) Risk evaluation: comparing risk analysis results with risk criteria to determine whether
the residual risk is tolerable.
2. Risk treatment: changing the magnitude and likelihood of consequences, both positive
and negative, to achieve a net increase in benefit through formulating, selecting and
implementing risk treatment options.
3. Recording and reporting
The risk management process and its outcomes should be documented and reported through
appropriate mechanisms.
Risk management standards: National Standards Agency of Ireland
a) The National Standards Agency of Ireland (NSAI) provides additional guidance on ISO
31000 for Irish organisations in NWA 31000:2011.
b) This guidance outlines various risk management methods and techniques that Irish
organisations can use to implement an effective risk management framework.
c) The guidance covers topics such as:
• guidance on designing a risk management framework;
• how to draft a risk management policy;
• allocating accountability for risk management;
• establishing effective risk management communication mechanisms;
• risk assessment techniques;
• risk treatment options; and
• how to design an effective risk register (with an example).
The Orange Book
The Orange Book (HM Treasury, 2004) is published by the UK Government. Its purposes are to:
a) provide an introduction to risk management for those new to the discipline;
b) offer a set of principles against which risk management practices in organisations can be
benchmarked;
c) help senior leadership to understand their responsibilities for risk management;
d) provide practical support for those tasked with day-to-day risk management
responsibilities; and
e) offer insights into more advanced concepts like risk appetite for those with more risk
management experience.
The Orange Book is aimed at government organisations and departments, but it contains
much that is of use to all other types of organisation.
The document is a guide, rather than a standard or set of regulations. Government
organisations are not required to comply with the contents or implement all of the practice
that is contained within the Orange Book.
The Orange Book starts with what is termed a risk management ‘model’ with core tasks:
1) identifying risks
2) assessing risks
3) addressing risks (another term for risk control)
4) reviewing (monitoring) and reporting risks.
The Institute of Risk Management (IRM) Standard
The IRM Standard was developed by a team of risk management professionals working for
professional associations and consulting organisations. Input from other experts was obtained
during a consultation process.
The Standard is not intended to be prescriptive. It provides a best practice benchmark that
organisations can use to help design and implement effective risk management frameworks.
The Standard takes the view that risk management is an essential activity in all
organisations and that it complements both strategic and operational management.
Within the Standard, risks are considered to have an upside as well as a downside. Good
risk management should help an organisation to exploit risky opportunities and at the same
time mitigate the costs that may be associated with the adverse effects of risk exposures.
The Standard explains that the risks that may affect an organisation can result from factors
that may be external or internal to the organisation, or a combination of the two. These
factors are further categorised into financial, strategic, operational and hazard risks.
The Standard indicates that an organisation’s risk management process should be audited
periodically to determine whether it remains fit for purpose and to ensure it is operating
effectively.
The IRM Risk Management Standard discusses two further important components of a risk
management framework: the contents of a risk management policy and the documentation of
roles and responsibilities for risk management.
Case study
Chocs plc Background
Chocs plc (Chocs) was established in 1951 by Peter Davison. Despite the consistent success,
business growth is now slowing. The financial year-end results for 30th June 2019 reflect a
turnover of £425million (down by 7% from 2018) and a net worth of £642million (down by
5% from 2018).
A general decline in profits over the last five years has been attributed to increased
competition, rising prices of raw materials and increased labour costs worldwide.
Chocs has remained a family business in culture and ethos, and at age 99 Peter still tries to
attend the AGM each year. The CEO is now Susan Davison, Peter’s grand-daughter, who took
over from her father (Peter’s son, Ben, who remains as Chair) in 2011. Although in many
ways unrecognisable from 1951, the Birmingham factory is still the head office and is the
centre of a highly modernised production operation. An external stakeholder would consider
this to be a business where all was running well.
Chocs now has seven sites across the world employing approximately 1,800 people. They
differ only in size and capacity, but all offer a generalised range of products. At the last Board
meeting Susan proposed a review of site capacity with a view to developing specialisation at
certain sites; she was concerned that the declining profitability was at least in part due to loss
of focus and the risk of Board complacency about future viability. This was not received well
by Ben, and further discussion was deferred to the next meeting.
42% of Chocs shareholding remains with family and family trusts, the remaining 58% is
traded (infrequently) on the Alternative Investment Market after a successful IPO led by Ben
in 2007. The funding raised enabled expansion, modernisation and a capital return to the
family shareholders. The institutional and retail shareholders are mainly longer-term
investors and have generally been satisfied with dividend return and share price stability.
Governance
Chocs has seven directors:
• two executive directors – Susan Davison (CEO) and Kenneth Dwight (CFO);
• three family NEDs – Ben Davison (Chairman) and two of his cousins (Peter Balfour
and Elsie Davison) – family NEDs are proposed and elected by a council representing
family shareholders;
• two independent NEDs – Ramesh Singh (based in Mumbai) and Stefan Volski (based
in Warsaw).
Three months ago, you were appointed as Company Secretary reporting to the CEO.
The board meets eight times a year (four times in Birmingham and four times at different
operating sites of the business). An Audit Committee and a combined Remuneration and
Nomination Committee each meet three times a year, usually coinciding with a board
meeting. All NEDs are the constituent committee members, and all meetings are attended by
the executive directors.
The AIM investors have been happy with this governance arrangement thus far, not least
because the financial returns have remained consistent and in line with expectations.
Risk and control
• The key strategic and operational decisions throughout the business seem to be made
through closed and un-minuted weekly meetings between Ben (Chairman), Susan
(CEO) and Peter Balfour (family NED).
• Papers presented to Board meetings are short, succinct headline summaries from each
operating business.
• Decisions seem to have already been made and are only brought to the Board for
ratification.
• You have discussed this with Kenneth, who told you that this was the culture. He was
sometimes at these meetings and was treated as family, as his partner is a
nephew of Ben.
• As Chocs has large scale production capability, health and safety (H&S) features
frequently in operational reports, but again is only ever summarised in Board papers,
usually in the form of pie charts.
• Having analysed the figures further, you find that there has been an increase in
reportable Health and Safety (H&S) incidents at five out of the seven sites across the
past 24 months, but this is barely mentioned in the board reports.
• Having read through the Board and Committee papers for the past three years, you
find there is very little record of how the directors view the alignment of strategy, risk
and control.
• Each site keeps their own version of a register of the risks pertinent to their site (partly
to keep the local H&S regulators satisfied). Each site has a high level of autonomy
with regard to its approach to risk management.
• Monthly local reports regarding risk and any related incidents are amalgamated by a
team at the Chocs site in Ireland using a spreadsheet to provide a set of charts which
appear as an appendix to the Board papers.
• There is no minuted record of director discussion of any level of risk strategy,
although you assume this must have happened as there are oblique references to a
number of accidents across the world, and to two deaths that have occurred on Chocs
sites (one in Poland earlier in the year, and one in Brazil last year).
• Control, in so far as it exists at all, seems to be delegated to a very low level on
individual sites, and then discussed only confidentially at the weekly closed meetings.
• Stefan has discussed with you his concerns regarding a lack of risk management
awareness. He is also surprised at the lack of apparent concern from the English
directors; he has assumed that they just have more experience than him of running this
type of business. He is aware of his duties under UK law and plans to raise the issue
at the Board meeting, scheduled to be held on the Chocs site at Sao Paulo next
month.
• He has talked to Ben about the whole H&S and CSR approach but has been told that
“CSR is just another acronym designed to take valuable director time”.
It has also been brought to your attention in a conversation with Stefan that cocoa farmers in
South America have staged a series of protests over the low wages and payments that they have
been receiving for their goods and services. Chocs has been wrongly implicated as one of the
companies who have attempted to hold down prices. This has received media attention, and
support groups are threatening a media campaign to boycott Chocs’ products.
1. Discuss the relevance of risk categorisation and the risk management process of
identification – assessment – monitoring – control.
2. Analyse the governance benefit for Chocs of incorporating a risk control framework
such as the three lines of defence into its risk management strategy.