APPENDIX
CIPFA’s Model for Assessing Risk Maturity
Vision, commitment and ownership
Vision comes from the top and should be shared throughout the organisation. To have any impact, risk management must have strong support and endorsement from the top. The ownership of risk cannot be delegated and must be owned by those accountable for the achievement of their element of the organisation’s objectives, at whatever level.
The approach and structure that the organisation uses to integrate risk management into its management arrangements should be reflected in a formal corporate risk policy/strategy which:
- is a method of communicating the risk philosophy of the organisation
- explains how risk management is to be implemented
- details the different responsibilities for risk management in the organisation
- highlights procedures that should be adopted in the risk management process.

The policy/strategy statement will include:
- a mission/objective statement
- a summary of the procedures needed to implement the policy
- a risk management organisational structure.

The organisation’s risk appetite and risk tolerance should be established and included:
- Risk appetite is the level of risk that the organisation will accept in providing value to its stakeholders. This ranges from ‘risk averse’ through ‘risk neutral’ to ‘risk taking’. It is important to have a good understanding within the organisation of the types of risk it is willing to take, and also at what level of activity staff have the necessary authority.
- Risk tolerance is used to consider the most appropriate responses to the management of the identified risks.

Key issue
Management, staff and the governing body have a shared view of risk and understand the acceptable level of risk taking.

Key questions for consideration
- Is there a common language used throughout the organisation relating to risk?
- Does the risk policy/strategy define risk in easy-to-understand terms?
- Is there encouragement to consider risks as opportunities as well as threats?
- Is the risk policy/strategy approved at governing body level and communicated to all managers?
- How is the organisational risk appetite and tolerance level expressed and communicated?
- Does the risk policy/strategy make it clear that risk assessment is an integral part of the business planning process?
- Is the risk policy/strategy specific about the outcomes and benefits that the organisation expects to achieve from risk management?
- Does the business plan set out a vision for risk management in the future as part of a continuous improvement approach?
- Does the annual governance statement disclosed by the governing body reflect the risk management approach and describe the organisation, and is it relevant to key stakeholders?

Key documents
- Risk policy and/or risk strategy (including risk appetite)
- Business plan
- Annual governance statement published in annual financial statements and report
- Strategic and project plans incorporating opportunities and initiatives

Consideration of risk maturity for this element

|            | Risk enabled | Risk managed | Risk defined | Risk aware | Risk naive |
| Now        |              |              |              |            |            |
| Short term |              |              |              |            |            |
| Long term  |              |              |              |            |            |

Comments:
Structure, roles and responsibilities
An effective structure is likely to include a working group or risk committee, bringing together staff from the main services, with a chair at a senior responsible level to organise and lead the activity:
- Membership will depend on the size and the structure of the organisation and could include representatives from top management and those responsible and accountable for areas of significant risk.
- The roles and responsibilities of all parties are a critical area. All parties must play their part and have a share of accountability for managing risk in line with their responsibility for the delivery of objectives.
- Clear and effective reporting lines should be established between the governing body and the executive management team on the management of the key risks, informed by different specialist advisers and/or the risk committee.
- The key risks will need to be clearly aligned to the business objectives, with allocation of ownership, accountability and responsibility to individual top managers for a group of selected key risks, as well as collective/corporate responsibility. There needs to be a clear line of communication between the risk group/committee and the audit committee, whose terms of reference should include oversight of the risk management process.
Key issue
There is a clear understanding of, and accountability for, risk.

Key questions for consideration
- Is there a synergy between the objective of the team carrying out the risk assessment and the risks for which they are responsible? (Top management is responsible for strategic risks, departmental management for functional risks, project teams for project risks, etc.)
- Are accountability and responsibility for monitoring and reporting clearly shown for key risks at top management level?
- What is the process for reporting control failures and learning from problems, and how does this feed back into the risk assessment?
- Do the terms of reference for the governing body and committees set out their responsibilities for risk management?
- Do the governing body, management and staff have the knowledge and skills necessary to support the achievement of objectives and the management of risk?
- What training in risk management is offered to staff, management and governing body members?
- Has a risk panel or similar ‘expert’ co-ordination group been established, or is this function carried out by another group?
- Do governing body papers and minutes show clear consideration of risk in making decisions?
- Has the role of internal audit in risk management been considered, and have safeguards to independence been put in place if necessary?
- Have risk management responsibilities been written into the job descriptions and performance expectations of managers?
- How is best practice spread throughout the organisation?

Key documents
- Governing body and committee terms of reference, including audit committee
- Governing body and committee minutes and papers
- Organisational training programme/documents
- Policy for sharing information on control failures
- Risk panel terms of reference
- Job descriptions

Consideration of risk maturity for this element

|            | Risk enabled | Risk managed | Risk defined | Risk aware | Risk naive |
| Now        |              |              |              |            |            |
| Short term |              |              |              |            |            |
| Long term  |              |              |              |            |            |

Comments:
Identifying the risks
Ultimate responsibility and ownership of the process of risk identification lies with the organisation’s executive/governing body. The task of risk identification may be carried out at this top level of management or devolved or delegated to a corporate risk management group/committee:
- No one person will have the depth of knowledge to take on the task of identifying risks for the whole organisation. A number of people should be involved, across disciplines, so that every aspect of risk and its impact can be identified.
- The process involves identifying the key aims and objectives of the business. Failures to achieve these aims and objectives therefore become the key risks.
- The process of identifying the key risks aligned to the business aims and objectives can be carried out by the top levels of management/the governing body.
- The various elements of the business that contribute to these key risks can be identified and mapped. The individual contributory risks can be identified at a lower and a specialist level.
- This simple approach can very quickly produce a logical basis for a risk register, with responsibility for the key risks allocated to individual members of top executive management and the contributory lower levels attributed to middle or specialist management.
- The reporting/monitoring structure will provide the link between these levels of management for regular monitoring and reviewing of the key and contributory risks.
- Top management should concentrate on a finite number of top key risks – around a dozen is considered the optimum number – and perhaps 50 to 60 contributory risks. The compilation of a risk register with hundreds of risks is counterproductive and dilutes the focus of attention.
Key issue
Risk identification is comprehensive, timely and part of the organisation’s business planning process.

Key questions for consideration
- Is there a clear link between objectives and risks at all levels?
- Are strategic objectives clear, concise and set at the highest level, to ensure that risk assessment is focused on strategic rather than operational risks?
- Is there an experienced and capable facilitator who can lead managers and governing body members through the process?
- Are risks described in a way that everyone can understand, using common organisational language?
- How does the organisation ensure the risk identification process is comprehensive?
- Does the organisation make use of risk workshops and ensure that risks are identified by all relevant people?
- Has information been produced that could usefully inform the process? (Sector benchmarks, feedback on risks that have materialised, environmental scanning, best value reviews, budget reports, etc.)
- Does risk identification happen both before and after the business planning process, so that it informs the plan in terms of which risks to take and which to reduce, and supports the achievement of key objectives?
- Is there a process for identifying opportunities?

Key documents
- Business plan and objectives
- Risk assessment timetable for governing body and management reviews, meetings and workshops categorising and prioritising risks
- Risk assessment guidance for managers or risk workshop agendas
- Sector guidance on common risks
- Project methodology

Consideration of risk maturity for this element

|            | Risk enabled | Risk managed | Risk defined | Risk aware | Risk naive |
| Now        |              |              |              |            |            |
| Short term |              |              |              |            |            |
| Long term  |              |              |              |            |            |

Comments:
Categorising and prioritising the risks
The key risks and main contributory risks will need to be linked, prioritised and categorised – possibly into ‘high’, ‘medium’ and ‘low’ – to ensure a comprehensive understanding of the threats to achieving the business objectives and opportunities to take risks. This process can range from a group of people using their collective judgment and wisdom to complex scoring mechanisms.
To categorise risks, a systematic approach such as APRICOT can provide a structure to the process, taking into account:
- Assets (buildings, contents, material)
- People (personal security, safe working systems, welfare, health)
- Reputation (poor media coverage, political embarrassment)
- Information (breaks in service delivery, IT failures)
- Continuity of Operations (failure, poor service delivery)
- Targets (failure to meet targets, best value).

And using CEI, the following issues could be addressed:
- Cause (eg strikes, shortage of essential materials, natural phenomena)
- Effect (eg material damage, loss of staff, lack of required resources)
- Impact (eg service failure, inability to meet targets set by government).
The raw material can be refined by these techniques and a risk graph developed. The likelihood and impact can be scored on the graph, for example high = 3, medium = 2, low = 1. The objective of this simple process is the production of an approximate ranking that will allow immediate concentration on the risks judged to be high and their relevant controls, and, equally important, discussion of their cause and effect.
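As an added illustration, not part of the CIPFA model itself, the following Python sketch applies the high = 3 / medium = 2 / low = 1 likelihood-and-impact scoring to a small constructed risk register, produces the approximate ranking described above, and runs the checks that the key questions in this element and in ‘Action and response’ ask about: inherent versus residual scoring, tolerated risks kept within appetite, treated risks actually reduced, and an owner allocated to each risk. The banding thresholds, field names and sample risks are assumptions made for the example.

```python
# Added example (not from the CIPFA appendix): scoring and reviewing a risk
# register on the page's 3/2/1 scale. Banding thresholds, field names and the
# sample risks below are assumptions for illustration only.
from dataclasses import dataclass

SCORE = {"high": 3, "medium": 2, "low": 1}
FOUR_TS = ("tolerate", "transfer", "terminate", "treat")


@dataclass
class Risk:
    ref: str
    description: str
    category: str             # APRICOT heading (Assets, People, Reputation, ...)
    owner: str                # top manager accountable for this risk
    likelihood: str           # inherent, i.e. before controls are applied
    impact: str
    residual_likelihood: str  # after the documented key controls
    residual_impact: str
    response: str             # one of the four Ts


def score(likelihood: str, impact: str) -> int:
    """Likelihood x impact on the 3/2/1 scale: 1 (low/low) up to 9 (high/high)."""
    return SCORE[likelihood] * SCORE[impact]


def band(value: int) -> str:
    """Assumed banding of the 1-9 product back into high/medium/low."""
    if value >= 6:
        return "high"
    if value >= 3:
        return "medium"
    return "low"


def inherent(risk: Risk) -> int:
    return score(risk.likelihood, risk.impact)


def residual(risk: Risk) -> int:
    return score(risk.residual_likelihood, risk.residual_impact)


def prioritise(register: list[Risk]) -> list[Risk]:
    """Approximate ranking: highest residual score first, inherent score as tie-break."""
    return sorted(register, key=lambda r: (residual(r), inherent(r)), reverse=True)


def review(register: list[Risk], appetite: str) -> list[str]:
    """Checks drawn from the key questions; returns one finding per problem found."""
    findings = []
    for r in register:
        if r.response not in FOUR_TS:
            findings.append(f"{r.ref}: response '{r.response}' is not one of the four Ts")
        if not r.owner:
            findings.append(f"{r.ref}: no owner allocated")
        if r.response == "tolerate" and SCORE[band(residual(r))] > SCORE[appetite]:
            findings.append(f"{r.ref}: tolerated but residual {band(residual(r))} exceeds appetite {appetite}")
        if r.response == "treat" and residual(r) >= inherent(r):
            findings.append(f"{r.ref}: treated but the controls do not reduce the score")
    return findings


# Constructed sample register: three illustrative risks, not real data.
SAMPLE = [
    Risk("R1", "Loss of the primary data centre", "Continuity of Operations",
         "Director of IT", "medium", "high", "low", "high", "treat"),
    Risk("R2", "Key supplier insolvency", "Continuity of Operations",
         "", "low", "high", "low", "high", "tolerate"),
    Risk("R3", "Adverse media coverage of a service failure", "Reputation",
         "Chief Executive", "medium", "medium", "medium", "medium", "treat"),
]
```

Running `review(SAMPLE, "low")` flags R2 twice (no owner; tolerated at a residual ‘medium’ against a ‘low’ appetite) and R3 once (treated, but the residual score equals the inherent score).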
Key issue
Risks are prioritised to ensure an appropriate management consensus on the level of control and monitoring and an appropriate level of reporting.

Key questions for consideration
- Are there clear criteria for categorising and prioritising risks?
- Do the criteria make clear which are the primary risks for management focus?
- Are risks evaluated on the basis of the likelihood (or probability) of the risk occurring and the consequence (or impact) of occurrence?
- Is it clear whether risks are prioritised as inherent risks (before controls are applied) or residual risks (after controls are applied)?
- Are the risk scoring (or prioritisation) criteria sensitive enough to show differences in risk priority, and simple enough that they are easy to review and keep up to date?
- Does the scoring process ensure consensus from the management team about the significance of the risk?

Key documents
- Risk assessments
- Risk register
- Risk assessment guidance
- Reports on changes to risk positions

Consideration of risk maturity for this element

|            | Risk enabled | Risk managed | Risk defined | Risk aware | Risk naive |
| Now        |              |              |              |            |            |
| Short term |              |              |              |            |            |
| Long term  |              |              |              |            |            |

Comments:
Action and response
Having identified the key risks and prioritised them, the next stage is to decide what the response should be. The organisation will want to tackle those risks that threaten the key business objectives and service provision, and/or areas where the existing controls are weakest. There are a number of generally accepted techniques – known as the ‘four Ts’:
- Tolerate – informed decision by management to accept the impact or consequences of a particular risk occurring.
- Transfer – traditionally, organisations have sought to transfer risks to an insurer. Outsourcing and public–private partnerships also provide an opportunity to transfer risks. It is important to note that the responsibility is not transferred.
- Terminate – take steps to remove the risk by stopping the activity.
- Treat – take action.
A fifth T is ‘Take the opportunity’. This option is not an alternative to those above; rather, it is an option that should be considered whenever tolerating, transferring or treating a risk.
Having identified and prioritised the risks and the controls in place to manage them, there will always be an element of risk remaining. This is referred to as residual risk. The organisation will have gone through the process of deciding whether it can live with this level of risk. This will be influenced by the organisation’s risk appetite – see chapter two.
Key issue
There is a clear understanding of how the risk is to be managed.

Key questions for consideration
- Does the risk assessment document show how each risk is to be managed in terms of the four Ts or similar criteria?
- Is it clear that those risks to be ‘tolerated’ are within the organisation’s risk appetite?
- Where risks are being ‘treated’, are the key controls documented and evaluated, and will they actually reduce the risk (likelihood and/or impact)?
- Where a risk is to be ‘terminated’, are there plans in place to do so, and is the action to date timely and appropriate?
- Are liability and accountability for ‘transferred’ risks sufficiently clear?
- Are actions taken in a timely way?
- Are actions, ownership and timetables for treating residual risks clear and appropriate?

Key documents
- Risk assessment
- Risk strategy (risk appetite definitions)
- Exit strategies and plans
- Insurance records
- Partnering agreements
- Contracts
- Service level agreements (where risk is transferred to another department)
- Monitoring reports on outstanding risk actions

Consideration of risk maturity for this element

|            | Risk enabled | Risk managed | Risk defined | Risk aware | Risk naive |
| Now        |              |              |              |            |            |
| Short term |              |              |              |            |            |
| Long term  |              |              |              |            |            |

Comments:
Monitoring and review
Performance monitoring of risk management activity must ensure that the treatment of risks remains effective and that the benefits of implementing risk control measures outweigh the costs of so doing:
- The performance monitoring procedure needs to be continually reviewed – not only the whole process, but also individual risks and projects.
- There should be a clear structure for reporting risk management activity back to the governing body/executive regularly – at the very least annually, to review risk management policy/strategy and identify and agree major changes; and at least quarterly, to track key risks and action plans, and new and emerging risks.
- Members of the top executive management will also require regular interim updates from delegated managers on the individual risks that contribute to the key risks for which they have personal responsibility.
- High-quality, accurate and timely information is essential at the top and at intermediate reporting levels to identify and review the risks, and their management and action.
- Successful initiatives and the reduction of risks should be publicised, as should the continuing commitment from the very top.
- Top management needs to promote a positive attitude towards the understanding and treatment of risks, ranging from major projects to individual jobs.
- The audit committee has a role in reviewing the effectiveness of the process and ensuring there are no surprises for the governing body/top management.
Key issue
The organisation’s risks and controls are regularly assessed, evaluated and reported in relation to changes in objectives, market and environment.

Key questions for consideration
- Does the organisation have key performance measures relating to important risks?
- Are actions arising from control weaknesses implemented in a timely way?
- Is there a process for assessing significant emerging risks in between normal risk assessment timescales?
- Does the audit committee (or committee with oversight of risk management) annually review the risk management approach?
- Are risk assessments dynamic, demonstrating changes in priority and risk exposure, and are these trends reflected in reports?
- Does internal audit report on the reliability of management assessment of risk and control when auditing risk areas?
- What is the frequency for reporting to top management?

Key documents
- Performance management framework
- Governing body reports
- Risk committee reports
- Trend reports
- Control failure reports
- Risk assessments
- Audit committee terms of reference, minutes and meeting papers
- Internal audit reports

Consideration of risk maturity for this element

|            | Risk enabled | Risk managed | Risk defined | Risk aware | Risk naive |
| Now        |              |              |              |            |            |
| Short term |              |              |              |            |            |
| Long term  |              |              |              |            |            |

Comments:
The extended enterprise
No organisation is entirely self-contained – it will have a number of interdependencies with other organisations. These are sometimes called the ‘extended enterprise’ and will impact on the organisation’s risk management, giving rise to certain additional risks that need to be managed.
Where one organisation has a direct impact on the risk another organisation faces, an effective liaison between the two organisations is essential to facilitate a risk management approach to allow both to achieve their objectives. These relationships may range from straightforward supply of goods that the organisation requires in order to function, through to delivery of major services. This could include public–private partnerships or contracted-out services such as IT.
Key issue
There are effective arrangements for managing risks with partners.

Key questions for consideration
- Are the risks associated with all other influential organisations assessed and managed?
- Is consideration given to a consistent and common approach to managing risks that cut across organisation boundaries?
- Has the extent of risk transfer been considered and acted upon?
- Is there reliable and regular information to monitor the risk management performance of all organisations involved?
- Are there adequate contingency arrangements?
- Where risks are transferred, are accountabilities clearly established and performance monitored?

Key documents
- Service level agreements
- Contracts
- Contract management reports
- Performance statistics/monitoring
- Project risk assessments

Consideration of risk maturity for this element

|            | Risk enabled | Risk managed | Risk defined | Risk aware | Risk naive |
| Now        |              |              |              |            |            |
| Short term |              |              |              |            |            |
| Long term  |              |              |              |            |            |

Comments:
Embedding risk management
Within an organisation there needs to be a framework for the various risk management processes that occur as part of the organisation’s normal procedures. Integrated risk management can only be said to have been fully achieved when the management of risk is embedded into all the functions and processes within the organisation; when everyone from the chief executive down is risk aware:
- Given that all organisations must take risks, it is important that each one decides its tolerance level, ie its risk appetite. Risk management should become an integral part of business processes, including development and expansion, bids/tenders, investment appraisal and change management.
- A key factor in setting the tone for risk management is the right message from the top: personal objectives and targets embracing clear, concise and regular endorsement, so that risk assessment can be applied to the kinds of decision made every working day, at all levels of the organisation.
- Sufficient funding is required to enable risk treatment measures to be evaluated and implemented. Provision of staff time for training and attendance at the risk group/committee is essential.
Key issue
Risk management is embedded in the normal governance and management process of the organisation and is not seen as a ‘one-off’ or ‘add-on’ exercise.

Key questions for consideration
- Is it clear that risk is on the agenda at strategy reviews, budget approval meetings, performance reviews, project planning and review meetings, as well as being a scheduled item on the management team and governing body agenda?
- Is there evidence of senior management commitment to, and endorsement of, risk management?
- Is risk assessed at both pre- and post-business-planning sessions, and are revised risk assessments approved along with the business plan and budget?
- Are control failures and the materialisation of risk discussed openly and in an environment that encourages learning that is shared throughout the whole organisation?
- Are insurance managers, risk managers and internal auditors asked to advise on and review the quality of risk management?
- Is risk management part of every manager’s competency framework, job description and performance appraisal?
- Does the organisation reward good risk management and early problem prevention?
- Does the performance management system act as an early warning of risks materialising in the key risk areas of the business?
- Is there a common language for risk management that is communicated effectively and generally understood?
- Are successes publicised and managers rewarded for sharing lessons from things that did not go according to plan?

Key documents
- Governing body and management meeting agendas and away-day notes
- Business planning and risk assessment timetable
- Control failure/risk materialisation reports
- Risk panel meeting agendas and minutes
- Performance management framework
- Training programme
- Project methodology
- Job descriptions
- Performance appraisal records
- The organisation’s main communication tools

Consideration of risk maturity for this element

|            | Risk enabled | Risk managed | Risk defined | Risk aware | Risk naive |
| Now        |              |              |              |            |            |
| Short term |              |              |              |            |            |
| Long term  |              |              |              |            |            |

Comments: