Having a robust risk framework | Risk management - Business Resilience Toolkit скачать в хорошем качестве

Having a robust risk framework | Risk management - Business Resilience Toolkit

Business Resilience Toolkit - Having a robust risk framework Presented by Andrew Ellis, Business Consultant A risk management framework is one of the most important systems for organisational resilience. Here’s an example of a framework, especially designed for not for profits. Transcript: When it comes to creating a resilient business, the framework for how you manage risks has to be one of your most important systems. It’s important that your risk framework address the three different types of risk – which we have addressed in one of the other videos in this series. Today, we are going to quickly walk through the risk framework that CBB has developed to help not for profit organisations. My name is Andrew Ellis and I’m a business consultant with Community Business Bureau (CBB). 1/ The first element of the Risk Framework is Risk Governance The Board is ultimately responsible for the management of risk and overseeing the framework – including the risk policy and appetite; fostering a culture that addresses risk; reviewing and overseeing strategic risks; and monitoring emerging strategic risks. Risk is governed around the context of the organisation internally and externally within your sector and broader environment. Internal context includes your strategic plan; vision, purpose and direction. External context includes trends and risks in the sector and environment. The Board’s role includes to foster the risk culture with the tone set from the top of the organisation. Management embed and nurture a proactive approach to risk. Management ought prepare a draft risk appetite for review and approval with the Board – outlining the types and levels of risk that the organisation is willing to take on in the pursuit of the overall vision and objectives. This risk appetite informs policies, authority limits and delegation frameworks. As an example, the Board might have very little tolerance around safety/quality, but may be prepared to take some moderate financial risks. The Strategy process should consider risk and opportunity in a proactive way. This also includes addressing risk and opportunity in the Budget. 2/ The second element of the Risk Framework is Risk Processes The risk policy and procedure are an important first part of your risk processes. Originally written over 15 years ago the ISO 31000 model of a structured process of risk analysis, prioritisation, treatment and ownership remains just as relevant as when it was written. And that process helps to create a risk register which is used to analyse, categorise, mitigate risks and identify their owners. As we have spoken about with external risks, it is critical to have a regular process to review and update the risk register, including reporting to management and Board with updates. Once a Business Continuity Plan has been established, scenario planning and testing should be done to ensure management understand the Plan, and that the Plan continues to evolve and develop. 3/ The third and last element of the Risk Framework is Risk Resourcing Ownership should be allocated to an individual or group for each identified risk in the risk register, and for strategic risks that are before the Board. Business Units and Corporate Functions each have a different role with risk. Business Units/departments seek to take intelligent risks; identify, assess & mitigate risks, and report to management. Corporate Functions are proactive in identifying and managing risks in their area of expertise (e.g. cyber security, WHS, compliance requirements) and provide guidance and challenge to business units, as well as support to management. As an organisation grows, it should have a resource/s dedicated to supporting and coordinating risk management activities. Might be Quality Manager. This doesn’t relieve other employees of their responsibility to identify and manage risk – the whole business needs to be risk aware, but someone should have a dedicated role responsible for ensuring risk management is being done effectively Business processes (policies, procedures, forms) should incorporate elements of risk in to their design and how they operate. e.g. HR, IT, strategy; budget; insurance; marketing, service delivery, Finance, Quality, WHS. Lastly, internal, external and financial audits can provide assurance that controls and risk mitigation plans are in place and effective. As you have watched through this video, what stands out as the one or two things you most need to improve in your business? What can you change or act on from what you heard today in order to improve your business resilience? Related video to watch next: 5 steps to develop risk maturity.