Risk Management

This page provides a brief introduction to risk management. It explains some of the terms and points to a wider range of resources to help your research. This includes documents published by the Institute in relation to the risk management process and the role of internal audit. 


What do we mean by risk, ERM and risk management?

The IIA's International Standards define a risk as "the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood."

In organisations risk management is central to good governance and effective strategic management. It is a structured, consistent and continuous process across the whole organisation for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives. This is known as enterprise risk management or ERM.
 
For most organisations risk management is concerned with both the positive and the negative aspects of risk. In other words, risk management is used to evaluate opportunities that may benefit the organisation (upside risk) as well as to manage things that could have an adverse impact (downside risk). This means risk management can not only be applied holistically across the organisation but also to a range of activities, from strategic initiatives, projects and investments to processes and operations.


How does the process work and who owns it?

Risk Management Cycle

The Institute has published ‘Risk management processes - the fundamentals’, which summarises the recognised stages involved in the process and some of the key concepts such as risk appetite, responses to risks, and inherent and residual risk.

Everyone in the organisation plays a part in the success of risk management and ERM but the primary responsibility for ensuring that risks are managed rests with the board.

In practice, the board is likely to set out its expectations within a risk policy, which delegates the design and implementation of the risk management strategy and framework to the senior management team, who may establish a risk management team to co-ordinate and project manage activities.

In 2011 ALARM, the public services risk management association, issued core competencies for risk management roles to help organisations establish a common risk language and process.



What is the role of internal audit?

The Institute published a Position Statement in 2004 entitled ‘The Role of Internal Audit in Enterprise-wide Risk Management’, which has been recognised as a Position Paper in the IPPF. It provides more detail about the various roles that internal audit can perform depending upon the maturity of the risk management culture within the organisation. The Institute has also published ‘An approach to implementing Risk Based Internal Auditing’, which sets out methodologies for assessing an organisation's risk maturity, preparing periodic audit plans and carrying out individual assurance engagements.



Is there an agreed definition and approach for risk management and ERM?

The diversity of ideas and broad application of risk management means that there is no universally recognised definition or approach, although ISO 31000 has gained wider recognition in recent years. The following list provides links to some of the standards and frameworks (some of which require a purchase) that explain the principles, concepts, benefits and processes related to risk management and ERM:

Each standard or framework provides a way of categorising risk to assist identification, assessment and evaluation. The different ‘types’ of risk that they recognise can be used to tailor an approach to suit your organisation.

Risk Appetite

Some organisations find it difficult to determine and apply a risk appetite. A guidance series by HM Treasury entitled ‘Thinking About Risk’ and ‘Setting Your Risk Appetite’ sets out emerging views and case studies that provide practical help for organisations. Ernst & Young also offer some practical examples on setting risk appetite.

In addition, the Institute of Risk Management (IRM) has published risk appetite guidance (September 2011) in two separate parts. The executive summary highlights the key messages and requirements for creating and maintaining an effective risk appetite, while the more detailed report, entitled ‘Risk appetite and tolerance’, describes how organisations can design, construct and implement a risk appetite. It includes questions for the boardroom and five tests for appetite frameworks.



Risk management and ERM resources

Risk management and ERM resources are available within our Resource Library, including magazine articles and an example of a Risk Management Assessment Framework from HM Treasury. The framework uses the EFQM excellence model to review the way in which an organisation has established a risk management culture and the procedures that support it.

If you feel we can make useful additions to the page please contact our Technical Manager, Chris.Baker@iia.org.uk 
