Reviewing a Risk Control Framework

[The material below is the work of an ad hoc IAA working group.  It was produced in 2011 but never completed or published.  RISKVIEWS is sharing so that this good work can be viewed.]

A Risk Control Framework (RCF) can be considered as the measuring stick against which risk management performance will be judged. It is right at the heart of the co-ordinated activities used to control an organisation with regard to risk, that is risk management.

The effective management and leverage of risk should add to the bottom line of an organisation that implements it. The risk control framework is a central tool in an organisations armoury, that can be used to ensure that the organisation achieves its strategic goals, with regard to an accepted and monitored level of risk.

There needs to be committment at a high level to managing the risk, and this should be transparent. This would involve the risk managers having a very clear view of what the company does and not just trying to avoid risk. It should be undertaken to the extent that it pays for itself, although this is hard to measure. Ownership and implementation by all is required as a risk in one small section of the organisation can be a serious threat to the whole organisation.

A RCF would need to be bespoke and fit the organisation’s Vision, Mission, Objectives, Strategy and Tactics (VMOST).

<An organization’s vision is all about what is possible, all about potential and may be aspirational. The mission is what it takes to make that vision come true. Happy to change the words or put in a definition, the point being that there is a bigger picture view of whats going on that the risk control frame work need to be informed by this. I really want to get across that the risk management need to be alighned, to what the organisation is trying to achieve >.

The RCF can act as a focus and ensure that:

• There are no gaps and that there is appropriate accountability
• Aligning organsiations objectives with the RCF
• The reporting mechanisms and management system is embedded – this could be a driver of culture
• A uniform risk criteria and evaluation metrics is created – those accountable know how they are going to be measured

Given much risk is derived from a company’s culture (think investment banking culture/ENRON etc), and that the ease of implementing the key stages will also depend on culture. For example if the risk control framework may be excellent on paper, but if it is not implemented effectively then it is not worth the paper it is written on.

A clear goal of the RCF is to ensure clarity of the risks being managed along with appropriate accountability (with individuals) for ensuring effective action.

When implementing an RCF (either creating a new one or testing an existing RCF) then the following model internal factors (using the McKinsey 7 s framework ) should be considered:-

Hard factors (tangible)
Systems

• Are there systems in place that can assist in risk identification and monitoring?
• Can an IT soution be implemented for subsets of systemic risk (e.g. aggregate monitoring for RI’s)?
• What are the legal minimums with respect to certain risks, how is compliance measured?
• Is there information already gathered

Strategy

• Does strategic planning consider risk management, is it open to this, can risk management contribute?
• Does risk management have board level support?
• What is the organisations risk appetite?
• What is the organisations risk tolerance?

Structure

• Is the risk management function senior enough to have an influence?
• Do the risks need to be restructured so that a single individual/department can take the key responsibility for certain cross function risks?
• Is there a forum for considered emergent risks?
• Are there regional or location specific risks to consider, how integrated is the whole approach?

Soft factors (intangible)
Style

• The way management goes about solving problems, listening or dominant there are ways to measure this
• Passive vs active management
• Business goal driven or risk averse
• Who makes the key decisions – who is involved – is this structured?  Does risk management get a seat?

Staff

• The collective presence of the people- different styles will appeal to certain types: gung ho vs risk averse
• How active is the framework managed, active “positive assurance” to passive “nothing has come my way”
• Are staff time poor, are there dedicated risk staff in business units?
• Is risk perceived as compliance rather than business driven?

Skills

• adaptable, thoughtfull, processing?
• Is there suffienct understanding of what is risky and what is unknown?
• Are the risk able to be measured
• Are there enough skillfull communicators to ensure that messages sent are received in the same context internally

Shared Values

• infighting between depts, risk mgmt seen as an inhibitor rather than strategic?
• Is the companies strategic vision emebeded in the culture, is each department headed in the same direction?
• Is there interdepartmental meetings happening or a siloed approach?
• How are decisions made, centralised vs local, is this effective, who has the final say?

The above can act as a litmus test to perhaps assess the receptiveness or otherwise of the risk management in general, an important part is the links between the factors. For risk management to be effective it needs to be part of “the way things are done around here”, ie the companies culture.

The following are the key minimum generic elements that need to be considered in a Risk Control Framework(RCF):-

• Risk identification
• Risk monitoring
• Policies and limits
• Risk Treatment
• Limit Compliance
• Feedback

Effectiveness

It can often be difficult to measure the effectiveness of effective controls as the events that the controls are in place to prevent never happen. This lack of event could be an effective control well implemented or an uneccesary control (similar to the old anti elephant powder joke).

Below we give some definitions on the effectiveness of the RCF using the minimum criteria identified above.

Ad Hoc Risk Control Framework

• Risk identification – Not all significant risk exposures have been identified.
• Risk monitoring – Company’s risk monitoring is informal, irregular, and of questionable accuracy.
• Policies and limits – Risk limits are not documented or are so broad that they do not have any impact on operational decision making. Risk limits and policies are not widely known or understood.
• Risk Treatment – Risk-management activities are situational, ad hoc, and driven by individual judgment.
• Limit Compliance – Review of compliance of limits is irregular, and often there are no consequences for exceeding limits.
• Feedback – Company quickly puts loss situations behind it without review or with a review of extremely limited scope.

Basic Risk Control Framework

• Risk identification – Significant risk exposures are believed to have been identified.
• Risk monitoring – Company’s risk monitoring is performed post events, tend to miss events before they occur
• Policies and limits – Risk limits are documented,  but they have limited impact prior to an event that is they do not have any impact on operational decision making.
• Risk Treatment – Risk-management activities not laid out, but are raised to management
• Limit Compliance – Review of compliance of limits is irregular, and often there are no consequences for exceeding limits.
• Feedback – Company quickly puts loss situations behind it without review or with a review of extremely limited scope.

Standard Risk Control Framework

• Risk identification – Company management has performed a process of identifying risks exposures and the most significant of those exposures.
• Risk monitoring – Company monitors all significant risks on a regular basis, with timely and accurate measures of risk.
• Policies and limits – Company has clearly documented policies and limits for risk taking and risk management that are widely understood within the company.
• Risk Treatment – Company has clear programs in place that are regularly used to manage the risks the company takes.
• Limit Compliance – Company has a process in place to see that risk limits and risk-management programs are followed as planned. Exceeding limits has clear, predetermined, and effective consequences.
• Feedback – Company has a loss post-mortem process to determine if its processes need improvement.

Advanced Risk Control Framework

• Risk identification – Company management has performed a process of identifying risks exposures and the most significant of those exposures. This is holistic and done a part of the usual way of doing business.
• Risk monitoring – Company monitors all significant risks as a matter of course
• Policies and limits – Company has clearly documented policies and limits for risk taking and risk management that are widely understood within the company, these are embedded and part of normal routines, they never get challenged and don’t get in the way of the business.
• Risk Treatment – Company has clear and integrated programs in place that are regularly used to manage the risks the company takes.
• Limit Compliance – Company has a process in place to see that risk limits and risk-management programs are followed as planned. Exceeding limits has clear, predetermined, and effective consequences, although in practice risk limits are amolst never challenged.
• Feedback – Company has a loss post-mortem process to determine if its processes need improvement.

Advertisement

Explore posts in the same categories: Control Cycle, Enterprise Risk Management, Risk Management System

Tags: Business, Risk Management

You can comment below, or link to this permanent URL from your own site.