This article is an overview of the recommended approach for risk management in business planning. It is written in a compact style for experienced risk specialists. For unit managers, each step is explained much more fully in plain English, with examples and models.
The overview submitted for your evaluation includes comparisons with common risk management conventions, and references to the ISO 31000:2009 family.
The recommendations in the tutorial series are specifically drawn from experience in the Australian public sector. There are links to SA/NZS HB 436:2013 Risk Management Guidelines—Companion to AS/NZS ISO 31000:2009. The Australian Commonwealth Risk Management Policy is also mentioned.
Another influence has been the Study Guide for the IIA’s Certificate in Risk Management Assurance (CRMA). Like ISO 31000 and the Commonwealth Risk Management Policy, the CRMA Study Guide allows for flexibility in risk process details. It always puts substance and effect before form and process.
Risk in work unit business planning and ERM
The recommended risk management process is specifically for annual business planning by work units within large organisations. It is an application of the general risk management process described on LinkedIn.
It is not a process, or a framework, for Enterprise Risk Management.
Clear Lines on Audit and Risk will cover ways of using unit-level risk management in Enterprise Risk Management, Real Soon Now. There is a straightforward way to do that. If you’re really interested in the topic right now, you might want to make a start on the series Discrete risk management processes within an organisation.
The tutorial series for unit managers will cover the basic concept in its recommendations for risk management in (large) units that contain other (smaller) units.
Overview of the recommended approach
The concept of risk is drawn directly from the ISO 31000 family. Risk is understood as the effect of uncertainty on objectives. (ISO Guide 73 1.1, referenced by ISO 31000 and consistent with the Australian Commonwealth Risk Management Policy.)
The process is all about achieving assurance on meeting objectives, and taking actions where outcomes are not assured to meet objectives. That is the way in which it fulfils Principle A from ISO 31000: Risk management creates and protects value (Section 3). It assumes that risk management is driven by the assurance demands of stakeholders and the boss, and not by process compliance.
It is not about following prescribed steps or filling out documentation. It produces appropriate documentation artefacts supporting assurance, decisions, and actions – mainly because without the artefacts, assurance cannot be shared. Documents are never an end in themselves.
The recommended process for a work unit manages risk to that unit’s annual objectives. It does not rely on risk management activity elsewhere in the organisation. (If this idea is new, or slightly uncomfortable, you might like to dip into the series on Discrete risk management processes within an organisation.)
‘Framework’ (ISO 31000 Section 4)
There is nothing in the series about risk ‘frameworks’ as they are described in ISO 31000 Section 4. Risk management frameworks are the domain of risk specialists like yourself. If there is a framework in your organisation, it may or may not have led to the risk component of unit business planning.
If you have standard risk scales and templates and think that they are the main content of your ‘framework’, that might work for you, but the ISO 31000 concept of a ‘framework’ is entirely different.
The recommended approach to risk in unit business planning is at the level of a risk management process (ISO 31000 Section 5), and is not a framework (Section 4).
Establishing the context (ISO 31000 5.3)
The recommended risk management process emphasises the objectives that may be affected by uncertainty (ISO 31000 5.3.1, and the corresponding HB 436 subsections on objectives). The relevant objectives are those of the work unit within a large organisation, covering a planning period of (for example) one year. This concept of ‘objectives’ matches the usual conception of an annual business plan.
This approach to setting objectives excludes strategic objectives for the whole enterprise. It also excludes narrow thematic objectives that are normally handled in other specialised frameworks such as fraud risk management, health and safety, and business continuity.
Those exclusions greatly clarify and simplify risk management within business planning.
Because the process is all about risk, there is specific attention to the potential for unintended harms to arise from the work unit’s activities. Objectives to avoid or minimise those harms are identified and included in the same way as the objectives for delivering benefits (such as revenue), managing costs (value), and maintaining ongoing capability for the organisation.
Standardised and imposed scales for consequence, likelihood, and level of risk are decisively rejected, in line with ISO 31000 Principle G Risk management is tailored. If you have a standardised scale for all of the work units in your organisation, it is clearly not tailored for each of them, and will not measure the effects of uncertainty on each of their objectives.
Instead, ‘consequence criteria’ (ISO 31000 5.3.5) are developed directly from the identified work unit’s particular objectives. The emphasis is clearly on the organisation’s objectives for the unit, not the aspirations of unit members. For each objective, the unit manager identifies a spread of desired and undesired outcomes. The desirable and undesirable outcomes are understood as positions the work unit might reach at the end of the planning year. The spread of outcomes for each objective is then used as the measure of consequence, for risk analysis purposes.
The process of developing the consequence criteria as possible outcomes is detailed and painstaking. Subsequent risk identification and analysis will be very much easier and more rewarding than if the hard work had not been put into defining the possible outcomes.
The recommended methods for finding the objectives and for setting up the consequence criteria follow the advice in HB 436 (5.3.5, parts 1 and 2 and ‘Mineright’ in Appendix C.2). They are therefore consistent with ISO 31000. There are differences at the level of examples and process detail, which you may want to consider.
First, the examples in HB 436 concern a whole enterprise, rather than a work unit within the enterprise. The tutorial method is for work units.
Secondly, the HB 436 examples of ‘consequence’ describe enterprise setbacks and boosts of short or undefined duration. The tutorial method insists that the consequences are understood as differences in outcome as at a specific future date. In particular, consequences are understood as unplanned positions reached at the end of the planning year.
Lastly, the HB 436 examples for consequence scales have a symmetrical spread of ‘consequence levels’ better and worse than the planned or expected outcome. To risk nerds, that is a highly stimulating idea. For the intended audience of middle managers, it is judged to be unnecessary and implausible. The tutorial method allows for outcomes to be better than planned. To that extent it recognises ‘positive risk’ like ISO 31000 and HB 436. It also recognises (implicitly) that work units are typically more concerned to limit the potential for disappointment and disaster, as are their stakeholders.
Other risk criteria
‘Likelihood criteria’ and ‘level of risk’ criteria are given much less attention than consequences (ISO 31000 5.3.5; HB 436 5.3.5 Parts 3 to 5). Likelihood is understood directly as a percentage or long-term frequency, with no classification or scale. ‘Level of risk’ is also understood directly, as the prospect of a defined unintended year-end outcome qualified by the likelihood of that outcome being reached. For example, this sentence represents a level of risk:
5% likelihood that the unit will have been responsible for a privacy incident that cripples the organisation’s credibility for multiple future years.
For business planning, that pairing of outcome and likelihood, in raw text form as above, is considered sufficient to distinguish acceptable and unacceptable risk. There is no other use for a ‘level of risk’ within the process.
Typical look-up tables for ‘level of risk’ are not recommended in the way they are suggested in HB 436 (only in Appendix C2.5; there is no mention of it in ISO 31000 or in the main text). Clear Lines regards the typical use of look-up tables for ‘level of risk’ as only partly valid at best, and as unhelpful to real-world management of risk by managers.
If there is no lookup table, there is no need for a scale of likelihoods. Unit managers are not expected to read theoretical arguments on this point, but they are fair game for you as a risk specialist – please don’t hesitate to respond with disagreements.
Context details such as ‘external’ and ‘internal’ context (ISO 31000 5.3.2 and 5.3.3, also 5.3.4 and 5.3.6) are skipped, on the basis that those ‘contexts’ are already familiar and captured through business planning itself. Managers are reminded about the importance of stakeholders, at critical moments.
Risk assessment (ISO 31000 5.4.2)
The recommended use of risk registers is conventional. There is an insistence that risk descriptions show clearly how a specific year-end outcome might be reached through the effects of uncertainty (HB 436 2.4 How risks should be described). Each assessed risk in the register is a scenario that includes the response and recovery actions that would follow an unplanned event.
The recommended method for risk identification is based on finding pathways leading to each potential unplanned outcome. In other words, the primary search for effects on objectives looks back from the affected objective, up-stream toward possible events, mistaken assumptions, and hazards. ‘Forward’ hazard-based risk identification and risk breakdown structures are also recommended, as complementary completeness checks.
‘Uncertainty’ is understood to include events that may or may not occur. ‘Uncertainty’ is also intended to include assumptions that may or may not be correct. These two branches of uncertainty make a simplified picture of ‘uncertainty’ as used in ISO 31000, particularly ISO Guide 73 1.1, Note 5: ‘Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.’ The meaning is not exactly the same, but close.
The work on objectives and consequence criteria early in the process means that there is no specific need for ‘risk categories’. In the world of Clear Lines, ‘risk categories’ are an attempt to fill the space that remains when objectives and stakeholder perspectives are not given enough attention.
Risk analysis (ISO 31000 5.4.3)
The recommendation for risk analysis includes explicit recognition of established controls, and then attaching a likelihood to the risk’s path to an unplanned year-end outcome. Those potential outcomes are already set out for each objective. The particular outcome linked to a risk may be already known from the risk identification, but may be revised at any time. The likelihood for a risk is the likelihood of the linked outcome being reached as a result of that risk (HB 436, 2.1 The level of risk is expressed as the likelihood that particular consequences will be experienced…). This likelihood may be much lower than the likelihood of an event mentioned in the risk, in the common case that an imagined event might have a range of possible consequences.
Risk evaluation (ISO 31000 5.4.4)
The recommendation assumes that risks are evaluated judgementally by the unit manager and the management hierarchy above, each level of management having regard to stakeholder expectations. Evaluation concludes that the current untreated (or later, treated) risk is acceptable, unacceptable, or needs referral to a higher management level for decision. There is no need to assume that a Board is involved. The recommended process does not refer to formal risk appetite or tolerances, but there is a recommendation that any applicable authoritative risk acceptance criteria are respected.
Risks can be classified as acceptable or unacceptable at the individual risk level, or at the level of overall likelihood of a particular defined outcome.
Risk treatment (ISO 31000 5.5)
The recommended approach to risk treatment follows the usual concepts based on avoiding, taking, changing, or sharing the risk. Change is achieved through controls that alter the likelihood that the identified consequential outcome will be reached from the described risk scenario. In familiar terms, either the event likelihood is changed or the link between the event and the consequence outcome is changed.
It is emphasised that improving the expectation on one objective (e.g. one of the benefit-maximising objectives) nearly always involves worsening expectations on another (e.g. one of the cost-minimising objectives).
The method understands an ‘improvement’ to be an increase in the likelihood of a good outcome, or a decrease in the likelihood of a bad outcome. The outcomes are all set out in advance, spread out from most to least desirable. As the likelihoods of the particular outcomes move up or down, the planned or forecast outcome – that is, the particular outcome currently considered the most likely – can shift through the range of defined outcomes.
Managers are reminded that selecting a risk treatment is meaningful only if the treatment is actually implemented and maintained over the period. That consideration may lead to adding risk treatments as strategies or activities within the original business plan. It will always lead to accountability and monitoring for controls and risk treatments.
Risk Based Outcomes Forecast
In this risk management process, likelihoods can be assessed for individual risks, as usual. Likelihoods can also be assessed for a specific outcome regardless of cause. The total likelihood of a defined outcome should equal the sum of the likelihoods of the risks that have that outcome as a consequence (provided the risk scenarios describe distinct paths to the outcome, rather than overlapping ones). The total likelihood for each defined outcome can also be estimated directly. Reconciling the two figures may be highly productive in pushing the overall risk assessment toward reality.
A table of customised outcomes with a total likelihood for each outcome can be called a risk based outcomes forecast, supporting confidence or concern around the achievement of the business plan. As such it can be revised continuously through the year, as the basis of regular ‘boss’ conversations around past and future unit performance.
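The two likelihood ideas above (in the Risk analysis section, that the likelihood of a risk is the likelihood of its linked outcome, not of its event; and here, that per-risk likelihoods should reconcile with a direct estimate for each outcome) can be shown as a small working model. The following is an added example, not code from the tutorial series or from Clear Lines; the objective, the three outcomes, the register entries and the manager’s direct estimates are all constructed for illustration. The 5% figure for the ‘crippling’ privacy outcome is chosen to match the sample level-of-risk sentence earlier in the article. Summing per-risk likelihoods assumes the scenarios describe distinct paths to an outcome, so the forecast refuses a register whose unplanned totals exceed 100%.

```python
"""Risk-based outcomes forecast: per-risk likelihoods reconciled with per-outcome estimates.

Added illustration only. Objective, outcomes, register entries and direct
estimates below are constructed, not drawn from any real unit or register.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Outcome:
    """One position the unit might reach at year end, for one objective.

    rank orders the defined spread: 0 is the planned outcome, higher is worse.
    """
    objective: str
    description: str
    rank: int


@dataclass(frozen=True)
class Risk:
    """A register entry: a path from an uncertain event to one unplanned outcome.

    link_likelihood is P(outcome | event) with established controls in place.
    """
    name: str
    event: str
    outcome: Outcome
    event_likelihood: float
    link_likelihood: float

    @property
    def likelihood(self) -> float:
        # Level of risk = likelihood that THIS outcome is reached via this scenario.
        # It is lower than the event likelihood whenever the link is uncertain.
        return self.event_likelihood * self.link_likelihood


def outcome_totals(register: list[Risk]) -> dict[Outcome, float]:
    """Bottom-up total likelihood per outcome, summed across register entries."""
    totals: dict[Outcome, float] = defaultdict(float)
    for risk in register:
        totals[risk.outcome] += risk.likelihood
    return dict(totals)


def forecast(outcomes: list[Outcome], register: list[Risk]) -> dict[Outcome, float]:
    """Risk-based outcomes forecast: the planned outcome (rank 0) takes the residual."""
    totals = outcome_totals(register)
    unplanned = sum(totals.get(o, 0.0) for o in outcomes if o.rank != 0)
    if unplanned > 1.0:
        # Scenarios overlap (not distinct paths) or likelihoods are inflated; the
        # register must be revisited before a forecast means anything.
        raise ValueError(f"unplanned outcomes sum to {unplanned:.0%}, exceeding 100%")
    return {o: (1.0 - unplanned if o.rank == 0 else totals.get(o, 0.0)) for o in outcomes}


def most_likely(table: dict[Outcome, float]) -> Outcome:
    """The outcome currently forecast: the one with the highest total likelihood."""
    return max(table, key=table.__getitem__)


def reconcile(register: list[Risk], direct: dict[Outcome, float],
              tolerance: float = 0.02) -> list[tuple[Outcome, float, float]]:
    """Compare bottom-up totals with the manager's direct per-outcome estimates.

    Returns (outcome, bottom_up, direct) for each outcome that disagrees by more
    than the tolerance; those are the conversations worth having.
    """
    totals = outcome_totals(register)
    return [(o, totals.get(o, 0.0), est) for o, est in direct.items()
            if abs(totals.get(o, 0.0) - est) > tolerance]


def with_treatment(register: list[Risk], name: str, link_likelihood: float) -> list[Risk]:
    """Model a treatment that weakens the event-to-outcome link of one risk."""
    return [replace(r, link_likelihood=link_likelihood) if r.name == name else r
            for r in register]


# --- constructed sample data (hypothetical unit, hypothetical register) ---
OBJ = "No privacy incident attributable to the unit during the planning year"
PLANNED = Outcome(OBJ, "No reportable privacy incident", 0)
MINOR = Outcome(OBJ, "Reportable incident, contained within the year", 1)
CRIPPLING = Outcome(OBJ, "Incident cripples the organisation's credibility for multiple years", 2)
OUTCOMES = [PLANNED, MINOR, CRIPPLING]

# One event (the misdirected spreadsheet) appears twice because it has a range of
# possible consequences; each row carries only the likelihood of ITS outcome.
REGISTER = [
    Risk("R1", "Unpatched public web app exposes customer records", CRIPPLING, 0.20, 0.15),  # 3%
    Risk("R2", "Client spreadsheet emailed to wrong recipient", MINOR, 0.50, 0.40),          # 20%
    Risk("R3", "Client spreadsheet emailed to wrong recipient", CRIPPLING, 0.50, 0.04),      # 2%
]
DIRECT_ESTIMATES = {MINOR: 0.20, CRIPPLING: 0.10}  # manager's gut figure for CRIPPLING is 10%

if __name__ == "__main__":
    table = forecast(OUTCOMES, REGISTER)
    for outcome, p in table.items():
        print(f"{p:6.1%}  {outcome.description}")
    print("forecast:", most_likely(table).description)
    for outcome, bottom_up, est in reconcile(REGISTER, DIRECT_ESTIMATES):
        print(f"reconcile: {outcome.description}: register {bottom_up:.0%} vs direct {est:.0%}")
```

Running it prints a three-row outcomes table (75% planned, 20% minor, 5% crippling), names the planned outcome as the current forecast, and flags the crippling outcome because the register’s 5% disagrees with the manager’s direct 10%; the gap is the cue to look for a missing risk or an inflated estimate. `with_treatment` lets a proposed control be tried against the table before it is written into the plan.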
In the recommended approach, business planning and risk are closely connected at the beginning of the year and remain connected through to performance review when the year is over. As ISO 31000 says, risk management is part of decision making (Section 3, Principle C).
Risk in work unit business planning: Comparison with typical corporate prescriptions (drill-down article)