Every step takes you closer to confidence in delivering on the plan, and getting credit for your unit.
If you’ve been through the steps, you will have seen that each one has a clear assurance purpose. The end of the journey is confidence based on knowing the answers to questions that would otherwise highlight doubt.
After taking the steps to confidence, you will be ready to look the boss in the eye over the business plan.
The steps in this guide are designed so that your risk work lines up with what’s important to you, your boss, and your organisation.
The steps begin with understanding the specific organisational objectives for your unit (jump to those steps). The guide builds the whole concept of ‘risk’ around the uncertainty that those objectives will be achieved. That’s what ‘risk’ is. (This understanding of ‘risk’ is in both the International Standard ISO 31000 and COSO Enterprise Risk Management. Some common practices pull in other directions.)
You can take all the steps in self-protection, without any support from the boss.
If you and the boss cannot discuss what matters to the organisation, you can apply the steps based on what you need to protect your own position. In doing that you will also be protecting the organisation as well as the circumstances allow.
This process can be followed by units at multiple levels, all at once.
If you are the manager of a large organisational unit that includes smaller work units, the total effort can be spread across those units, with you steering all of it. Some work still has to be done centrally. Parts of that central work can also be delegated, under your perspective and leadership.
The central work includes integrating the result of distributed risk assessment, to create a well-informed single view of risk at your own level.
You can take all of these steps without any corporate support or guidance from risk specialists.
The point of this how-to guide is to give you everything you need.
The steps here are all you need to do to meet published standards for risk management, such as ISO 31000, to the extent that they apply at work unit level.
There are some areas where you may run into differences with risk specialists or corporate expectations.
Risk for work unit business planning is much simpler than risk management in general (jump to this point). That is a good reason for a difference. Your risk work in business planning does not replace the thematic and strategic risk work that any organisation needs.
If you happen to be the manager of the cybersecurity unit in your organisation, you will probably end up with two risk processes, one for your unit’s business plan, and one for organisational cybersecurity. You may also contribute to other classes of risk work, perhaps Divisional or strategic in scope. There are many Clear Lines on discrete risk processes within an enterprise.
There are two other likely sources of difference between your risk work and what risk specialists have to say. The reasons behind those may be less well founded.
- The organisation may drive risk management as a prescribed process – going through motions – rather than shaping the assurance demand to drive it.
- The organisation or its risk specialists may focus exclusively on Enterprise Risk Management.
As a result of one or both strategies, your organisation may have given you detailed how-to instructions for risk management, different from these Clear Lines on Audit and Risk. Those instructions may be general recommendations, which would be fine. But they might be detailed process rules about feeding systems and templates, which might be just as good, or not. Either way, the organisation should not prevent you from generating confidence in your business plan, following the steps in this guide, and if necessary putting aside corporate systems. (More on how to deal with corporate expectations.)
You will be way ahead of typical corporate ‘risk management’.
Your unit will be well ahead of most large organisations on integration of risk management with decision making (Principle C from the International Standard ISO 31000, Section 2).
New to this: This series assumes you have no prior knowledge. It does not use technical terms without explaining them first.