|References on this page are to ISO31000:2009, not yet to ISO31000:2018.|
This page compares the manager how-to guide for risk in business planning with common risk management concepts. The page is organised along the lines of the ISO 31000 family.
There is a different page that compares the guide with typical corporate prescriptions for risk management.
The guide recommendations are specifically drawn from experience in the Australian public sector. There are links to SA/NZS HB 436:2013 Risk Management Guidelines—Companion to AS/NZS ISO 31000:2009 and some to the Australian Commonwealth Risk Management Policy.
Risk in work unit business planning helps ERM.
The process covered by the how-to guide is specifically for annual business planning by work units within large organisations. It is an application of the general risk management process described on LinkedIn (requires LinkedIn membership).
It is not a process, or a framework, for Enterprise Risk Management (jump to some details).
Clear Lines on Audit and Risk has covered ways of using unit-level risk management in Enterprise Risk Management, within the topic Centralised or de-centralised risk management in your enterprise?
The how-to guide has steps for managers of large work units that contain smaller units. Those steps include integrating the risk work up, down, and across within the hierarchy.
The Clear Lines on Audit and Risk draws their whole view of risk directly from the ISO 31000 family. Risk is the effect of uncertainty on objectives. (ISO Guide 73 1.1, referenced by ISO 31000 and consistent with the Australian Commonwealth Risk Management Policy.) Another series of Clear Lines unpicks risk definitions at length.
The Clear Lines on Audit and Risk support ‘risk management’ when it is done for the right reasons.
Risk management is all about achieving assurance on meeting objectives, and taking actions where there isn’t enough assurance. That is the way in which it fulfils Principle A from ISO 31000: Risk management creates and protects value (Section 2). It assumes that risk management is driven by the assurance demands of stakeholders and the boss, and not by process compliance (direct link to details).
It is not about following prescribed steps or creating paperwork. It produces evidence supporting assurance, decisions, and actions (direct link to details). The main reason is that sharing assurance requires shareable records. Records are never an end in themselves. This assurance is a here-and-now you-and-me picture of the end result of effective risk management, as set out in Attachment A to ISO 31000. An official summary of Attachment A is the organisation understands its risks and … [those risks] … are within its criteria. [HB 436 188.8.131.52] (more on this point).
Using the steps in the how-to guide, the manager manages risk to the work unit’s annual objectives. Unit managers do not need risk leaders from elsewhere in the organisation.
If this idea is new, or slightly uncomfortable, you might like to dip into the series on Discrete risk management processes within an enterprise.
‘Framework’ (ISO 31000 Section 4)
The how-to guide does not mention risk ‘frameworks’ as they are described in ISO 31000 Section 4. Risk management frameworks are the domain of risk specialists like yourself. If there is a framework in your organisation, it may or may not have led to the risk component of unit business planning.
If you have standard risk scales and templates and think that they are the main content of your ‘framework’, that might work be working for you, or perhaps against you. The ISO 31000 concept of a ‘framework’ is entirely different.
The how-to guide for managers is at the level of a risk management process (ISO 31000 Section 5), and is not a framework (Section 4).
Establishing the context (ISO 31000 5.3)
The how-to guide emphasises the objectives that may be affected by uncertainty (ISO 31000 5.3.1, HB 436 184.108.40.206 through 220.127.116.11). The objectives that matter are those of the work unit within a large organisation, covering a year. These objectives match the usual idea of an annual business plan (direct link to details).
By approaching objectives this way, the unit manager does not need to take on setting strategic objectives for the whole enterprise. The unit manager can also set aside narrow thematic objectives. Thematic objectives are normally handled in other specialised frameworks, and often by specialised people. Common examples are fraud risk management, health and safety, and business continuity.
Leaving out those very big classes of risk makes the business plan risk clear and simple for the manager.
The method pays specific attention to the potential for unintended harms to arise from the work unit’s activities. In developing work unit objectives, the manager includes objectives to avoid or minimise those harms. Those objectives are developed and used in the same way as objectives to deliver benefits, minimise costs, and sustain capability.
The manager does not use standardised or imposed scales for consequence, likelihood, and level of risk. ISO 31000 Principle G says that Risk management is tailored. If you have a standardised scale for all of the work units in your organisation, the standardised scale is clearly not tailored for each of them, and will not measure the effects of uncertainty on each of their objectives. The guide does not simply replace your organisation’s scale with a different scale. It shows the manager how to implement Principle G through their own tailoring.
Instead of starting with a standard scale, the manager develops ‘consequence criteria’ (ISO 31000 5.3.5) directly from the work unit’s particular objectives. These are the organisation’s objectives for the unit, not the aspirations of unit members. For each objective, the unit manager identifies the range of desired and undesired outcomes. The desirable and undesirable outcomes are understood as points the work unit might reach at the end of the planning year. The manager then uses the potential outcomes for each objective as the measure of consequence.
The how-to guide takes the manager through the process of developing the consequence criteria as possible outcomes. That way, the manager will find risk identification and analysis easier and more rewarding than if the hard work had not been put into definition of outcomes.
The methods follow the advice in HB 436 (5.3.5, parts 1 and 2 and Appendix C.2). They are therefore consistent with ISO 31000.
There are differences at the level of examples and process detail, which you may want to consider.
First, the examples in HB 436 concern a whole enterprise, rather than a work unit within the enterprise. The blog method is for work units.
Secondly, the HB 436 examples of ‘consequence’ describe enterprise setbacks and boosts of short or undefined duration. The method recommended by the blog insists that the consequences are understood as differences in outcome as at a specific future date. In particular, consequences are understood as unplanned positions reached at the end of the planning year.
Lastly, the HB 436 examples for consequence scales have a symmetrical spread of ‘consequence levels’ better and worse than the planned or expected outcome. To risk nerds, that is a highly stimulating idea. For the intended audience of middle managers, it is judged to be unnecessary and implausible. The blog method allows for outcomes to be better than planned. To that extent it recognises ‘positive risk’ like ISO 31000 and HB 436. It also recognises (implicitly) that work units are typically more concerned to limit the potential for disappointment and disaster, as are their stakeholders.
Other risk criteria
The how-to guide for unit managers gives much less attention to ‘likelihood criteria’ and to ‘level of risk’ than to consequences (ISO 31000 5.3.5; HB 436 5.3.5 Parts 3 to 5). Likelihood is explained simply as a percentage or long-term frequency. The guide does not suggest a scale for likelihood.
Neither does the guide put ‘level of risk’ on a scale. It suggests that the manager simply looks at the unintended year-end outcome, and the likelihood of that outcome being reached. For example, this sentence represents a level of risk:
5% likelihood that the unit will have been responsible for a privacy incident that cripples the organisation’s credibility for multiple future years.
The guide assumes that such a pairing of outcome with likelihood, in raw text, is enough for the manager to separate acceptable and unacceptable risk. If the manager isn’t sure, the boss decides. The question can be escalated again if necessary.
An unacceptable risk leads to a response action at the right level. Nobody needs scales to do that. The process does not need or use any other version of ‘level of risk’.
Typical look-up tables for ‘level of risk’ are not recommended in the way they are suggested in HB 436. (HB 436 shows one only in Appendix C2.5; there is no mention of such a thing in ISO 31000 or in the main text of HB 436). The Clear Lines on Audit and Risk regard the typical use of look-up tables for ‘level of risk’ as only partly valid at best, and as unhelpful to real-world management of risk by managers.
If there is no lookup table, there is no need for a scale of likelihoods. Unit managers are not expected to read theoretical arguments on this point, but those arguments are fair game for you as a risk specialist – please don’t hesitate to respond with disagreements (reply box below).
The guide skips context details such as ‘external’ and ‘internal’ context (ISO 31000 5.3.2 and 5.3.3, also 5.3.4 and 5.3.6), on the basis that those ‘contexts’ are already familiar and understood through business planning itself. Managers are reminded about the importance of stakeholders, at critical moments.
Risk assessment (ISO 31000 5.4.2)
The guide recommends conventional risk registers. It asks managers to describe each risk in a way that clearly shows how a specific year-end outcome might be reached through the effects of uncertainty (HB 436 2.4 How risks should be described). Managers assess each risk as a scenario that includes any recovery and response actions that would be taken in response to an unplanned event.
The guide for managers shows three systematic pathways to identifying risks. The first pathway is by looking at the potential outcomes for the work unit, other than the planned outcomes. In other words, managers search for effects on objectives by looking back from the affected objective, up-stream toward possible events, mistaken assumptions, and hazards. Managers also work forward from hazards and events toward potential effects on outcomes. The guide suggests further sources for risk identification. Those will be familiar to risk specialists.
The how-to guide explains ‘uncertainty’ to include events that may or may not occur. The guide version of ‘uncertainty’ also includes assumptions that may or may not be correct. These two branches of uncertainty make a simplified picture of ‘uncertainty’ as used in ISO 31000, particularly ISO Guide 73 1.1, Note 5: Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood. The meaning is not exactly the same, but close.
The work on objectives and consequence criteria makes ‘risk categories’ unnecessary. In Clear Lines on Audit and Risk, ‘risk categories’ are an attempt to fill the space that remains when objectives and stakeholder perspectives are not given enough attention.
Risk analysis (ISO 31000 5.4.3)
Managers are prompted to recognise established controls explicitly first. Only then does the manager consider the likelihood of the risk resulting in an unplanned year-end outcome. The manager has already set out potential unplanned outcomes for each objective. The manager may already know the particular outcome linked to a risk, but may revise that relationship at any time. The likelihood for ‘a risk’ is the likelihood of the linked outcome being reached, as a result of that risk (HB 436, 2.1 The level of risk is expressed as the likelihood that particular consequences will be experienced…). In the common case that an imagined event might have a range of possible consequences, that likelihood may be much lower than the likelihood of the risk event. The likelihood assessment also takes into account any actions that would be taken after it is known that an event has occurred, or after it is known that an assumption is invalid.
In bow-tie analysis, the likelihood may be assessed for the major event in the centre, not for the further consequences flowing out on the right (nice YouTube on Bow Tie). That’s a useful interpretation for bow-ties, but not for risk in business planning around unit objectives. The quote from HB 436 (paragraph above) would have been intended for Enterprise Risk Management.
Risk evaluation (ISO 31000 5.4.4)
Evaluation is the comparison of assessed risk with acceptable risk. In the how-to guide, risk is evaluated at the unplanned outcome level, rather than at the level of individual risks. Managers classify the overall likelihood of a defined outcome as acceptable or not. Individual risks are not acceptable or unacceptable in themselves, but contribute to the likelihood of an outcome, which may be acceptable or not.
In line with the point about level of risk (above), the manager evaluates risk judgementally. If the manager can’t do that, they refer the evaluation to the management hierarchy above.
Each level of management will have regard to total stakeholder expectations. If they don’t have any such regard, they are already acting irresponsibly, and a bit of risk work isn’t going to change much.
The risk evaluation concludes that the current untreated (or later, treated) risk is acceptable, unacceptable, or needs referral to the next higher management level. There is no need to assume that a board is involved. The how-to guide for managers does not cover formal risk appetite or tolerances, but it recommends that managers respect any authoritative risk acceptance criteria that may have been set for work units.
Risk treatment (ISO 31000 5.5)
The manager guide recommends the usual classes of risk treatment based on avoiding, taking, changing, or sharing the risk. At macro level, managers change the risk profile by changing strategies. At the micro level, they change the risk profile by implementing or removing controls.
The effect of a control is to alter the likelihood that the identified consequential outcome will be reached. The control changes the likelihood of the event, or changes the link between the event and the outcome that might follow.
The guide explains that improving the expectation on one objective nearly always involves worsening expectations on another. If the manager does something to improve the expectation of achieving specific benefits (maybe revenue), there may be a detrimental effect on the expectations for minimising costs, or on some other objective. These trade-offs are familiar in management, even before uncertainty is considered. They also apply when uncertainty and unpredictable outcomes are taken into account.
The method understands an ‘improvement’ to be an increase in the likelihood of a good outcome, or a decrease in the likelihood of a bad outcome. The outcomes are all set out in advance, spread out from most to least desirable. As the likelihoods of the outcomes move up or down, the planned or forecast outcome – that is, the particular outcome currently considered the most likely – can shift through the range of defined outcomes.
The guide reminds managers that selecting a risk treatment is meaningful only if the treatment is actually implemented and maintained over the period. As a result, managers may add risk treatments to the original business plan, as strategies or activities. Managers are also reminded to establish accountability and monitoring for controls and risk treatments.
Risk Based Outcomes Forecast
Managers assess likelihoods for individual risks, as usual. The how-to guide also includes a step to assess likelihood for a specific outcome. The outcome likelihood can be assessed regardless of cause, or by taking all potential causes (individual risks) into account.
The total likelihood of a defined outcome should equal the total of the likelihoods of risks that have that outcome as a consequence. The total likelihood of each defined outcome can also be estimated directly. The reconciliation of the likelihood estimates may be highly productive in pushing the overall risk assessment toward reality.
A table of customised outcomes with a total likelihood for each of outcome can be called a risk-based outcomes forecast, supporting confidence or concern around the achievement of the business plan. The manager can revise it continuously through the year, and use it for regular ‘boss’ conversations around past and future unit performance.
In this way, business planning and risk are closely connected at the beginning of the year, and remain connected all the way through to performance review when the year is over. As ISO 31000 says, risk management is part of decision making (Section 3, Principle C).