Chapter 9: Risk Management Flashcards
Organisational Risk Management
What is the definition of risk?
Effect of uncertainty on objectives
Organisational Risk Management
What are the four key risk categories?
- Operational
- Corporate
- Portfolio
- Strategic
Organisational Risk Management
What are the five steps and two ongoing processes in Our Risk Management process?
Steps:
1) Establish Context
2) Identify Risk
3) Analyse Risk Impact
4) Evaluate Risk
5) Take Action
Ongoing processes:
1) Communicate and consult
2) Monitor and review
Organisational Risk Management
The Risk Management Process
Ongoing process: Communicate and Consult
Tell me about it
Communicate and consult throughout all stages of the risk management process.
Regular communication and consultation helps ensure:
- stakeholders' interests are considered
- your logic, thinking and judgement are checked
- support is created for future management of risks.
Organisational Risk Management
The Risk Management Process
Step 1: Establish Context
Tell me about it
Establishing context helps us see the wider picture.
We need to understand the:
Internal context: Things within Police that influence how we manage risk:
- objectives
- policies and processes
- resources
- knowledge and skill levels
External context: Things outside of Police:
- social environment
- cultural environment
- political environment
- legal environment
- relationships with stakeholders
Organisational Risk Management
The Risk Management Process
Step 2: Identify Risk
Tell me about it
We must identify a risk to be able to manage it and to prevent harm.
We are all responsible for identifying risks in our areas of responsibility. This can be done through standard processes like planning, debriefs, lessons learnt, or audits, or it could be ad hoc when you are carrying out your role.
Record risks in a way that can be used by yourself and others.
An unrecorded risk is as dangerous as an unidentified risk.
Organisational Risk Management
The Risk Management Process
Step 3: Analyse Risk
Tell me about it
Analysing risk involves working out two things:
1) level of risk
2) controls in place
Level of risk:
is determined using the Risk Matrix. It’s a table with ‘Consequence’ on top and ‘Likelihood’ on the side.
Depending on how likely something is to happen, and how serious it will be if/when it does, the matrix spits out a risk score.
Controls in place:
What controls are in place and how effective are they?
Are these controls likely to reduce the risk occurring or the consequences if it does occur?
Controls could include policies, SOPs, training, supervision, IT systems and more.
Risk rating = likelihood x consequence
Organisational Risk Management
The Risk Management Process
Step 4: Evaluate
Tell me about it
After we know the risks and the controls in place, we must consider how comfortable we are with it and what action should be taken.
We could:
- Act
- Monitor
- Accept
- Acknowledge that effective management is achieved
You may need to escalate the risk to your manager or governance group if the risk can’t be managed with your level of authority or resources.
Organisational Risk Management
The Risk Management Process
Step 5: Take Action
Tell me about it
After risk evaluation, if we find that the existing controls are NOT managing a risk to an acceptable level of comfort, the risk owner or governance group must ACT or MONITOR the risk.
To do this, they prioritise a treatment or future action.
Treatments and/or future actions should be prioritised based on:
- level of risk
- assurance in the proposed treatments
- cost/benefits
- an ongoing assessment of our internal and external context.
Note:
Each District, group, sub-group/team, portfolio, programme or project/product is responsible for managing its own risk, or escalating those it cannot manage on its own.
The risk owner must monitor and review their decisions (act/monitor/accept/achieved) as often as is appropriate.
Organisational Risk Management
The Risk Management Process
Ongoing process: Monitor and Review
Tell me about it
Whatever we’ve decided after a risk evaluation (act, monitor, accept, achieved) the risk owner must monitor and review this decision as often as is appropriate for the level of risk and assurance we have.
Organisational Risk Management
Active Risk Management
What are the three lines of defence for managing risk?
1st line: all Police personnel
2nd line: management processes and controls
3rd line: internal audit and assurances