
Quality management and risk management

Anonymous

In our consulting work and in seminars on the Balanced Scorecard, we have received requests to include the topic of risk management. Although it is mandatory for any public or private organization, it is especially critical for organizations in the government sector, which are obliged to include this element in their control systems as well as in their strategic planning and operational plans.

Dr. Kaplan, in his book Strategy Maps, includes a section dedicated to the topic from the perspective of Internal Processes, pointing out, among other things, the importance of reducing the cost associated with financial distress, reducing the risk for stakeholders and, of course, reducing the cost of monitoring. A company must manage financial risk as well as operational risk and technological risk. Many companies already include risk management as one of the objectives of their Balanced Scorecard. Many countries have even created specific laws to compel government institutions to include risk management in their management practices.

Since 1999 there has been an Australian standard on risk management, AS/NZS 4360:1999, that some companies have used to implement this topic. The standard is intended to provide a generic guide for establishing and implementing the risk management process, which involves the identification, analysis, evaluation, treatment and communication of risks, as well as risk monitoring.

Risk management has been recognized as an integral part of good management practices, hence the importance of establishing a series of definitions that clarify the different aspects of this methodology. The standard has 32 definitions. One of the things it recommends is to consider one of the techniques used in continuous improvement processes, Failure Mode and Effects Analysis (FMEA): a procedure by which the potential failure modes in a process or system are analyzed.

The standard establishes the need for an organizational risk management policy and support mechanism in order to provide a structure for carrying out the risk management program, which is similar to what is established in the ISO 9000:2000 quality standards or the ISO 14000:2004 environmental standards.

People who have experience in implementing ISO management systems will find similar requirements; in fact, the standard reads like a harmonization with those standards. Even the rest of the structure is quite similar, in topics such as:

1. Planning and resources

1.1 Management commitment

1.2 Responsibility and authority

1.3 Resources

These aspects are similar to those of the standards mentioned above, so they are not worth expanding on here.

2 Implementation program

The standard contains an appendix that establishes 6 steps for implementing an effective risk management system within an organization. The steps indicated are the following:

Step 1: Need to have the support of senior management

Step 2: Development of an organizational policy

Step 3: Communicate the policy defined in point 2

Step 4: Manage risks at the organizational level

Step 5: Manage risks at the program level, project and

Step 6: Monitor and review

Although the standard allows certain steps to be combined or omitted, it is advisable to analyze all of the suggested ones. In future articles we will expand on these six steps.

As in other management standards, a review by the top executive of the organization is established, to ensure that an evaluation of the risk management system is carried out together with the rest of the elements that are established.

Some of the elements that stand out in the standard are:

a) Establish the strategic, organizational and risk management context in which the rest of the process will take place.

Here the most important aspect is related to the need to establish criteria against which risks will be evaluated.

b) Identify what, why and how risks can arise.

c) Determine the existing controls and analyze risks in terms of consequences and probabilities. This is the point where the FMEA technique is applied, with which the potential risks are evaluated.

Another aspect to highlight is that, in addition to evaluating the risks, it is important to establish what treatment they will be given, through a risk management plan.

To define the basic parameters within which risks must be managed, an essential element is to establish the context, which comprises:

1. The strategic context

It derives from the definition of the SWOT analysis (Strengths, Opportunities, Weaknesses, Threats) of the organization in its relationship with the “stakeholders” or interested parties.

2. The organizational context

It is more closely related to the strategic plan, and in our understanding it forms a single context with the previous point, as we consider it within the Balanced Scorecard methodology.

3. The risk management context

It treats risk management as a process, and raises the need to define the scope and limits of an application of the risk management process, define the project or activity, and establish its goals and objectives. It is necessary to define the extent of the project, as well as the scope and breadth of the risk management activities to be carried out. This is something like establishing a procedure or an action plan.

Identification of risks

The identification of risks proposed by the standard is none other than the application of the FMEA methodology (AMEF, by its Spanish acronym) and a series of other suggested techniques, many of them used in Kaizen continuous improvement processes, in statistical techniques and in the application of statistical process control. Some analysis techniques are described in the ISO 10017 standard, which can be obtained from the entity responsible for issuing standards in your country. Some of them are described in our article "Tools for Continuous Improvement".

Because any decision implies the need to consider sporadic but severe risks, it may require security measures that are not necessarily justifiable on strictly economic grounds. This is valid when there is a risk to people or the environment.

The negative impact of risks should be reduced as much as is reasonable. If the level of risk is high but could result in excellent business opportunities, acceptance of the risk should be based on an evaluation of the costs of its treatment and the costs of rectifying the potential consequences versus the opportunities that could arise from taking the risk. A cost-benefit analysis is recommended in these cases. A good recommendation is to combine options to reduce the likelihood of risks, reduce their consequences, and transfer or retain some residual risks.

The standard sets out how to establish treatment plans and recommends documenting how the selected options should be implemented, identifying responsibilities, the program, the expected results, the budget, performance measures and the review process.

It establishes that the plan should include a mechanism to evaluate the implementation of the options against performance criteria, individual responsibilities and other objectives, and to monitor the critical points of implementation.
