I have been reviewing a 2009 document from the UK Treasury department: Risk Management assessment framework: a tool for departments. While it is designed for government agencies, I like a number of things about it:
· It is based on seven high-level questions in three categories:
  1. Leadership: do senior management and Ministers support and promote risk management?
  2. Are people equipped and supported to manage risk well?
  3. Is there a clear risk strategy and risk policies?
  4. Are there effective arrangements for managing risks with partners?
  5. Do the organisation’s processes incorporate effective risk management?
  Risk Handling:
  6. Are risks handled well?
  7. Does risk management contribute to achieving outcomes?
· A maturity model approach is taken for rating each of the seven areas
· More detailed questions suggest areas that can be reviewed for each of the seven areas
The approach is similar in concept to my proposal, which had eight questions. The more significant differences are:
· While both sets of questions address framework and process (what I call risk culture, policy, process, and controls), the UK framework asks (in the last two questions) for an assessment of the results – the effectiveness of the risk management program. Many people believe it is not possible to measure the effectiveness of risk management, because you can’t tell what would have happened if a risk had not been managed. I generally prefer to assess the adequacy of the process rather than try to evaluate the results – but I will look for evidence of failures, as they are strong indicators that the process is deficient
· My suggested questions break down the risk management process further, asking individual questions about each major aspect
· The UK document singles out partners, or the extended enterprise, for consideration
· My proposal has a question about effectiveness
I think some combination of the two that has no more than ten questions and uses a maturity model for evaluation would be great. One area I know both need enhancing is the independence of the risk management function, so that operating management are not able to interfere with the ability of top management and the board to obtain a complete and accurate picture of the organization’s risks.
I would appreciate your views.