Risk management policy
|Risk management policy|
|Methods and techniques|
Risk management policy is created by organizations (enterprises, public administration, schools and universities) to identify risks, help to reduce them and prevent incidents related to those risks. In case of incidents it should indicate ways of dealing with them and then reviewing them afterwards. The general idea is to continually improve all processes related to risk in order to strengthen the organization.
How to write risk management policy
The policy is usually a document that shows general activities in risk management and links to other documents - procedures, plans, check-lists - which contain detailed information. Therefore writing policy is part of implementation of risk management system.
1. Identify internal and external context of your work.
Describe what kind of work you perform, what people do you meet, what technology do you use, what are the regulations, etc. This will help you in next step.
2. Describe risks related to each element of the context description.
See those examples:
- contact with customers can lead to risk of information leak,
- using internet is an opportunity of hacker attack,
- requirement of having license can lead to problems when it gets outdated.
The risks are not something distant, invented. They are very close to you and you meet them every day. When you begin it's sometimes difficult to understand how easy it is.
3. Analyse all the identified risks.
Think how those risks may occur (causes) and how to prevent them (prevention, treatment). Is it possible to remove the causes? If yes, the risk is no more a problem. Remove risks that cannot happen from the list. But be careful - if in doubts don't remove.
Analyse all the past incidents and think how they were solved. Was the solution effective? How better deal with them in future?
4. Estimate the consequences of the risks.
Try to estimate how identified risks can impact on the organization. The higher the impact, the more important the risk is. Try to assess them in cash.
5. Estimate the likelihood of each risk.
What is the possibility of risk appearance. It is related to causes. Does it happen often or never happened. Use 5-level scale to describe likelihood (1 - almost impossible, 5 - happens many times a year).
6. Develop a treatment plan for all the identified risks.
Prioritize the risks based on likelihood and consequences. Think about your risk management strategy related to each risk. The treatment should be a detailed plan describing what to do to reduce the risk and what to do if the risk occurs. You should be prepared for each risk you identified.
7. Calculate the costs.
There are two types of costs in this step: costs of consequences (see step 4) and costs of preventive actions. You have to pay one way or another. Which do you prefer? It's a part of the strategy.
8. Set up monitoring system.
It is not enough to know the risks. You have to monitor them. Describe triggers which will activate your risk treatment plans. Define what reports should be prepared and how often. Create indicators describing improvements of risk management in the organization.
9. Write a report for top management or other stakeholders.
Describe all your results in more or less sequence presented above. This report is your risk management policy.
10. Train your employees.
In case of risk occurrence there is no time to train, read procedures or ask what to do. Each employee should know how to deal with risks that are typical for his/her workplace.
11. Revisit the policy at least once a year.
Preferably twice a year. Check levels of all indicators, find weak points, add new risks, update procedures.
- ISO 31000 - the ISO standard describes in detail risk management system
- Power, M. (2004). The risk management of everything. The Journal of Risk Finance, 5(3), 58-65.
- Miller, K. D. (1992). A framework for integrated risk management in international business. Journal of international business studies, 23(2), 311-331.
Author: Slawomir Wawak