The impact of the financial crisis on the investment decisions in the risk management development (Source: adapted from Accenture, 2009).
The financial and economic crisis has increased concern for the development of risk management in recent years. As a result, an appropriate risk terminology, supported by modern and efficient methods and management instruments, was developed. Guides, methodologies and standards have been drawn up with the purpose of formalizing the implementation of risk management as well as its process, organizational structure and objectives.
The guides and standards not only provide information on the process to be adopted in risk management, but also contain advice on how that process should be implemented successfully.
The purpose of the standards is to formalise the risk management process in order to improve its effectiveness, but they do not guarantee it. Once an organisation decides to adopt a standard for risk management, it also has to deal with some practical considerations in order to implement it successfully. These include, but are not limited to, the following: elaborating a plan for risk management implementation, designing an organizational structure for risk management with a greater level of specificity, making risk management part of the enterprise culture, determining all risk categories of the organization, and establishing a set of criteria and indicators that measure risk management effectiveness.
2. Driving forces of integrated risk management
The risk management function has evolved to become a central area of business practice having the objective to identify, analyse and control causes and effects of uncertainty and risks in a company (EIU, 2007).
At present, organizations have come to recognize the importance of managing all risks and their interactions, not just the familiar risks, or the ones that are easy to quantify. Even apparently insignificant risks have the potential, as they interact with other events and conditions, to cause great damage.
The risk literature as well as the press have popularised concepts such as “strategic risk management”, “holistic risk management”, “enterprise risk management” and “integrated risk management” to designate a holistic approach to implementing risk management in an organization. This approach moves away from the “silo” concept, in which the different risks are managed separately, and supports the idea that risk management can create value in the organization.
Financial institutions use the notion “Integrated Risk Management” as a technique whereby all the risks of an open system, such as an organization, are taken into account and, furthermore, an attempt is made to optimize them as part of an all-encompassing approach (Müller, 1999).
We consider that Integrated Risk Management (IRM) is an explicit and systematic approach to managing all risks from an organization-wide perspective. IRM presupposes that the risk management system is integrated into the organisation’s management system. The risk management system should use working instruments, communication channels and specific procedures that are adapted to and correlated with the other components of the organization’s management system.
Hillson (2006) mentions that IRM is a framework for organisational success because it addresses risks across a variety of levels in the organisation, including strategy and tactics, and covering both opportunity and threat.
Organizations have long practised various parts of what has come to be called integrated risk management. Identifying and prioritizing risks, treating risks by transfer, through insurance or other financial products, has also been common practice, as has contingency planning and crisis management. What has changed, beginning with 1999-2000, is treating the vast variety of risks in a holistic manner and elevating risk management to a senior management responsibility. Even if practices have not progressed uniformly within different industries and different organizations, the general evolution toward integrated risk management can be characterized by a number of driving forces.
First of all, there is a greater recognition of the increasing number, the variety, and the interaction of risks facing organizations. Hazard risks have been actively managed for a long time. Financial risks have grown in importance over the past number of years, especially in the last two years. New risks emerge with the changing business environment (e.g., foreign exchange risk with growing globalization, reputation risk with growing electronic commerce, information risks with the advance of technology). More recently, the awareness of operational and strategic risks has increased due to many cases of organizations destroyed by failure of control mechanisms or by insufficient understanding of the dynamics of their business. The accelerating pace of business, globalization, the financial crisis, all contribute to the growing number and complexity of risks and to the greater responsibility for managing risks on an enterprise-wide scale.
Another driving force is the growing tendency to quantify risks. Advances in technology and expertise have made quantification easier, even for the infrequent, unpredictable risks that historically have been difficult to quantify.
Organizations have become quite prepared to share practices and efficiency gains with others with whom they are not direct competitors. This is another important driving force for integrated risk management. Common risk management practices and tools are shared across a wide variety of organizations and across the world. Information sharing has been aided by technology but, perhaps more importantly, by the fact that these practices are transferable across organizations.
Another force is the attitude of organizations toward risk. The defensive posture towards risk is nowadays accompanied by recognition of the opportunistic side and the value-creating potential of risk. While avoidance or minimization remain legitimate strategies for dealing with certain risks, for some organizations at certain times, there is also the opportunity to share, keep, and actively pursue other risks because of confidence in the organization’s special ability to exploit those risks.
Implementation of integrated risk management can produce a number of benefits to the organisation which are not available from the classical risk management system.
In February 2007, the Economist Intelligence Unit interviewed 218 managers around the world about their approach to risk management and about the main challenges and opportunities in this domain. The interviewees come from different industries and geographical regions such as Asia, Australia, North America and Western Europe. Approximately 50% of them represent companies with an annual income of more than 500 million USD; all interviewees have influence over or responsibility for strategic decisions on risk management in their companies, and approximately 65% are top managers or executives.
Asked to identify the most important internal and external drivers for strengthening risk management in their organisation, respondents to the EIU survey ranked first the greater commitment from the board to risk issues and, respectively, the increased focus from regulators. Greater complexity of the value chain, a recent risk event (such as a profit warning, fraud or product recall) and the adoption of an enterprise risk management model are the other important internal drivers.
As regards the key objectives and benefits of risk management the respondents scored one factor above all others: protecting and enhancing reputation. This finding illustrates an important shift in the nature and scope of risk management. A decade ago, it is probable that the most popular answer to this question would have been avoiding financial losses, but today this option appears in a modest fourth place.
Instead, there appears to be a growing consensus that risk management is now expected not just to be a tool to protect the company from loss, but also to play a role in constructing and presenting the right corporate image to clients, partners and others (EIU, 2007).
A number of barriers can also be identified to the implementation of successful risk management frameworks. Despite acknowledging that investment in the risk management function has increased in recent years, respondents cite a lack of time and resources as being the biggest barrier they face. This may well be related to the next responses, which are the difficulty of identifying and assessing emerging risks and lines of responsibility for managing risk not sufficiently clear.
Organizations which intend to implement an integrated risk management system have to treat the implementation as a project in itself that needs clearly defined objectives, success criteria, timescales and adequate resources, as well as monitoring and control during the implementation period. Above all, there should be a strong motivation for the implementation, based on an evaluation of the expected performance of the risk management system.
3. Effectiveness of integrated risk management
Evaluating risk management performance, that is, the extent to which the benefits of using the system can be shown to justify the implementation costs, is difficult. According to McGrew and Billota (2000), performance evaluation is made difficult by several factors. One important factor is that the acts of intervention during a risk management program may alter the outcome in ways we cannot separate and therefore cannot cost out. A second factor is response bias, that is, the tendency of individuals consistently to underestimate or overestimate risk, resulting in interventions that may be ineffective or excessively wasteful. But before establishing the factors that influence integrated risk management performance, it is necessary to clarify the terms in which this performance should be evaluated.
Many authors think that the goal of risk management is to support company development in order to achieve its objectives in the most effective way.
Starting from this approach, it is necessary to explain the notion of risk management “effectiveness”. This is related to the terms efficiency and efficacy, but has a greater range of meanings.
Efficacy, effectiveness and efficiency reveal different aspects of the effect of an intervention. This nomenclature was originally developed in medicine by Cochrane (1972).
Efficiency describes the application of resources to inputs in order to generate outputs with minimal waste. Effectiveness, on the other hand, is not just about the ratio of input to output, but instead relates to the extent to which a measurable result is obtained. In management, effectiveness relates to “getting the right things done”. In the book “The effective executive” (1st edition 1967) Peter Drucker reminds us that effectiveness is an important discipline which “can be learned and must be earned”. Efficiency and effectiveness are often considered synonyms, but they mean different things when applied to process management. Efficiency is doing things right, while effectiveness is doing the right things (enotes.com, 2006).
A third related measure can also be defined, namely efficacy, describing the power to achieve the desired result, measured against defined objectives. Efficacy is the extent to which a measure produces a beneficial effect under ideal conditions, while effectiveness deals with the corresponding extent under everyday circumstances in the field. These concepts constitute a hierarchy. If efficacy lacks, there cannot be any effectiveness, which is a basic requirement for efficiency.
The relationship between efficiency, effectiveness and efficacy becomes clearer if we compare desired and actual outcomes (results) against objectives (Hillson & Murray-Webster, 2005). Efficiency supposes that an efficient outcome is obtained, but without fully meeting the required objectives. Effectiveness represents the situation when application of resources creates a definite result, but the result does not match the requirement. Efficacy appears when the actual outcome largely fulfils the desired objectives.
It is clear that risk management performance should be determined in terms of effectiveness (and efficacy) rather than efficiency, since the main purpose of risk management is to maximize achievement of objectives. Another argument is represented by the difficulties met when quantifying the effects of the risk management process in the organizations, compared with the efforts, generally easy to be measured.
As the EIU study showed (EIU 2007), the lack of financial and time resources and the lack of support from managers are important barriers to implementing an integrated risk management system.
Hence, the current financial crisis has increased interest in investing in risk management implementation within organizations. Thus, in the study “Managing Risk for High Performance in Extraordinary Times”, published in 2009 by Accenture, 31% of those interviewed said that an increase in investment in risk management development is under discussion and 23% said that it will increase in the following 6 months (Table 1).
| Answer | Percent of respondents |
|---|---|
| No real impact | 13% |
| General budget constraints and cost cutting programs may reduce the level of investments in risk management | 15% |
| The increase of the level of investment is currently in discussion | 31% |
| The level of investment to develop risk management capabilities will be increased in the next six months | 23% |
| The level of investment has already been increased | 17% |
Regarding the potential benefits of risk management investments, 48% of those interviewed consider that increased investment in risk management raises profitability and sustainability, 37% consider that capital allocation will improve, and 27% that crises can be anticipated by developing an early warning capacity (Accenture, 2009). The Accenture study is based on responses from more than 250 executives around the world who are involved with their organization’s risk management capability.
On the other hand, the ability to demonstrate the return on investment of the risk management effort is more important than ever, as shown by the survey conducted in 2008 by the Federation of European Risk Management Associations (FERMA) in collaboration with AXA Corporate Solutions and Ernst & Young among 555 respondents representing companies from Europe. The survey revealed continuing progress in managing risk in the majority of European companies.
In conclusion, recent studies have shown that practitioners recognise the necessity of risk management and its contribution to increased profitability. It is also worth mentioning that investments in improving risk management have increased and continue to increase, as specialists have identified the difficulties standing in the way of successful risk management and are looking for means to integrate it effectively in their organizations.
The keys to making this work include an aligned scope, coordinated infrastructure and people, consistent methods and practices.
In this context, the importance assigned to the standards that establish the general framework for implementing an integrated system of risk management is expected to grow.
4. Current trends in risk management standardization
The international community has developed a great number of documents in some way related to the standardization of risk management. These standards cover the general guidance for risk management, the terminology, requirements and tools.
The International Organization for Standardization (ISO), together with the International Electrotechnical Commission (IEC), are the leading organizations in the development of international standards (Avanesov, 2009). Some national standardization bodies and non-governmental organizations have also contributed to the development and use of standardized approaches to risk management. The acknowledged standards for general guidance in risk management are presented in Table 2.
| Issuing body | Standard | Description |
|---|---|---|
| ISO/IEC | ISO 31000:2009 Risk management - Principles and guidelines | ISO 31000:2009 provides principles and generic guidelines on risk management and can be used by any public, private or community enterprise, association, group or individual. This standard is not specific to any industry or sector and is not intended for use as a certification criterion. ISO 31000:2009 has been received as a replacement for the existing standard on risk management, AS/NZS 4360:2004 (in the form of AS/NZS ISO 31000:2009). |
| | ISO/IEC Guide 73:2002 Risk Management - Vocabulary - Guidelines for use in standards | ISO/IEC Guide 73:2002 Risk Management provides standards writers with generic definitions of risk management terms. Its purpose is to contribute towards mutual understanding amongst the members of ISO and IEC rather than provide guidance on risk management practice. It was revised in 2009 together with ISO 31000:2009 Risk management. |
| | ISO/IEC Guide 51:1999 Safety aspects - Guidelines for their inclusion in standards | ISO/IEC Guide 51:1999 refers to any safety aspect related to people, property or the environment, or a combination of one or more of these. The specific approach of this guide provides risk analysis over the complete life cycle of a product or service. |
| IRM/AIRMIC/ALARM, London, UK | Risk Management Standard: 2002 | This Risk Management Standard is the result of work by a team drawn from the major risk management organisations in the UK (IRM, AIRMIC and ALARM), based on the views and opinions of a wide range of other professional bodies with interests in risk management, during a period of consultation. The standard proposes a process by which risk management can be carried out, and it is not intended for use as a certification criterion. |
| AS/NZS | AS/NZS 4360:2004 Risk management | AS/NZS 4360 (1995 first edition, 1999 second edition, 2004 third edition) is a generic guide for risk management, so that it applies to all forms of organizations. The standard specifies the elements of the risk management process and describes how to develop, establish and sustain systematic risk management in an organization. AS/NZS 4360:2004 represents the base for ISO 31000:2009. |
| JSA | JIS Q 2001:2001 Guidelines for development and implementation of risk management system | This Japanese Industrial Standard provides principles and elements for the establishment of a risk management system. These principles and elements are applicable to any type of organization and to any kind of risk. This Standard is not intended for use as a certification criterion. |
| CAN/CSA | CSA Q850:1997 Risk Management Guidelines for Decision Makers | CSA Guideline CAN/CSA-Q850 is intended to assist decision-makers in effectively managing all types of risk issues, including injury or damage to health, property, the environment, or something else of value. |
| BSI | PD 6668:2000, Managing Risk for Corporate Governance | PD 6668:2000, elaborated by the British Standards Institute, provides the risk factors of corporate governance requirements and describes how an organization can implement an effective risk management system. |
| | BS 31100:2008 Code of practice for risk management | As a code of practice, this British Standard takes the form of guidance and recommendations. BS 31100:2008 has been drafted to be consistent with the general guidance on risk management given by ISO 31000 (in preparation at that moment). |
| | BS 6079-3 Project Management - Part 3: Guide to the management of business related project risk | This standard gives guidance on the identification and control of business related risks encountered when undertaking projects. It is applicable to a wide spectrum of project organizations operating in the industrial, commercial and public or voluntary sectors. It is written for project sponsors and project managers, either or both of whom are almost always responsible to higher levels of authority for one or more projects of various types and sizes. This standard offers generic guidance only and it is not suitable for certification or contractual purposes. It is not intended as a substitute for specific standards that address risk assessment in distinct applications, such as health and safety, or areas of technological risk. |
| ON | ON Rule series on "Risk management for organisations and systems" | The ON Rule series on risk management represents an ensemble of complex guides with different objectives. These guides refer to the terms and basics (ONR 49000), risk management (ONR 49001), guidelines for embedding in the management system (ONR 49002-1), methodologies for risk assessment (ONR 49002-2), crisis and business continuity management (ONR 49002-3) and the requirements for qualification of the risk manager (ONR 49003). The present ONR is essentially in line with ISO 31000 "Risk management - Principles and guidelines". |
The standards in Table 2 are not exclusively focused on the management of certain categories of risks, but offer the most complete and complex approach to business risks because of their general character. The choice is also motivated by the possibility of applying them inside organizations in both the public and the private sector, in business or project management, and by the worldwide dissemination of the information they contain.
Besides the standards mentioned in Table 2, which refer directly to risk management, organizations have at their disposal a great number of standards related to risk management for different aspects of their activity. Among these are the ISO 9000 series for quality management (especially the most recent one, ISO 9004:2009 Managing for the sustained success of an organization - A quality management approach), the ISO 27000 series for information security management, and the standards that refer to health and safety (OHSAS 18000). Indirectly, all standards applicable to the activity of an organization are related to a certain risk type.
In recent years, organizations have faced a high number of risks and standards arising from different spheres (safety, IT, market, etc.) and from the internal or external business environment, which make their management process harder (see fig. 1).
Nikonov & Kogan (2009) consider that, although organizations manage different risk categories, the structure of risk management is the same everywhere and a single standard can contribute to decreasing the risk of “too many risk standards”.
In order to eliminate the redundancy generated by the great number of standards, representatives of European risk management associations have disputed the need for an ISO standard since the idea was proposed over 10 years ago. Instead, they have promoted the idea of guidelines which are, in ISO terminology, less acute than standards. In the meantime, varieties of standards or standard-like documents (guide, framework, etc.) have been developed to address specific risk management areas and received wide acceptance.
In Europe, a guide appeared in 2002 under the name Risk Management Standard, produced by a team of specialists from the major risk management organizations in the United Kingdom: The Institute of Risk Management - IRM, The Association of Insurance and Risk Managers – AIRMIC and The National Forum for Risk Management in the Public Sector - ALARM. This standard is also the result of collaboration with many other specialists from different domains interested in risk management, during a long period of consultation and exchange of opinions. The Federation of European Risk Management Associations (FERMA) has adopted the Risk Management Standard published in the United Kingdom in 2002. Versions of this pan-European standard of best practice in risk management are available free to risk managers in several languages.
The terminology which Risk Management Standard uses is the one defined by the International Organization for Standardization (ISO) in the document Guide 73 Risk Management - Vocabulary - Guidelines for use in standards worked out in 2002.
Risk Management Standard is not intended only for corporations and public organizations; it can be used in any type of activity, long or short term. It endorses the idea that benefits and opportunities should be seen not only in the context of the activity itself, but also in relation to the multitude and variety of stakeholders involved. It is increasingly recognised that risk management is concerned with both the positive and the negative aspects of risk. The standard considers risk from two perspectives: opportunities and threats.
This standard does not aim to offer prescribed solutions or to establish a certification process. By using it, organizations will have an instrument with which they can measure the degree to which the risk management framework is implemented and functions.
In the approach of IRM/AIRMIC/ALARM, risk management is seen as a central part of strategic management in each organization. It is the process by which organizations address the risks associated with their own activities, with the objective of obtaining benefits from each individual activity, but also from all the activities in the portfolio.
According to this standard, the focus of efficient risk management is on identifying and treating these risks. Its objective is to add value to all activities inside the company. This leads to an understanding of the positive and negative factors which affect the organization, increases the probability of success and decreases both the probability of failure and the uncertainty regarding the fulfilment of the company.
Risk Management Standard endorses the idea that risk management should be a continuous and continuously developing process, in accordance with the strategy of the organization. It should take into consideration all risks which could affect the activities of the organization, based on past experience, on present events and on estimates regarding the future.
The risks inside an organization can be generated by both internal and external factors, but close attention must be paid to the fact that many specific risks can result from internal and external sources at the same time. Furthermore, it is recommended that these be classified into strategic, financial, operational and hazard risks.
This standard is the only one which directly endorses the necessity of developing and supporting the human and company’s knowledge base.
At national level, Australia and New Zealand became leaders in risk management with AS/NZS 4360:1999 Risk Management, which represents the most complete approach to and description of a risk management framework that can be applied in different areas and for a variety of risks. Because of its general character and its almost boundless possibilities of application, this standard established itself as one of the most quoted and applied publications in both the private and the public sector.
In 2004, a revision of the Australian standard was published, together with a guide for implementation (HB 436, Risk Management Guidelines—Companion to AS/NZS 4360:2004) and a series of handbooks for the various domains in which risk management is applied.
Some of the changes from the 1999 edition include greater importance of embedding risk management practices in the organization’s culture and processes and greater emphasis on the management of potential gains as well as potential losses.
The Australian and New Zealand standard was the model on which a draft of the ISO 31000 standard for risk management was elaborated and released for consultation in 2007 under the name Risk management — Guidelines on principles and implementation of risk management. The ISO 31000 standard did not materialize without some controversy. Only a month after the draft was released for consultation, FERMA, which had expressed support for the 2002 version of the IRM/AIRMIC/ALARM standard, issued a position paper named ISO Risk Management Standard Not Needed.
FERMA mentioned that an ISO standard would be too flexible for such an ample discipline as risk management, which is complex and varied in application. It also considered a disadvantage the substantial internal and external resources needed to implement and maintain the standard, which may have a serious effect on competitiveness, and considerable additional paperwork, without commensurate benefits.
In November 2009, the International Organization for Standardization published the new management standard intended to help organizations of all types and sizes manage risk across the enterprise, under the title ISO 31000:2009, Risk Management - Principles and Guidelines. In parallel, ISO published Guide 73:2009, Risk management – Vocabulary, which completes ISO 31000 by furnishing a set of terms and definitions in the domain.
ISO 31000 was produced by a team of experts from Australia and New Zealand who were involved in elaborating the standard AS/NZS 4360:2004, which was accepted and appreciated in numerous organizations around the world. For these reasons, the differences between the two standards are minor and come down to the following:
ISO 31000 makes explicit the principles of effective management, in AS/NZS 4360:2004 these were only really implicit;
ISO 31000 gives some aspirational goals for enterprise risk management in terms of a set of attributes in an annex;
ISO 31000 provides a lot more guidance on how risk management should sit within an organisational framework to be effective and how that framework can be created, maintained and improved.
Expected both by the business environment and by the specialists in the domain and theoreticians, the appearance of the standard produced numerous comments and modifications of the terminology or of the existing working documents.
Following the publication of ISO 31000 in 2009, a new document, “A Structured Approach to Enterprise Risk Management (ERM) and the Requirements of ISO 31000”, has been produced by AIRMIC, ALARM and IRM, which provides up-to-date guidance on the implementation of ERM in the context of the new ISO standard. IRM has also decided to retain its support for the original risk management standard because it outlines a practical and systematic approach to the management of risk and directly meets the needs of many smaller organisations worldwide, being free to download and available in 15 languages.
The new guide published by the three organizations adopts both the risk definition and the stages of the risk management process from ISO Guide 73:2009 and from ISO 31000:2009.
The definition set out in ISO Guide 73 is that risk is the “effect of uncertainty on objectives”. Guide 73 also states that an effect may be positive, negative or a deviation from the expected, and that risk is often described by an event, a change in circumstances or a consequence.
As regards the stages of the risk management process, the document “A Structured Approach to Enterprise Risk Management (ERM) and the Requirements of ISO 31000” recognizes and supports the structure proposed by the ISO 31000 guide and also found in AS/NZS 4360:2004 (see fig. 3).
Compared with the 2002 version of the standard elaborated by IRM/AIRMIC/ALARM, the new risk management application scheme is simpler. Its important points are that it begins with establishing the context, and that monitoring and review, as well as communication and consultation with the stakeholders involved, are part of each stage of the process.
The advantage of the new document elaborated by AIRMIC/ALARM/IRM is that it explains from a practical point of view how the ISO 31000 standard can be applied effectively in order to implement a structured approach to risk management in an organization.
The ISO 31000 standard recommends that organizations and enterprises develop and implement a risk management framework that is integrated into their general management system and constantly improved. The standard is a concrete document which aims to support public and private organizations in developing their own risk management approach. ISO Guide 73 completes this approach, supplying the common terminology needed to avoid misunderstandings between organizations in this context. Although they are not intended for certification, the two ISO standards have attracted the attention of the business environment and of experts around the world, who are looking for approaches and success factors for implementing new risk management systems or adapting existing ones in accordance with ISO 31000:2009.
5. Key success factors for implementation of risk management standards in organization
The implementation of a risk management framework brings various benefits to organisations. In the approach of IRM, AIRMIC and ALARM (2002), risk management protects and adds value to the organization and to its stakeholders, supporting the organization’s objectives by:
providing an organizational environment which allows activities to be carried out in a substantial and controlled manner;
improving decision making, planning and prioritisation through a complete and structured understanding of the business activities, the volatility and project opportunities/threats;
contributing to an efficient allocation of the capital and organization’s resources;
reducing the volatility in the unimportant areas of the business;
protecting and improving the values and the image of the company;
optimizing the operational efficiency.
Peter L. Bernstein, author of the book “Against the Gods: The Remarkable Story of Risk” (1996), considers that risk management is necessary and useful, but not an absolute guarantee of organisational success. He warns of the limitations of risk management and the possibility of increasing risk instead of managing it. In periods of stability, Bernstein suggests, we come to assume that stability is the natural order of things and forget about stock market crashes, hyperinflation, and massive price changes. If we do not expect things to happen, we do not build them into our risk management processes. Although there were no signs of a financial crisis when the book was published, his statements were confirmed when the crisis began. Finally, Bernstein warns that the sense of security that comes from having a risk management process in place may lead us to take risks we should not take.
Similarly, the implementation of a risk management standard brings benefits to the organization, but it can also fail if a series of principles is not respected or if a series of key success elements is ignored.
Foremost among the benefits are an improved image and better public relations, together with greater trust in the organisation on the part of stakeholders and clients.
Generally, the risk management standards combine the best elements from the existing guides and methodologies in the domain and ensure flexibility and adaptability to the multiple aspects covered by risk management. In risk management, standards are preferred to laws since they require a consensus of all interested parties and do not represent just one point of view. Once a risk management standard is implemented in the organisation, all parties will be able to speak a common language and communicate more effectively. More specifically, an ISO standard is seen as an appropriate tool to formalize the process and to harmonize over 60 existing standards dealing directly and indirectly with risks of any type (FERMA, 2007). It could also be a framework to help develop risk awareness and education. Finally, with a standard, the risk management profession could be perceived as more structured, and gain credibility and recognition versus other concurrent functions.
There are some principles and better practices that can be applied to ensure the success of risk management.
The risk literature (Dembo & Freeman, 1998) discusses a number of critical success factors which have the potential to influence risk management effectiveness. Critical success factors for successful implementation of an effective risk management program include: gaining executive support, integrating risk management into the decision-making process, demonstrating value to the organization by creating efficiencies in procedures and controls, and creating a common risk language. Although these factors refer to the implementation of a risk management system in general rather than to the adoption of a standard, we can affirm that the differences between the two situations are minor.
Fundamental to the implementation of risk management standards is a clear understanding of what these standards are, what they require, and what it means to adopt them. Failing this, organisations are unable to set concrete implementation targets or to measure progress in reaching those targets.
Risk management must be institutionalized, integrated and aligned with the operating model of the business. Effective integrated risk management departs from the fragmented and compartmentalized solutions already in place at many companies. It offers a holistic view of the enterprise, enabling the identification and understanding of a variety of risks, and then feeds that understanding into the growth engine of the company. Risk management exists to support, not suppress, the entrepreneurial spirit of a company. If inadequate coordination exists between risk management and performance management, executives may be improperly compensated for the risk/return outcomes of their decisions.
Companies that are more competent in managing risk have a higher frequency of risk reporting to different stakeholders. They are also more likely to have standardized risk reporting procedures.
Support and leadership from executive management is a success factor mentioned by all risk management standards. A frequent reason for not implementing a risk management framework is lack of support from executive management. The management team’s lack of interest in implementing an integrated risk management system stems from the difficulty of measuring its performance, that is, the extent to which it can be shown that the benefits of using the system justify the implementation costs. The only domain in which indices for measuring risk management performance can be used is that of disaster and security risks. The Risk Management Index, RMI, brings together a group of indicators related to the risk management performance of a country regarding disaster risk. These reflect the organizational, development, capacity and institutional action taken to reduce vulnerability and losses, to prepare for crisis and to recover efficiently. In business or in projects, risk management performance can be measured only by the effectiveness of the intervention strategies used.
The background and experience of the risk manager also influence the success of risk management. The application of international standards requires certain levels of capacity (appropriately qualified individuals), which depends on the availability of opportunities for relevant and adequate education, training and experience.
The quality of information and data is also critically important. Effective risk management depends on the information provided. An effective response to any particular kind of risk depends on rapidly and consistently gathering, aggregating and making sense of information from different sources. Management needs the right information, in the right granularity, at the right moment to assess risks and take action.
Most experts (Hillson, 1997, Artto & Hawk, 1999) agree that one of the most significant critical success factors influencing effective risk management implementation is the one most often lacking, an appropriate and mature risk culture.
This is also borne out by the survey carried out by the EIU in 2007. Asked “Which element do you consider to be the most important to the success of the risk management in your organization?”, the respondents ranked first a strong culture and awareness of risk within the organization, followed by a well-defined attitude towards risk and by well-defined risk monitoring systems and processes (Fig. 4).
Closely bound up with the risk culture within the organization is the involvement of employees in the functioning of the risk management system. Implementing an integrated risk management system presupposes that, besides those directly responsible for risk management activities (usually employees of the risk management department), all other employees of the organization become involved in identifying the risks at their workplaces. Because risks are generated by events that will occur in the future, identifying them is hard and often requires foresight and imagination. In practice, in addition to the specific duties and responsibilities of their jobs, employees have to take part in risk identification activities. This increases the number of their tasks, which may lead to reports that are inaccurate or lacking in content. If employees are persuaded to engage responsibly in such activities, risk management effectiveness will grow. One motivating factor could be the contribution that risk management knowledge makes to their career development. It has been found that more and more teenagers are interested in obtaining knowledge and certification in risk management, considering this a competitive advantage on the labour market. Under these conditions, if firms invest more in training when implementing or developing a risk management system, then staff involvement in the effective functioning of the system can be expected to grow.
Another key success factor is adapting the organization to the risk management standard by correlating it with the other standards adopted within the organization. As Nikonov & Kogan (2009) pointed out, the existence of a great number of standards could complicate the activity of an organization. Generally, the firms which adopt a risk management standard are certified in quality management and/or in information security management. In most cases these standards are implemented at different times and with the help of different consulting firms or accreditation and certification companies, without careful planning of time and resources. Lack of human and financial resources is a significant impediment to the implementation of risk management standards. Cost-benefit considerations may constrain investments to support the implementation of standards, at least in the short to medium term. Mobilizing the necessary resources on a sustainable, long-term basis is a major challenge. A solution is to establish and follow an implementation plan backed by executive management, to involve the people in the firm who know the status of the standards already implemented, and to use, as far as possible, the same consultant (or certification firm, where applicable).
Understanding the organisation, its culture, and the morale and attitude of its staff will help the consultants to estimate the goal of the risk management system that they will develop.
To bring its existing risk management system into line with a risk management standard, an organization should go through the following steps:
adopting a new model for the risk and risk management;
analysing the existing risk management framework in order to see to what extent it contains the elements needed for the new model;
evaluating the risk management maturity in order to identify the necessary changes and improvements;
developing a strategy for implementing the necessary changes and for sustaining effective risk management, and estimating the budget required;
implementing the strategy and, if possible, validating the implementation of the standard through certification or audit.
Concern for ensuring an effective risk management system should not end at the moment of implementation. Once implemented, the risk management system must be continuously improved. It is therefore advisable to periodically create historical records in which the status of the identified risks is evaluated at a given moment. In this way the actual situation can be compared with the estimated one: how large the estimated risk impact was compared with the actual one, what effect the applied treatment measures had, how many of the identified risks materialised, and how many risks materialised without being anticipated. Based on these comparisons, proposals for improving risk management will be made. ISO 31000:2009 mentions the importance of recording the risk management process because records provide the foundation for improvement in methods and tools, as well as in the overall process.
At the same time, the risk management system must be continuously updated to reflect the changes and revisions of the standard, because the standard is updated regularly to keep up with recent developments and with the lessons learnt from major events such as ecological, economic or financial crises.
The research report “Managing risk in perilous times. Practical steps to accelerate recovery”, written by the EIU in 2009, examines the lessons that have been learnt from the current financial crisis. The report proposes some practical lessons that could help to address perceived weaknesses and improve effectiveness in risk management. Although the research is primarily directed at financial institutions, it also highlights ways in which these lessons could apply to other industries. According to the EIU report, the financial crisis has demonstrated that some institutions have found it difficult to identify and aggregate risks at a firm-wide level. In the traditional approach, risks are treated in isolation and there is no clear, overall picture of the interaction between them. This problem may be addressed by a firm-wide approach to risk, that is, integrated risk management. Equally important is the need to implement standardised definitions to identify and manage risk, which should facilitate communication and sharing of information across business lines and geographical boundaries.
The need for standardization in risk management is justified by the efforts made during the last few years to develop and introduce integrated risk management frameworks inside organizations. The financial crisis has underscored the fact that significant improvements in risk management organizations and capabilities are required. The business community and the experts recognize that risk management standards have an important role in improving the effectiveness of integrated risk management. At the same time, the great number of standards directly and indirectly related to risk management is perceived as an obstacle to increasing effectiveness. In this context, the creation of an ISO standard for general guidance in risk management, although not intended for use as a certification criterion (like the majority of risk management standards), is seen as an appropriate tool to formalize the process and to harmonize best practices at international level. The latest surveys show that practitioners are turning towards standardised approaches and are investing more in developing risk management capabilities. By implementing this standard, organizations are able to evaluate their own risk management practices against an internationally recognised reference that offers rigorous principles for effective management. Business executives will be positioned to assess their company’s risk management process against a standard, strengthen the process and move their enterprise toward established goals.
At the organisational level, risk management standards enhance transparency. They identify weaknesses that may contribute to vulnerability, promote market efficiency and discipline. The scope and application of such standards need to be assessed in the context of an organisation’s overall development strategy and tailored to individual organisation circumstances.
Several interrelated key success factors for the successful implementation of risk management standards were identified. A successful implementation requires support and leadership from executive management, a strong culture of risk management within the organisation, resource and time planning, correlation of the risk management standard with other standards during the implementation process, and continuous improvement and updating in line with the latest developments.