Risk Framework

Risk Management applies equally across an organisation's key functional risk categories, which comprise:

  • Strategic (Board) – long term (e.g. 25 years), external focus
  • Enterprise (Executive Management) – medium/long term (5 – 10 years), internal
  • Operational (Management) – medium term (3 – 5 years), internal
  • Project Risk – medium to short term (length of Project)

Periscope’s I.R.I.S software provides the essential elements needed to coherently manage Risk across an organisation. IRIS allows the different risk categories to be managed individually at the different organisational levels and areas, yet it still allows coherent risk management and reporting because of its capability to link records.


Key organisational areas that feed into the strategy include:

  • HR/ OHS
  • Financial
  • IT
  • Asset management
  • EMS


Often, we find that rather than contributing to the overall strategy, these areas become silos. This is often not their fault: their local culture does not help them to communicate effectively.


Contributors to cultural silos include:

  • Legislation
  • Regulation
  • Codes of Practice
  • Internal reporting
  • The language (lingo – way we do things around here) within each Discipline

Once each risk category has been documented, the next step is to implement and report on risk controls.

Risk controls (or Action Tasks) are the common denominator of an Integrated Risk Management system. Unfortunately they are often overlooked because they do not work well in spreadsheets (nor in project management software, for that matter).

I.R.I.S presumes that the Task owner has the requisite knowledge, skills and experience to action the Task.

The impact of controls on the Risk varies from one control to another; common categories include:

  • Critical – dramatically impacts
  • Significant – substantial impact
  • Important – recognised impact
  • Routine – marginal impact
  • Minor – kidding yourself

The significance of a control's impact is based on confidence, i.e. confidence that the overall internal control rating is effective, acceptable or inadequate.

Risk controls need to be actively managed with Tasks. Tasks tell the user:

  • What (the Task Description)
  • Who (Task Owner)
  • When (Due Date(s))
  • Where (Site/Project Area, Discipline, Risk Category)
  • Why (links to relevant risks, documents and related material)


We will now explore typical examples of each of the Risk Categories:

  • Strategic (Board) – long term (e.g. 25 years), external focus
  • Enterprise (Executive Management) – medium/long term (5 – 10 years), internal
  • Operational (Management) – medium term (3 – 5 years), internal
  • Project Risk – medium to short term (length of Project)

Strategic (Board) – long term (e.g. 25 years), external focus

Strategic Objectives – often there are about 3 – 10 Strategic Objectives.

For each Strategic Objective there may be 5 or so Strategic Risks.


Key Strategic Consequence Categories that are commonly applied, regardless of the Functional Risk Category, include:

  • Reputation – e.g. Prolonged National Media Exposure
  • Occupational Health and Safety – e.g. Multiple deaths
  • Environment – e.g. Prolonged irreversible damage


Strategic Risk Framework

Strategic Risks routinely comprise:

  • Financial – e.g. $50 M
  • Regulatory and Compliance – e.g. Jail