Risk Management
Overview of Risk Management
What is Risk Management?
Risk Management (RM) is a tool to assist organizations in achieving goals and objectives. The ISO standard defines risk management as "coordinated activities to direct and control an organization with regard to risk" (CAN/CSA – ISO 31000-10, Risk Management – Principles and Guidelines, p. 2). The BC Risk Management Branch expands on this definition by identifying risk management as "efforts to understand and mitigate risk, reduce uncertainty and better meet or exceed goals and objectives" (BC Risk Management Guideline for the BC Public Sector, 2012). Traditionally, risk management has focused on specific categories of risk (silos) and how a particular risk might affect one aspect of organizational health (ASHRM, Risk Management Handbook for Health Care Organization, 5th Edition, p. 2). This approach of looking at risk in isolation, almost always avoids the opportunity to identify and manage risks from a "big picture" perspective.
Enterprise Risk Management (ERM), as distinct from traditional RM, is a structured and disciplined approach to managing risk in the achievement of the organization’s overall goals.
ERM signifies: 1) the management of risk not only in conventional hazard categories, but in the full spectrum of strategic and operational risk; and 2) the adoption of risk management throughout the organization. It is essentially a decision process for managing uncertainties, and gives policy and resource allocation decisions a defensible basis (BC Risk Management Guideline for the BC Public Sector, 2012).
Effective ERM involves a commitment to quality control across all aspects of an organization’s operations, including local, regional and corporate services. It includes consideration of the organization’s particular objectives, context, structure, processes, functions, practices, services and assets. This means ensuring the capacity of the organization to identify, evaluate, reduce, eliminate, transfer, manage or avoid risks in all areas. The capacity includes the knowledge, behaviours and systems to "recover" from a lapse in quality to address actual and potential risks (e.g. claims and complaints) and to make improvements to avoid similar problems in the future.
The advantages of comprehensive and robust ERM include:
- A shared awareness of
- The ability to treat the incidence and impact of the risks that do materialize.
- The likelihood and potential impacts of the risks materializing and
- The extent and categories of risk regarded as acceptable
- The nature and extent of the risks and opportunities faced by the organization
- Concrete reasoning for decisions made before, during, and after risks and opportunities materialize
- Regular review of effectiveness of the risk assessments / treatments
- Appropriate assessment of the cost of risk treatment relative to benefit of managing the risk
- Regular and ongoing monitoring and reporting of risk
There continues to be evolution in the mechanisms and paths through which operational systems, information exchange and the monitoring of risk actually takes place within and between agencies. Considerable effort is now directed toward the design of systems that tie RM to quality improvement as well as with other related functions such as consumer satisfaction, utilization management, quality assurance, worker safety and health, asset protection and crime prevention throughout the organization.
There is no one best way to achieve this improved integration. Solutions will be organization-specific, vary with resources, local circumstances, expertise, unique programs and the philosophy or ethos of the entity. These changes in context and responsibilities showcase the ongoing need to adapt RM and ERM efforts.