Introduction to IRM’s risk management standard
This Risk Management Standard is the result of work by a team drawn from the major risk management organizations in the UK, including the Institute of Risk Management (IRM).
In addition, the team sought the views and opinions of a wide range of other professional bodies with interests in risk management, during an extensive period of consultation.
Risk management is a rapidly developing discipline and there are many and varied views and descriptions of what risk management involves, how it should be conducted and what it is for.
Some form of standard is needed to ensure that there is an agreed:
- Terminology for the words used
- Process by which risk management can be carried out
- Organisation structure for risk management
- Objective of risk management
Importantly, the standard recognizes that risk has both an upside and a downside. Risk management is not just something for corporations or public organizations, but for any activity whether short or long-term. The benefits and opportunities should be viewed not just in the context of the activity itself but in relation to the many and varied stakeholders who can be affected.
There are many ways of achieving the objectives of risk management and it would be impossible to try to set them all out in a single document. Therefore it was never intended to produce a prescriptive standard which would have led to a box-ticking approach nor to establish a certifiable process.
By meeting the various component parts of this standard, albeit in different ways, organizations will be in a position to report that they are in compliance. The standard represents best practices against which organizations can measure themselves.
The standard has wherever possible used the terminology for risk set out by the International Organization for Standardization (ISO) in its recent document ISO/IEC Guide 73 Risk Management – Vocabulary – Guidelines for use in standards.
In view of the rapid developments in this area, the authors would appreciate feedback from organizations as they put the standard into use (addresses to be found on the back cover of this Guide). It is intended that regular modifications will be made to the standard in light of best practices.
What is Risk?
Risk can be defined as the combination of the probability of an event and its consequences (ISO/IEC Guide 73). In all types of undertaking, there is the potential for events and consequences that constitute opportunities for benefit (upside) or threats to success (downside). Risk management is increasingly recognized as being concerned with both positive and negative aspects of risk. Therefore this standard considers risk from both perspectives. In the safety field, it is generally recognized that consequences are only negative and therefore the management of safety risk is focused on the prevention and mitigation of harm.
What is Risk Management?
Risk management is a central part of any organization’s strategic management. It is the process whereby organizations methodically address the risks attached to their activities with the goal of achieving sustained benefits within each activity and across the portfolio of all activities.
The focus of good risk management is the identification and treatment of these risks. Its objective is to add maximum sustainable value to all the activities of the organization. It marshals the understanding of the potential upside and downside of all those factors which can affect the organization.
It increases the probability of success and reduces both the probability of failure and the uncertainty of achieving the organization’s overall objectives. Risk management should be a continuous and developing process that runs throughout the organization’s strategy and the implementation of that strategy. It should methodically address all the risks surrounding the organization’s activities: past, present and, in particular, future.
It must be integrated into the culture of the organization with an effective policy and a program led by the most senior management. It must translate the strategy into tactical and operational objectives, assigning responsibility throughout the organization with each manager and employee responsible for the management of risk as part of their job description. It supports accountability, performance measurement, and reward, thus promoting operational efficiency at all levels.