The coordination of the risk management process should be centralized: the risk office analyses and draws up information related to each process phase, and proceeds with strategic planning, in coordination with the organization’s board.

The risk committee, with the risk manager playing the role of coordinator, sets up the criteria to select the most relevant information coming from the risk management information system (selective approach). Significant risks in terms of impact or strategic level are reported by the office supporting the risk manager on a regular, specific and exceptional basis. The risk manager gives directions on translating strategies into risk management objectives, and monitors their achievement by divisions/offices and managers within their own competence. The risk manager therefore finalizes the information received, by adapting it to the organizational context (down to any single office level), in order to correct possible deviations from strategic priorities.

Risk register development involves detailing organizational risks (corporate as well as project and operational ones), and setting up specific risk registers on particular topics (work health and safety, fraud, IT security, environment, etc.).

Three kinds of approach can be followed for involving management and stakeholders in identifying risks:

  • Top-down approach: the decision-making process is centralized at governance level. This approach can show two modes: a) Full top-down mode, where the business units’ risks are listed at department level, meaning that heads of unit cannot add risks themselves at unit level. There is no need for risk escalation, except at departmental level. b) Prevailing top-down mode, where a corporate risk register is directly created from a detailed operational risk register.
  • Bottom-up approach: the decision-making process is done at management level. Operational risks are identified by any staff member while performing his or her daily work (e.g., in order to encourage the staff to be more active in defining non-conformities, an opportunity to register them online has been provided).
  • Mixed approach: the board entity states the criteria (top-down) by which the heads of unit identify and manage risks (bottom-up). Risks may be viewed and assessed throughout the organization at any level (e.g., group, program, office, project, etc.). In order to set the framework, the hierarchy of risks on which attention is focused corresponds to the enterprise, operational and project levels.

Such approaches are not mutually exclusive, and a combination of approaches to the management of processes is desirable to achieve effective integration of risk management at any level within the organization.

These risk management approaches are also a way of cutting across the organizational hierarchy and overcoming organizational barriers.

The figure below outlines the risk management process according to the top-down perspective; it also highlights the information flows related to decision-making processes, according to the different roles involved.

 

Figure 2: risk management according to the mixed (top-down and bottom-up) approach

Source: Adapted from Australian Bureau of Statistics, risk management framework

 

In order to identify risks, the adoption of a suitable tool or method is needed. Two of the most commonly used methods are as follows:

  • Commissioning a risk review: A designated team (either in-house or from outside) considers all the operations and activities related to the organization’s objectives, and identifies the associated risks. Such a team should conduct interviews with key staff at all organizational levels, in order to build a risk profile for the whole range of activities. (However, it is important for this approach not to undermine line management’s awareness of their own responsibilities in managing the risks that are relevant to their objectives.)
  • Risk self-assessment: Each level and part of the organization is invited to review its activities, and to contribute its diagnosis for the risks it faces. This may be done through paper documentation (with a framework for such a diagnosis set out through questionnaires), but is often more effectively conducted through a workshop approach, with facilitators helping groups of staff to work out the risks affecting their objectives. A particular strength of this approach is that ownership of risk is better established when the owners themselves identify the risks.

 

QUESTION MARK BOX

Q. With reference to the approach adopted, please detail the methodology being used while specifying roles, accountabilities and connections to the different process phases:

R. The process starts by engaging all Directors to respond to a risk questionnaire, to identify the top three/five risks from a divisional program perspective. For this purpose program-level risk registers were reviewed and approved by their respective Field Planning Boards, to ensure consistency in the understanding and relative importance of the risks identified at the divisional or program level. The results of this exercise are presented to the top-management board, who then provides its own perspective on the corporate risks facing the organization.

Source: Statistics Canada, In-depth survey on risk management practices
