TAGS: Approach; Statistical risk; Quality framework.
Risk management is essential to achieving the organization’s strategic outcome, and this can only be done by ensuring that risk is routinely considered in all significant decision-making. This means that risk management should be part of the organization’s culture, embedded in every organizational process, including production and supporting processes.
This requires an agreed approach, integrated with corporate strategy, that outlines exposures, issues and potential problem areas: integrated risk management should result in a system that is a part of the regular organizational performance review, where the organization not only looks at performance and events, but systematically identifies important gaps, variations and exposures, in order to get ahead of (mitigate) their possible impact.
From a practical point of view:
a. Risk management should not be seen as a separate system, existing independently from the way in which the organization manages itself, makes decisions, allocates resources and holds people accountable.
b. Risk management cannot take place at some levels if that means excluding other ones.
c. Risk management cannot take place in only a few parts of the organization.
According to the holistic approach, risks should be viewed and assessed at any level in the organization. They should be a major consideration in approving proposals for investment, and integrated into tools for project management and performance monitoring. Accordingly, they should be integrated into key accountability documents, and internal strategic and project planning.
The most advanced statistical organizations have developed integrated models, based on an enterprise-wide perspective of risk, adopting standardized terms and concepts to promote effective implementation across the organization.
In these systems, all aspects of internal control are developed through a risk-based approach, built on the following criteria:
a. Policy positions reflect the risk appetite of senior management, and are developed to guide the behaviour of empowered staff in managing the risks that they face in performing their assignments.
b. Governance arrangements ensure transparency and accountability in decision making, by promoting strong leadership, sound management, and effective planning and review.
c. Planning and reporting provide great opportunities to document goals and related risks.
d. Assurance activities are a part of internal audit, aimed at verifying that risk management within an organization is run consistently with international standards and established practice[1], whilst giving due consideration to the importance assigned to the organization’s objectives.
e. Organizations should align risks to internal controls to ensure that, where possible, each risk has controls, and that each control addresses these risks.
Such NSOs have adopted an integrated risk management framework by identifying – in addition to general risk management – a specialized risk management which addresses persistent risks (for example, fraud, work health and safety, Information and Communication Technologies (ICT) security and disclosure risk)[2]. They also put a strong focus on managing statistical risk, defined as the possibility that one or more of the production process components fail to meet the established quality standard, thus resulting in a lower statistical output quality or integrity. Given that statistical risks are unavoidably managed at all levels (strategic, operational and project) within an NSO, it is worth noting that even when they are managed separately, they should eventually be integrated into an organizational risk framework.
Considering the strong connection between quality and risk[3], risks can be treated by applying quality management, especially at operational level.
Indeed, risk management and quality management are similar, in that:
Even though a lot of general quality frameworks exist in literature, applications of continuous quality improvement approaches among NSOs are still limited.
In implementing their framework for statistical business process quality improvement, NSOs should pay particular attention to:
A first step in implementing a quality framework, independent of the standard adopted, is to design process flow map(s), in order to identify the points where product and process quality can be measured.
Process mapping can help to understand how a system works, and identifies how a system interacts with other systems and processes.
Another key step is to identify the statistics quality demands from users with respect to the process under consideration[4]. Quality demands should encompass both quality criteria, and demands related to risks. A process is in control when quality criteria are met and risks are acceptable.
NSOs could use the Generic Statistical Business Process Model (GSBPM) as a guide to map the activities of statistical processes. This ensures that all steps of a statistical process are included for monitoring purposes: for example, the "Collect" phase of the GSBPM includes any activities related to obtaining data. Considering the recent adoption of the Generic Activity Model for Statistical Organizations (GAMSO), which extends and complements GSBPM by adding other activities which are needed to support statistical production, it would be useful to introduce this standard in order to support implementation of an entire risk management system.
In particular, according to the GAMSO model:
[1] Internal audit should be carried out by an independent organizational unit, playing an advisory role and providing independent assurance and assistance to the Chief Statistician (see Section 2, Ch. 5).
[2] One Institution that manages all these persistent risks is the Australian Bureau of Statistics (ABS), which has also developed a quality improvement framework of the statistical chain based on risk management (see Annex).
[3] A) Quality is defined as the extent to which characteristics of an object meet the requirements (ISO 9001:2015). Risk is defined as the effect of uncertainty on objectives (ISO 31000). Objectives can be regarded as high level requirements. B) Traditionally, quality is focused on product quality and customer satisfaction (ISO 9001). However, the definition of quality can be applied to other objects such as processes, input as well as the institution as a whole.
[4] BLUE-ETS Project: SP1-Cooperation-Collaborative Project / Small or medium-scale focused research project / FP7-SSH-2009-A / Grant Agreement Number 244767 / Deliverable 7.3