
How well do you manage risks?

How well are you and your organisation managing risk? Good risk management practice occurs when underlying risk management principles have been applied well. A healthcheck is a starting point for understanding how well you or your organisation is currently managing risk, and for identifying areas where your use of risk management might be improved. We invite you to answer the following healthcheck questions to gauge how effectively you or your organisation is managing risk.

Scoll Methods supports the Office of Government Commerce’s Management of Risk (M_o_R®) guidance that recommends using 12 risk management principles to structure any healthcheck assessment. Thus, the following questions cover only a part of each of the 12 risk management principles. If you want to know more about the 12 risk management principles, book one of Scoll Methods’ M_o_R® courses.

If you can respond to a question by saying ‘yes’, you or your organisation are already applying one aspect of the principle that is being assessed by the healthcheck. A negative response indicates that you or your organisation is not using the principle as well as you could. The more questions that you can answer in the affirmative, the closer you are to applying risk management good practice. Clearly, in order to gain a realistic assessment, it is important that you answer the questions objectively.

Within the healthcheck questions set below, the term ‘Risk Management Policy’ is used. Depending upon the size of your organisation, this may mean a single policy or a collection of policies used by different operational units in your organisation. Risk management principles can be applied to the organisation as a whole, or to any specific organisational activity (e.g. a particular programme, project or operation). In order to remain brief, the following questions often refer to the risk management principles applied by an organisation. However, you can apply each question to any programme, project or operational activity or initiative.

Organisational context

Consideration: your risk management practices should reflect the context of your organisation and the nature of the organisational activity to which you are applying risk management.

  • Have you conducted and fully documented an external analysis of the organisation or organisational activity (e.g. using PESTLE analysis, industry analysis [e.g. Porter’s 5 forces], scenario planning or environmental scanning)?
  • Do you have a Risk Management Policy? Does it explicitly describe how it reflects the organisational context?

Stakeholder involvement

Consideration: your risk management practices should involve all major stakeholders.

  • Do you have and use a mechanism for including stakeholders in the identification and assessment of risk?
  • Have you identified stakeholder perceptions and attitudes towards risk? Have you documented and reviewed this?

Organisational objectives

Consideration: you should undertake risk management against clear objectives.

  • Have you clearly documented specific, measurable, achievable, relevant and time-bound (i.e. SMART) objectives for your organisation or organisational activity before starting to identify risks?
  • Has your organisation’s senior management team defined levels of acceptable risk to objectives? Does your senior management team regularly review these acceptable levels of risk?

M_o_R approach

Consideration: your organisation or organisational activity should develop a risk management approach that reflects its objectives.

  • Do you have an overarching Risk Management Policy governing how your organisation implements risk management? Does it clearly describe which activities you should routinely subject to risk management, key risk management roles and responsibilities, and your organisation’s risk appetite and risk-bearing capacity? Has it been tested by your organisation’s senior management team to see if it fully reflects the nature and extent of the risks facing your organisation?
  • Do you have a procedure in place for identifying when risks have exceeded acceptable levels of risk exposure? Do you have a pre-arranged channel for automatically escalating ownership of critical risks that exceed these acceptable risk exposure levels to more senior management for decision-making?

Reporting

Consideration: your organisation’s governing body should receive, review and act on risk management reports.

  • Have you defined and agreed a regular risk reporting process? Is it clear how it will be used, when and by whom? Is it clear who will create and disseminate reports, and what the reports will contain?
  • Does your governing body have a funding mechanism in place to finance risk responses (e.g. a contingency fund, new opportunity budget or controlled release of budgets to activities)?

Roles and responsibilities

Consideration: your organisation should establish clear risk management roles and responsibilities in terms of leadership, direction, controls, ongoing risk management, reporting and reviewing.

  • Has your senior management team formally communicated the risk management responsibilities of managers to all managers within the organisation? Does your senior management team regularly communicate with managers regarding risk management? Has your organisation made it clear who has responsibility for compiling, circulating, testing and maintaining your organisation’s Business Continuity, Security Management, and Health and Safety Management Plans?
  • Do all of your organisation’s staff-members understand that they have a role to play in risk management? Do you include specific responsibilities in their job description? Do you reinforce good risk management through line manager behaviours and reward systems? Does your organisation’s formal performance appraisal system explicitly consider risk management?

Support structure

Consideration: you should establish a risk management support structure for the organisational activity being assessed.

  • Do you have dedicated part- or full-time individuals assigned to a central risk function (e.g. portfolio office, programme office, project office or business office)?
  • Is your central risk function formally linked to the risk management processes across the organisation? Does your central risk function have the mandate, skills profile and funding available to assess and improve your organisation’s risk management?

Early warning indicators

Consideration: your organisation should establish early warning indicators for critical business activities as part of proactive risk management to provide information on the potential sources of risk.

  • Have you clearly defined all critical business systems? Do you have a balanced set of inward- and outward-looking early warning indicators for your critical operational business systems, programmes and projects?
  • Do your decision-makers regularly examine concise and easy-to-read reports about early warning indicators? Do your decision-makers have the authority to take corrective action in response to the reports?

Review cycle

Consideration: your organisation should regularly review the risks it is facing, and the policies, processes and plans it is adopting to manage those risks.

  • Do you review the effectiveness of your Risk Management Policy and processes on a regular cycle? Have you defined a process for scoping and conducting the reviews?
  • Do you report the findings of reviews to policy, process and plan owners? Do you discuss the significant control failings or weaknesses identified in the reports? Do you discuss the impacts of, and responses to, those failings or weaknesses?

Overcoming barriers to Management of Risk

Consideration: your organisation should recognise and respond to the barriers preventing it from implementing risk management.

  • Do your middle and junior managers believe that your senior management team adequately supports risk management? Does your organisation provide an adequate budget for embedding and executing risk management practices?
  • Do you have risk management training, tools and techniques ready for your staff to use? Do your staff-members know how to access them? Do you regularly assess risk management training needs? Do you have risk management orientation, induction and training processes in place for all staff (from junior staff- to senior management team-members)?

Supportive culture

Consideration: your organisation should establish the right culture for supporting risk management throughout your entire organisation.

  • Does a member of your organisation’s management board own risk management? Does your senior management team demonstrate commitment to risk management (e.g. through its policy, level of effort or actions, and promotion of a climate of trust so that risks can be openly shared and discussed without retribution)?
  • Are risk management competencies part of an individual’s performance evaluation and critical to their career progression in your organisation? Does your organisation’s formal performance appraisal system support and reward good risk management?

Continual improvement

Consideration: your organisation should develop strategies to improve its risk management maturity.

  • Has your organisation nominated a person or team as responsible for improving risk management for the organisation, or programme, project or operational activity?
  • Do you review risk management practices against a maturity model to determine the level of maturity you have attained? Have you prepared an improvement plan to assist you in progressing from your current risk management practices to the next level of risk management maturity?


How well did you do? If you could not answer many of the questions positively, you have some work to do to apply good risk management practices. Reduce your risk; come on one of Scoll Methods’ M_o_R® courses or use one of Scoll Methods' consultants to help you with this.