#LOCKDOWN DAY 11: RISK MANAGEMENT NOTES ABMI ? Practice Guideline A6: Commitment to Competence

With the volume of information around us and the pace of change thereof, we are required in the interests of relevance to keep evolving. Organisations, much like humans should learn and evolve in order to perform optimally and build sustainability.

NB: We are completing the first of seven ABMI components today by discussing A6. In my next article I will move onto the B-series which focuses on Strategic Planning Integration.

Onto today's topic!!!

I must admit that in my first interaction with the subject of risk management I believed that, once the risk assessment is done, the work was done for the year. I progressively learnt that some degree of monitoring and evaluation was necessary, which led me to an eventual realisation, after researching the attribute-based maturity index, that, when broken down into composite elements, there can be as much as 93 specific streams of work that a risk manager should consider as part of their scope of work. For the risk practitioners and leadership teams I have worked with, breaking down risk management into manageable “bit-size chunks” has made it much easier to build capabilities, entrench them within the organisation and deploy them accordingly. Learning has also become more specific and focused on the actual aspects that require development.

It must also be noted that, the mere execution of risk management activities is meaningless if one leaves the organisation behind and doesn’t in doing all the transactional elements consider actual management of risk and achievement of desired outcomes. If you remember, during day 4 in this series I clarified that we should see the actual intent of all risk management activities as the actual “management of risk”. Organisations manage risk through their extended leadership, management teams and staff members. It is these teams that should be developed in order to enhance the management of risk within the organisation.

Key to effective development of organisations through people is to “speak their language” and ensure any message is delivered in a manner that allows the recipients to effectively apply what they have learnt.

WHAT ARE THE OPTIONS?

The determination of a risk management strategy is one of the areas in risk management in which there is little-to-no guidance given. Although the concept of common risk language allows for a non-conventional use of linguistic terms, the term risk management strategy has resulted in a varying degree of interpretation with some not in the end resembling a strategy. (ABMI Reference Library, 2018 edition, p54)

One may ask, how do we develop comprehensive risk management strategies? There are several options available which may include the following:

Option 1 - Develop the risk management plan based on previous knowledge:

I call this the informed guessing game.

Under this approach, the organisation develops its risk strategy and improvement plan on the basis of generally expected elements of risk management and the experience of the risk practitioner or advisor. This method will result in wider variance between plans generated by practitioners as they would rely on their experience and previously developed documents.

Option 2 - Develop the risk management plan based on a complete list of all possible risk management tasks:

This constitutes a shopping list approach.

Using this approach, all possible things that can be done from a risk management perspective are listed and scheduled into each month, quarter and financial year. This would seem like a tick-list approach as what the organisation is doing is checking periodically whether all things listed were done. It may in actual effect, be an inefficient allocation and application of organisational resources as not all areas require attention at any point in time.

Option 3 - Develop the risk management plan by adapting someone else’s plan:

Ok… I am sure you can name this approach. Let’s call it the “Copy, Paste” approach.

This method is notorious and the main reason why by extension even general organisational policies and business processes don’t work efficiently. As an auditor by background I have noted a common DNA in organisational business processes and in some instances realised that the writers even forgot to take out the name of the previous company from which the policy of procedure document was obtained for customisation. This method does nothing for you as it fails to consider your organisation’s unique circumstances and it is likely that the risk management plan generated as a result will result in un-coordinated and unnecessary improvement activities.

Option 4 - Develop the risk management plan based on a risk maturity/ as-is assessment:

This is the competency-based approach.

This approach would entail a detailed study of the status quo regarding strategy and risk management within the organisation. The study can be conducted using a structured as-is assessment or risk maturity assessment. The results of the study will inform the development of a structured risk strategy and improvement plan on a multi-year basis.

Recommendation:

I recommend that method 4 be followed on the basis of a bench-marked and complete risk management model. However, not all as-is/ maturity assessments are equal. A maturity assessment performed based on a thumb-suck approach will depend on the personal bias of the assessor and may not deliver envisaged value for the organisation. Organisations should follow structured, consistent, bench-marked and formally researched methods in conducting their as-is assessments.

Practitioners may elect from a range of approaches but we are all reminded that, the mere presentation of a checklist, no matter the source doesn’t constitute a credible as-is or risk maturity assessment unless it is backed by solid and formalised empirical evidence, research or a recognised risk management standard.

RISK MATURITY ATTRIBUTE STATEMENT:

The organisation is expected to have risk management improvement plans designed to enhance risk management capabilities and competencies progressively. This is in terms of the competence standards of the attribute-based maturity index (ABMI Reference Library, 2018 edition, p8).

Commitment to competence is intrinsically tied into the organisational risk culture and requires organisations to understand the current status of collective competencies and capabilities within the organisation and develop a plan of action to improve there for individuals, teams and the organisation.

KEY SUB-ATTRIBUTES OF A6: COMMITMENT TO COMPETENCE

Please note that in terms of the attribute-based maturity index there are 7 core components of risk management that comprise 26 primary attributes. These primary attributes are in turn split up into 93 sub-attributes. Below I analyse the sub-attributes of one of the 26 primary attributes. Keep coming back for more articles that unpack the other elements.

Some elements aren’t explained in full save for the focus item. All elements, however, are explained in detail in the ABMI Reference Library which can be obtained directly using a self-registered user profile on www.abmi.co.za

A:6-1 Objective-based risk strategy development

The organisation has developed a formal risk management strategy that responds to an as-is assessment or risk maturity assessment. The risk management strategy contains clear objectives and implementation plans.

A:6-2 Commitment of financial resources to support risk management strategy

The organisation ensures required resourcing for the implementation of the risk management strategy by budgeting for as well as availing the required financial resources to enable implementation of the risk management strategy.

A:6-3 Building organisational capability to support strategy

The organisation ensures implementation of the strategy through building capability by putting in place technical capacity building programmes that align with the strategy and its intents.

The organisation should ensure that it has sufficiently resourced its risk management function and that requisite authority is given to the risk management function to perform in terms of its appointed functions. Where this cannot be demonstrated, the organisation should demonstrate that alternative arrangements are in place to provide the required technical guidance and direction from a risk management perspective either through outsource or co-source arrangements. The organisation should ensure that there is a technical capacitation, on-the-job-coaching and facilitated training for both risk practitioners and relevant staff members designed to build an in-depth understanding and capability to implement relevant risk interventions that support organisational risk management as well as the risk management strategy. This is distinguished from risk awareness workshops and training where the focus is not primarily on building technical capabilities but on culture-building and promoting understanding. (**Extracted from the ABMI Reference Library, 2018, p56)

A:6-4 Monitoring of performance against risk management strategy

The organisation periodically monitors performance against the risk management strategy and reports the findings thereof to the governing authority.

A:6-5 Re-assessment and plan adjustment

The organisation performs an annual re-assessment or risk maturity assessment to evaluate the extent of implementation of the risk management strategy and puts in place required remedial action based on findings thereof.

CONCLUSION:

For additional context, register a free user profile via www.abmi.co.za and download our free ABMI Reference Library Preview document or explore additional value-added offerings. Good luck and feel free to share your views. We are all here to learn and no idea is unwelcome!!!