Risk Management – Defining Scope, Context and Criteria

A lot of thought and effort goes into identifying the risks an organisation or project is exposed to, and then considering the amount of risk involved. However, an essential step in the overall process is to first establish the scope, context and criteria for your risk management activities. As set out in the Standard, the purpose of this is to customise the risk management process and thereby enable effective risk assessment and appropriate risk treatment throughout your organisation. This involves defining the scope (i.e. determining where you will apply your risk management process), understanding the external and internal context the process operates within, and setting the criteria against which risk will be evaluated. These elements form the foundation on which your risk management process is built.

Scope

On the surface, defining the scope of your organisation's risk management activities is straightforward. The classic example most Councils use is to apply the risk management process at three levels: strategic, operational and project. However, down the track, difficulty often arises from the age-old issue in local government of what is strategic and what is operational.

When working with Councils, I try to encourage the approach that strategic risks are those that may impact upon the organisation's ability to deliver and implement its strategic direction (as per its Corporate Plan). I generally suggest that Councils align their strategic risk register with their Corporate Plan (or equivalent in other States), so that it is focused on addressing issues which may disrupt the long-term objectives elected members have for their community.

Operational risks then are those which may impact upon the viability of Council’s administration in safely and sustainably delivering services, and achieving objectives associated with its business units. These risks may relate to the effective and efficient use of Council’s resources and have the potential to impact on or disrupt day-to-day operations of the Council.

Finally, project risks are those that are attached to specific projects being undertaken by the organisation and which may hinder project delivery.

Each level at which the risk management process is applied will have its own reporting requirements and should be monitored by the appropriate person(s) to ensure that the process is operating as intended.

Context

Understanding the context essentially means that Councils should have a good knowledge of the internal and external environment within which they operate and are trying to achieve their objectives. This is important because, without this information, Councils may fail to identify risks relevant to their activities or may manage them inadequately.

To emphasise the importance of this, I have an embarrassing example from my own experience of a time when I failed to understand the context of my environment when considering a risk. A couple of years ago, on my travels between visiting Councils, as I pulled into a town in outback Queensland I started to slow down in accordance with the road signs. In a 60 km/h zone entering town, I saw a police car parked on the opposite side of the road at the end of the street. Although not necessarily thinking of it this way in the moment, I did a quick risk assessment by reviewing my speed (which was under 60 already) and decided to treat the risk further by reducing my speed to 50 km/h. Sure enough, I was pulled over anyway. The Officer politely asked if I knew I had just driven through a school zone. I was baffled. I had no idea. I had focused so much on the presence of the police vehicle that I had not noticed the school zone sign as I passed it. I failed to understand the context of the environment I was in and, as such, did not adequately assess the level of risk.

Criteria

Council should prepare supporting information which allows consistent evaluation of the significance of risk to support decision making processes. At a minimum this should include:

  • The type of uncertainties Council may be exposed to;
  • How consequence and likelihood will be defined and measured; and
  • How the overall level of risk is to be determined (i.e. a risk matrix based on consequence and likelihood).

When working with Councils to improve their Risk Management Framework, I encourage them to include a table listing the various types of risk they will assess matters against as part of their process. These categories may include:

Additional information should be included to support consistent evaluation of the consequence and likelihood of a risk eventuating. These two measures can then be considered together against a risk matrix, which produces a risk rating that indicates the overall amount of risk involved. For example:


Council's risk criteria should also specify the amount of risk it may or may not take in pursuit of its objectives. This refers to your organisation's risk appetite and risk tolerance, which will be discussed at length in my next blog.

For further support with developing, reviewing or improving your risk management processes, LGMS member Councils should contact their Regional Risk Coordinator. The RRC program is a key feature of your membership, and our team's mission is to assist you with the development, implementation and review of your approach to enterprise risk management.
