Following on from our podcast chat, there are very few topics in risk management that elicit responses as quickly as “Frameworks”. Comments range from complete acceptance, through to complete rejection. In fact, our most recent podcast chat elicited a response of “BS” from one of the risk management community’s more outspoken contributors. Everyone’s entitled to an opinion, although we’d prefer to see it delivered with a little respect.
As a starting point, it must be said that a Risk Management Framework must be developed to meet the specific needs of an organisation, reflecting culture, maturity, and (importantly) the underlying business itself. There is certainly no “one size fits all” Risk Management Framework, but there is definitely a set of bookends in which a Framework can be developed for all organisations. It’s just a matter of what you put in between the bookends that matters.
Other than my past roles in the finance sector, in all risk management roles I have held I have had to develop and implement the Risk Management Framework and function. This doesn’t mean “improve” or “build”, it means develop from the ground up. In doing so, much guidance comes from the Board, often through the Audit & Risk Committee, that sets the expectation of what is required. This is not always clear, and it’s not always optimal, often reflecting the Board’s limited hands-on risk management leadership experience during their executive career. But, consistently among the guidance is the requirement for development of a Risk Management Framework. Something tangible that outlines the objectives, the mechanics, the functionality of risk management for all to see, and to embrace.
Unlike other disciplines (Economics comes readily to mind) in risk management we can’t just fall back on assumptions – “now let’s assume we all understand everything there is to know about risk management, so we don’t need to have a framework”.
So, whilst respecting everyone’s right to an opinion, it’s unlikely that any organisation embarking on a journey to expand its risk management capability will do so without a framework. The question then is “what should it look and feel like?”
ABM has developed a Risk Management Framework that we believe will work for all organisations. We believe it needs to be comprehensively detailed, but delivered in an effective way that makes it simple to apply – we do this through a digital platform easily accessible to everyone. It must contain some key elements – Risk Policy (notably for listed entities), Principles, Appetite, and Standards. And it’s the Standards that contain the details of what gets done, and how. It’s highly adaptable, and scalable, and we’ve worked with many clients who have embraced it and made it work, building as they grow their capability and maturity.
Of course, the question of whether an organisation does or does not want a Risk Management Framework will come down to the organisation itself. It shouldn’t be too hard a decision to make, and for many it’s probably not even a question they would consider. For those organisations, the questions are about how to effectively implement the framework as part of the commitment to risk management effectiveness, not whether they do or don’t have a framework.
If your organisation is in the camp that wants to improve its risk management effectiveness and sees the Risk Management Framework as a key element of that objective, we would love to hear from you and work with you to achieve it.
From risk comes opportunity.