Risk Scope, Context & Criteria
This article is the tenth of fourteen parts to our risk management series. The series will be taking a look at the risk management guidelines under the ISO 31000 Standard to help you better understand them and how they relate to your own risk management activities. In doing so, we’ll be walking through the core aspects of the Standard and giving you practical guidance on how to implement it.
In previous articles we’ve looked at the core elements of the risk management framework, as well as the role of leadership and commitment, integration, design, implementation, evaluation and improvement more specifically. We’ve also briefly looked at the risk management process in a general sense, and we’ve also honed in on the importance of communication and consultation in that process. In this article, we’ll be delving into how to approach and determine the scope, context and criteria of your risk management process.
Defining the scope, context and criteria of your organisation’s risk management process is essential to establishing a strong and robust risk management framework. Part and parcel to this strong and robust framework is having a risk management process which is tailored and customised to your organisation, which will then allow for your organisation’s best chance at efficiently and effectively identifying and treating risks. In achieving this, your risk process’ scope, context and criteria need to be properly structured, and in this article, we explore how to achieve this.
The scope of your risk management process refers to the breadth of risk management activities that you are willing and seeking to address. For example, you may choose to cast a wide net of risks to be captured, or you may choose to focus on the most prominent and severe risks within your organisation, however it is advisable that you take a balanced and realistic approach to doing so. When determining scope, you will also need to turn your mind to your risk process’ objectives, and whether those objectives align with the broader organisational objectives of your organisation. At the highest level, this may include consideration of long-term, strategic objectives, whereas at the lowest level, this may include consideration of day-to-day operational objectives. Consideration of these objectives together with the risks which are contained in your scope are two of the fundamental aspects of properly establishing the scope of your risk management process. However, a more detailed approach can be taken which requires consideration of the following:
- Expected outcomes of the risk process: this refers to your anticipation of the result may arise from the risk occurring. This requires you to actively consider what those outcomes may be and to contemplate the strategies which are available to mitigate them. It is not enough to just set the scope and move on; you also need to be prepared to react to that risk in the form of say, for example, the formal identification of the risk, a response, and then an evaluation of the risk and its response as a whole.
- Time and location: the time and location of the scope refers to those risks which may, or may not occur, at a certain point in time and at a certain location. With regards to time, this may involve a periodic assessment of risk performance in a select area of your organisation, such as in a specific location. You will typically find that the question of time and location in your risk assessment will be dictated by your organisation’s objectives per quarter, for example, and for different organisational locations.
- Inclusions and exclusions: Inclusions and exclusions refer to the matters which are by choice addressed or not addressed by your risk management process. For example, you may choose to exclude extremely low risk activities from the scope of your risk management process as it is not actually necessary to manage the more severe and concerning risks within your organisation.
- Risk assessment tools and techniques: this refers to the selection of risk assessment tools and techniques which are to be included in your scope to best manage the risk you’re addressing. A common example would be the provision of a risk matrix to determine the likelihood of the subject risk occurring.
- Resources, responsibilities and records: when scoping out your risk management process, you will need to identify the resources, the allocation of responsibilities, and the records required to be kept in the management and mitigation of that risk. Decisions such as these need to be made in response to the realistic availability of resources – human, time, or otherwise – within your organisation.
- Intersection with other projects, processes and activities: in circumstances where you may have multiple risk management scopes, such as those on specific projects, you need to ensure that they are consistent and that they are as complementary as possible. This is required in order to minimise the potential for complacency through having a strong, coherent and robust scope to address and manage the risk at hand. In essence, any scope introduced should not conflict with the rest of your organisation. Consistency is key.
As has been consistent throughout the course of the nine articles preceding this one, gaining a proper understanding of the internal and external environment in which your organisation operates is key to both defining and achieving its risk objectives. Thus, the application of the risk management process should be done in a manner which reflects the true nature of the organisation’s internal and external environment in order to avoid inconsistency or incohesion.
Gaining a solid and well informed understanding of both internal and external environments is critical for three key reasons. The first is that, as we’ve touched on above, risk management occurs in the context of the objectives and activities of your organisation. Without a solid understanding of this reality, you risk having an incoherent and out of touch risk management process which may fail to meet its purpose. Secondly, internal factors, surprisingly enough, can be a source of organisational risk. Such risks may be known or unknown, so it is critical to have a solid understanding of your organisation internally to both monitor and detect such risks. Thirdly, the purpose and scope of the risk management process may be interrelated with the objectives of the organisation as a whole. These objectives can occur in respect of your organisation’s strategy, operations, or projects, for example. Together, these three factors can help give you a strong understanding of your organisation’s internal and external context, of which is critical to your risk management activities.
Organisations should specify the quantum and type of risk that they are prepared to take on through creating a risk criteria. In making such a criteria, organisations need to give consideration to their values, objectives and available resources, and the outcome of this consideration needs to be made consistent with other organisational risk practices enshrined within relevant internal and external policies and statements concerning risk management. Other matters to consider in your definition of a risk criteria is to consider your organisation’s obligations (such as under legislation or to external stakeholders) and the views of your key stakeholders, both internal and external.
Beyond this, the ISO Standards require you to give consideration to the following elements (at the very least) when determining your criteria, being (1) the nature and type of uncertainties that can affect outcomes and objectives; (2) how you will define positive and negative consequences and likelihood of risk occurrences; (3) the role and influence of time in response to the risk; (4) consistency in your choice of how the risk is to be measured; (5) what the criteria is for determining the level of risk; (6) whether there any combinations or sequences of multiply occurring risks which could influence the satisfaction or non-satisfaction of the risk criteria; and (7) the capacity of your organisation to respond to those risks. These elements all together should be considered to ensure you create and have the advantage of a well-rounded risk management criteria.
On the whole, you should take a holistic and well-rounded approach towards how you determine and understand your organisation’s risk scope, context and criteria. Without such an approach, you pose the threat of an inconsistent and fragmented risk management process, of which may fail to identify and manage risk. This can possibly result in an increased threat of risk to the organisation, and for these reasons, you need to take a conscious and staged approach to determining this area of the risk management process through purposefully defining the scope of your risk management activities through ascertaining a holistic and insightful understanding of your organisation’s internal and external environment, and determining your risk criteria with reference to your organisation more broadly together with the nature of the risk being assessed. These elements of scope, context and criteria all together are critical for providing a solid foundation to your organisation’s risk management activities.
If you have any stories – good or bad – about how you’ve approached the scope, context and criteria of your risk management process within your organisation, I would love to hear them.
If you’re looking to improve your risk management process and would like some guidance or a conversation to help you on your journey, please contact me. I’m more than happy to guide you.
About the author
Peter is the Founder and Director of Holtmann Professional Services, a global provider of executive coaching, business excellence consulting and career path development. Peter has 20 years of experience in executive roles and has been the President and CEO of a global non-profit. Peter has written for many journals and blogs, is a keynote speaker and is a champion of prosperity through excellence of leadership.
If you are interested in working with Peter, please reach out to email@example.com.