Enterprise Risk Management is a disciplined approach that enables an organization to identify, evaluate, analyze, monitor, and mitigate the risks that threaten the achievement of its strategic objectives. Every organization is exposed to risk in many areas: operational, market, legal, environmental, reputational, brand, liability, financial, and property.
Introduction
Every Scouts Canada activity must have its risks identified and evaluated to ensure the safety of youth and members, the delivery of planned outcomes, the preservation of asset value and property, the protection of the environment, and that all activities (‘projects’) are conducted within the law and applicable regulatory requirements. Scouts Canada organizations at all levels must actively manage their risks and keep the responsible commissioner accurately informed.
This document describes in detail how a consistent Risk Management procedure delivers value, and how it can be carried out both effectively and efficiently. This guideline is not intended for groups, sections or individual Scouters.
Introduction to Risk Management
Risk Management is primarily about adopting a structured way of working that ensures risks are identified, understood, agreed, communicated and acted upon in a timely and consistent manner. It delivers the most value when it is led and steered by the appropriate Scouting leadership team and actively used to support decision-making.
Risk Management has three main purposes: (1) enabling better decision-making, (2) protecting the value of past decisions by reducing the likelihood and impact of ‘negative’ events, and (3) increasing the likelihood and benefit of ‘positive’ events affecting those decisions.
Risk management focuses attention on uncertain future events and prioritises them against current issues and opportunities. It adds value not by listing obvious and common activities, but by providing a structured way to foresee the unexpected and be prepared for it. It keeps track of future events that are not demanding immediate attention but matter because they could have a major impact on the activity. In this way it helps leadership teams to be proactive rather than slipping into a ‘fire-fighting’ mode.
Note: People are generally too optimistic about the downside a project or activity faces, and about the effort required to manage it, so that downside is often not fully reflected in the plan. Proactive management of risks is therefore often dismissed as a bureaucratic step. It is the job of leadership to champion risk management and ensure it is properly applied.
Organizational Framework for Managing Risk
To enable this process, an organizational framework must be defined that addresses (i) roles and responsibilities, (ii) identification, assessment and prioritisation of risks, (iii) documentation and (iv) communication.
i. Roles and Responsibilities
The following roles and responsibilities should be assigned, resourced and observed, together with clear deliverables, training requirements and time allocation as appropriate:
- Decision-Maker (e.g. CEO, ED, RD)
- (Assigned) Risk Coordinator (e.g. Staff Member)
- Risk Owner (e.g. ED, RD, CK3 Member)
- Action Owner
- Team Member
ii. Risk Identification, Assessment & Prioritisation
A comprehensive risk assessment goes beyond a safety check-up. It attempts to identify the complete range of potential outcomes that may affect success across many categories, assigns each a risk rating, and enables the development of risk management strategies. Carrying it out also builds skill and competency in hazard identification, risk assessment and risk management.
Risks have to be prioritised and ranked in a consistent and transparent manner against the other items competing for project resources and management attention.
Risks must be assessed on their probability and their impact on the plan and objectives, and prioritised by the resulting severity. The risk assessment matrix is the primary tool for distinguishing and prioritising risks.
To manage risks there are 7 steps that must be taken [as defined in the Risk Management Standards]:
- Identify: the risk is identified
- Assess: the risk is assessed and ranked against other risks [using the Scouts Canada Enterprise Risk Matrix – see APPENDIX]
- Plan: based on the risk assessment, responses are planned and approved [using the Scouts Canada Risk Hierarchy – discussed below]
- Implement: actions are executed, and responses put in place
- Monitor (review, appraise, re-assess): feedback is obtained, the risks, actions and responses are monitored for changes and effectiveness, and the situation is re-assessed
- Improve: if necessary, the plan to manage the risk is updated
- Close: once the mitigation measures have been effectively implemented, close out the risk in the risk register.
Risk Management Hierarchy
When determining how to develop risk controls and actions, we use the standard hierarchy of controls, in order of preference:
- First, we design controls that eliminate the hazard (the source of potential danger) altogether. e.g. we ensure our program is age-appropriate, or we select a site for an activity that is not dangerous.
- Second, we use engineering controls, which reduce risk without relying on human intervention. e.g. we use auto-locking belay devices for top-rope climbing and ensure a secure ground anchor.
- Third, we use administrative controls, which rely on human intervention to lessen the risk. e.g. we require all youth and Scouters to pass a swim test before a canoe expedition, and we ensure the expedition leaders are trained in flat-water canoeing.
- Lastly, we use personal protective equipment (PPE), which does not prevent the event but limits the severity of its consequences. e.g. we wear helmets for biking and tobogganing, and safety glasses for repairs to camp equipment.
iii. Risk Documentation
Managing all the risk information, along with its tracking and reporting, requires a suitable tool. Scouts Canada utilises a standard risk register format with the following columns (in sequence):
- No.
- Status
- Risk Category (or: When or where could this happen?)
- Risk Scenario (or: What could happen?)
- Risk Event
- Risk Causes / Drivers / Triggers (or: What might make this happen?)
- Impact / Consequence (or: What could be the result?)
- Impact Rating (Inherent)
- Likelihood Rating (Inherent)
- Inherent Risk Rating
- Current Controls & Mitigations (or: What are we already doing to keep this from happening?)
- Impact Rating (Residual)
- Likelihood Rating (Residual)
- Residual Risk Rating
- (Risk) Treatment Owner
- Risk Treatment Strategy (or: What can we do to reduce or eliminate this risk?)
- Impact Rating (Future / Target)
- Likelihood Rating (Future / Target)
- Future Residual Risk Rating
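The register columns above, the 7-step process and the hierarchy of controls can be combined into a small, checkable data structure. The following is an added example written for this page; it is not Scouts Canada's own register tool. It assumes 1 to 5 scales for impact and likelihood, a rating equal to impact times likelihood, and assumed Low/Medium/High/Critical bands; the real scale and thresholds are those of the Enterprise Risk Matrix in the appendix and are not reproduced here. The sample entries are constructed for illustration.

```python
"""Minimal risk register following the column sequence above (added example, not Scouts Canada's tool).

Assumptions: 1..5 impact and likelihood scales, score = impact x likelihood,
and the rating bands below stand in for the Enterprise Risk Matrix in the appendix.
"""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    """Workflow states from the 7-step process (Improve loops back to Plan)."""
    IDENTIFIED = "Identify"
    ASSESSED = "Assess"
    PLANNED = "Plan"
    IMPLEMENTED = "Implement"
    MONITORING = "Monitor"
    CLOSED = "Close"


# Hierarchy of controls, most preferred first (eliminate, engineering, administrative, PPE).
CONTROL_HIERARCHY = ("eliminate", "engineering", "administrative", "ppe")

# Assumed bands on the 1..25 score; real thresholds come from the appendix matrix.
BANDS = ((5, "Low"), (10, "Medium"), (16, "High"), (25, "Critical"))


@dataclass(frozen=True)
class Rating:
    impact: int      # assumed 1 (negligible) .. 5 (catastrophic)
    likelihood: int  # assumed 1 (rare) .. 5 (almost certain)

    def __post_init__(self):
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError("impact and likelihood must be 1..5")

    @property
    def score(self) -> int:
        return self.impact * self.likelihood

    @property
    def band(self) -> str:
        return next(name for limit, name in BANDS if self.score <= limit)


@dataclass
class Risk:
    number: int
    category: str
    scenario: str
    event: str
    causes: list[str]
    consequence: str
    inherent: Rating
    current_controls: list[str]
    residual: Rating
    treatment_owner: str
    treatments: list[tuple[str, str]]  # (control type from CONTROL_HIERARCHY, description)
    target: Rating
    status: Status = Status.IDENTIFIED

    def __post_init__(self):
        # Controls cannot make a risk worse, and a target cannot be above what is already achieved.
        if self.residual.score > self.inherent.score:
            raise ValueError(f"risk {self.number}: residual rating above inherent rating")
        if self.target.score > self.residual.score:
            raise ValueError(f"risk {self.number}: target rating above residual rating")
        unknown = [kind for kind, _ in self.treatments if kind not in CONTROL_HIERARCHY]
        if unknown:
            raise ValueError(f"risk {self.number}: unknown control type(s) {unknown}")

    def treatments_by_preference(self) -> list[tuple[str, str]]:
        """Plan step: order treatments by the hierarchy of controls (eliminate first, PPE last)."""
        return sorted(self.treatments, key=lambda t: CONTROL_HIERARCHY.index(t[0]))

    def reassess(self, residual: Rating) -> None:
        """Monitor step: record the residual rating observed with controls in place."""
        self.residual = residual
        self.status = Status.MONITORING

    def close(self) -> None:
        """Close step: allowed only from Monitor and only once residual has reached target."""
        if self.status is not Status.MONITORING:
            raise ValueError(f"risk {self.number}: can only close from Monitor, not {self.status.value}")
        if self.residual.score > self.target.score:
            raise ValueError(f"risk {self.number}: residual {self.residual.score} still above target {self.target.score}")
        self.status = Status.CLOSED


def ranked(register: list[Risk]) -> list[Risk]:
    """Assess step: open risks ranked by residual score, ties broken by inherent score."""
    open_risks = [r for r in register if r.status is not Status.CLOSED]
    return sorted(open_risks, key=lambda r: (r.residual.score, r.inherent.score), reverse=True)


# Constructed sample entries for illustration (not real register data).
CANOE = Risk(
    1, "Outdoor activity", "Capsize on a flat-water canoe expedition",
    "Youth enters cold water away from shore",
    ["untested swimmers", "untrained leaders", "sudden weather change"],
    "Drowning or hypothermia", Rating(5, 3),
    ["PFDs worn at all times"], Rating(5, 2), "Expedition leader",
    [("ppe", "PFDs and spare dry clothing"),
     ("administrative", "swim test for all participants; leaders trained in flat-water canoeing"),
     ("eliminate", "choose a sheltered lake instead of a river section")],
    Rating(5, 1),
)
CAMP_REPAIR = Risk(
    2, "Property", "Injury during camp equipment repair", "Debris strikes a volunteer's eye",
    ["no eye protection"], "Eye injury", Rating(3, 3), [], Rating(3, 3), "Camp chief",
    [("ppe", "safety glasses for all repair work")], Rating(3, 1),
)
REGISTER = [CANOE, CAMP_REPAIR]
```

The two validation rules in `Risk.__post_init__` and the guard in `close()` encode the ordering the register implies: inherent, residual and target ratings must not increase left to right, and a risk is closed out only after a Monitor step has confirmed the residual rating is at or below the target.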
iv. Communication
To make risk management happen in practice, it is important to communicate effectively and to integrate ‘risk’ into normal management practices. The project / activity risk management plan should describe how this is achieved and serve as a supporting document for:
- On-boarding of new team members e.g. new Council Key 3, Senior volunteers or National Staff.
- Incorporation of risk management into standard regular meetings.
- Engagement with other stakeholders as appropriate and required.
The risk management plan should be as specific and practical as possible and focus on what the project will do to ensure its risks are managed.
For risk management to deliver value, the understanding gained by taking each risk through the risk management process needs to be communicated. Teams must decide on the following:
- How are risks made part of the decision-making process?
- How are risks integrated in plans and cost/schedule estimates/analysis?
- How are risks communicated up, down and across the organization?
- How are new risks identified, logged, approved and shared?
- How are risks tracked and deviations managed?
- How are risk responses and the residual risk approved and resourced?
- How are risk responses (actions) tracked and deviations managed?
- How are risks closed out (formal procedure/sign off)?
- How are people trained?