2.4 Risk Management
What is risk?
Fundamentally, risk is uncertainty of outcome. Risks are described in terms of the potential events that could affect your intended outcomes, together with their potential causes and effects. The situations we encounter as we deliver our work inevitably contain a degree of uncertainty, and in aiming to fulfil our objectives there is a chance that various things could happen that cause us to fail. The consequences when a political finance oversight body fails to deliver are significant: not only will your institution lose credibility, but confidence in the integrity of the electoral system could be undermined. The 'things that could happen' constitute risks, and we should seek to manage them to optimise our chances of a good outcome. Risks can stem from a wide variety of sources, such as change, legal challenge, financial factors, errors and so on. For an example of the risk management approach used by the UK government, see its "Orange Book".
Oversight of political finance can be a particularly risky endeavour, as it includes overseeing, and potentially seeking sanctions against, powerful political actors, who may have the power to alter the legal mandate of any public institution tasked with overseeing political finance.
Why should we manage risk?
Good risk management allows you to:
- Have increased confidence in achieving desired outcomes
- Effectively constrain threats to acceptable levels
- Take informed decisions about opportunities and changes
Some level of risk is inevitable and no successful organisation can be completely risk-averse. The server supporting your electronic filing system may go down, or you may fail to identify a potential breach of the political finance law when reviewing a campaign finance election report. It is important to realise that risk management is not about attempting to eliminate all risk. Rather, it is an approach to our work that enables us to consider risk whenever we are making decisions, beginning a new piece of work, or performing our day-to-day jobs. For example, you might have considered server failure when developing your electronic filing system and made provision for a back-up server in the event of such a contingency (and tested that failover to it actually works, rather than assuming it). Or you may have included a secondary review of campaign finance reports to guard against the risk of failing to identify breaches. Risk management should be an intrinsic part of your organisation's governance, integrated into the way you work and the way you think. It should not need to be an 'extra' process.
Evaluating potential uncertainties in advance is preferable to having to manage unexpected impacts after the fact. In the long run a risk-based approach will save you time, as it reduces the number of unexpected issues that arise.
What elements make up risk management?
Risk management starts with a good risk culture: an awareness across the organisation that it is important. Risk management should be seen as a positive approach that enables you to identify and assess risks during planning, and to learn lessons when issues have arisen, so that risk management in future, similar situations can be improved. Openness, constructive challenge, and willingness to learn from issues should be promoted across the organisation.
You may also find it useful to enshrine your approach to risk in a formal risk management framework.
Other elements include risk identification and assessment, and a risk register to record the information. A risk register is an important way of capturing the main risks you face, and the controls you have in place to help you mitigate them. The risk register also enables you to share this information regularly with your board, and to give you a clear view at any given time of the relative status of your risks and controls.
Risk management framework
Your risk management framework should set out your approach to risk management, including the methods you use to identify, record and manage risks. It should also state how you have culturally embedded risk management as a way of thinking about all aspects of your work. Your board should have oversight of the risk framework and should decide the overall level of risks that the organisation is willing to take – this is referred to as the risk appetite.
Your risk framework should also indicate how risks can be escalated within the organisation, i.e. elevated onto the risk register, regardless of where they are first noticed and who has noticed them. Risk management is a collaborative endeavour and requires the involvement and understanding of all of your staff.
In larger organisations, risk management may also happen at team level as well as corporate level. It’s important that you are clear about your own approach and ensure that the different levels of risk management are coherent and can speak to each other – for instance, an operational-level risk identified within one team may take on more prominence and need to be escalated onto your corporate risk register for a period of time.
When introducing risk management into an organisation, it may be helpful to establish an internal risk management group to assist with risk process development, awareness raising, internal training and ongoing implementation and monitoring. It may also be worth appointing a senior manager as your ‘risk champion’ to ensure that risk management becomes an embedded cultural norm.
Risk identification may occur through general day-to-day recognition of new risks, but it is also a good idea to conduct a regular review. It is usually sufficient to do this exercise internally, but you may also benefit from commissioning an external risk review from time to time (perhaps in relation to individual electoral events).
A workshop involving a diverse range of staff will give you a wider and more comprehensive view of your risks. A good place to start is your corporate strategy, since risks should relate to objectives. Consider what the potential risks to delivering your objectives might be.
It may also be a helpful prompt to consider some common categories of risk, and to use the PESTLE model to consider external risk factors that may have a bearing on your work (see Risk identification tool.pdf).
Risks should relate to objectives – what are you trying to do? What might happen that could get in your way?
You will find that you have some generic risks with the potential to affect all of your objectives – for instance cyber security threats, financial risks, or staff capacity and capability risks. Other risks will relate to a particular objective.
Once you have identified your risks, consider carefully how to state each one. The risk is the potential event leading to an impact, not the impact itself. However, you should also specifically state what the potential impacts would be if the risk occurred. Make sure your risk statements are not simply the opposite of the objective (failure to achieve the objective). You need to state what, precisely, could cause you to fail.
For instance, if your objective is to catch a flight to get to an important conference, your risk statement should not say ‘failure to arrive in time’. A correct statement could say ‘missing my flight makes me late, with the effect that I miss all or part of the conference’. This risk is clearly stated, and can be controlled, for example by ensuring that you set off in plenty of time for the airport.
In the world of political finance regulation, an example of a risk statement might be: ‘We may anger powerful politicians by taking strong enforcement action against them, resulting in accusations that our oversight body is politically biased and should be abolished.’ The control mechanisms could include publishing a clear enforcement policy, having written procedures in place for staff to follow, implementing solid communication and stakeholder engagement strategies.
A useful formula for writing your risk statements is:
There is a risk of X (an event), caused by Y (a causative element), resulting in Z (the impact on your objective).
Risk assessment and scoring
The likelihood and impact of the risk materialising should be considered for each risk. It is also useful to think about the inherent (raw) risk and compare this to the residual risk:
Inherent risk is the exposure arising from a risk before any action has been taken to manage it.
Residual risk is the exposure arising from a risk after effective controls have been put in place to manage it.
It is usual to use a 1-5 scoring system for the likelihood and impact of each risk, where 1 is very low likelihood or impact, and 5 is very high. The two scores are multiplied together to get an overall risk score, which can then be rated as low, medium or high (see Risk scoring matrix.pdf).
Using the example of the risks arising from taking strong enforcement action against powerful politicians, you might rate the likelihood at 4 with the impact of the risk at 3. This would give an overall inherent risk score of 12, which would rank as a high risk.
Scoring risks is not always an exact science – for instance it is easier to make a quantitative judgement about a financial risk, compared to a reputational risk. The quality of the conversations you have about each risk, and the effectiveness of the control measures you put in place, are more important than the score.
Similarly, the score itself is not the end of the story. For each risk you should also consider what level of risk would be acceptable (sometimes called the risk tolerance or risk appetite). This will vary from risk to risk, and will depend partly on what degree of risk your organisation is willing to accept, since risk-taking is sometimes essential when pursuing ambitious outcomes. In the example of taking enforcement action against powerful politicians, one could argue that this risk is inherent in overseeing political finance regulations, and that failing to act because of it would undermine the institution's legitimacy. On that reasoning you would set a comparatively high tolerance for this risk, and judge the residual risk, with the controls described above in place, to be within it.
If your residual risk score exceeds the tolerance you have set for the risk, you will need to consider further controls. It is also worth noting that your residual risk score should never be higher than your inherent risk score, and should be lower wherever you have listed controls, since effective controls reduce the score. If this is not the case, re-examine your inherent and residual scoring and review whether the controls you have listed are actually relevant to the risk.
Risk controls and mitigations
Controls to lessen the likelihood or impact of the risk should be added to your risk register, and each control should have a clear owner who will ensure the relevant actions are taken. There are four main ways of managing risks – known as the four Ts:
- Tolerate the risk – in other words, the organisation can live with this risk, and you will put no measures in place to mitigate it.
- Treat the risk to constrain it to an acceptable level – by taking actions that reduce either the likelihood or the impact.
- Transfer the risk – for example, you may be able to take out insurance against the risk, or move the risk to an external supplier.
- Terminate the activity giving rise to the risk – thus removing the risk completely.
Typically, most controls will be aimed at treating the risk. In our enforcement action scenario, there are a number of controls that could be instituted to reduce the risk. As noted earlier, you could publish an enforcement policy that sets out the criteria used when taking enforcement action. You will certainly want written procedures in place to guide staff in their work, and should require staff members to declare any possible conflicts of interest in matters assigned to them. Good stakeholder engagement will enable you to convey how you work and your commitment to impartial decision-making. And a well-considered communication strategy could help blunt the impact of accusations of bias and counter calls for the institution's abolition.
Once you have identified controls for each risk, these should be reviewed and evaluated regularly for effectiveness – an activity known as risk assurance. Your reviews should consider the status of the controls listed and should include fresh consideration of the residual risk score against the tolerance level you have set for the risk.
You may also have heard the term ‘Three lines of defence’. This refers to the different levels at which risk management activities occur within an organisation:
- First level: management and internal control measures, owned and implemented by management.
- Second level: risk management or oversight functions that ensure effective risk management is in place.
- Third level: internal audit, independent from management, to evaluate how effectively the organisation is managing its risks.
There is also external assurance, which sits outside of the organisation – for instance, external auditors, or independent regulatory or accreditation bodies that provide scrutiny.
These levels of risk management may be useful to bear in mind when you are considering what controls you could put in place to manage each risk.
General Risk Register
Your general risk register should be a living, dynamic document that is regularly reviewed and updated. The design of your risk register is a matter of choice, but it should contain:
- Delineated, well stated risks, and information about the possible causes and impacts of the risk materialising.
- An inherent risk score for each risk, assessing the likelihood and impact of the risk if no controls were in place.
- A list of the controls or mitigations in place for each risk.
- A residual risk score for each risk, assessing the likelihood and impact of the risk with effective controls in place.
- A tolerance score (or risk appetite) for each risk, stating the level of risk the organisation is prepared to tolerate without instituting further controls.
- An owner for each control.
You may also choose to add some management commentary about the current status of each risk, especially when submitting the latest version of your risk register to your board or audit committee for consideration.
A risk should be removed (or marked as closed) once it has passed or the level of risk has decreased to a very low level. Some organisations remove risks as soon as they reach a 'low' score (4 or less); however, if your organisation's risks are volatile, it may be wise to retain low-scoring risks for a period of time in case the score increases again. For an example of a general risk register template, see Example of risk register layout.xlsx.
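As an added illustration, not part of the original guidance or its attached templates, the following Python models a register row under the rules set out in the "Risk assessment and scoring" and "General Risk Register" sections: 1-5 likelihood and impact scores multiplied to an overall score, inherent versus residual scoring, comparison against a per-risk tolerance, the check that residual never exceeds inherent, an owner on every control, and the closure rule. The text fixes only that 4 or less is 'low' and that 12 is 'high'; the medium/high boundary used here (10), the owners, tolerance values and the three sample risks are assumptions constructed for the example, and the attached scoring matrix is not reproduced.

```python
"""Toy risk register applying the scoring rules from this section.

Only the 1-5 scale, '4 or less is low' and '12 is high' come from the text.
The medium/high boundary, owners, tolerances and sample risks are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LOW_MAX = 4    # from the text: 'low' is a score of 4 or less
HIGH_MIN = 10  # ASSUMPTION: where 'medium' ends and 'high' begins


def score(likelihood: int, impact: int) -> int:
    """Overall score is likelihood x impact, each on the 1-5 scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if value not in range(1, 6):
            raise ValueError(f"{name} must be 1-5, got {value!r}")
    return likelihood * impact


def rating(s: int) -> str:
    """Map an overall score onto the low / medium / high bands."""
    if s <= LOW_MAX:
        return "low"
    return "high" if s >= HIGH_MIN else "medium"


@dataclass
class Control:
    description: str
    owner: str  # the register requires a named owner for every control


@dataclass
class Risk:
    event: str                 # X: the event
    cause: str                 # Y: what would cause it
    effect: str                # Z: the impact on the objective
    inherent: Tuple[int, int]  # (likelihood, impact) with no controls
    residual: Tuple[int, int]  # (likelihood, impact) with effective controls
    tolerance: int             # score the organisation will live with
    controls: List[Control] = field(default_factory=list)

    @property
    def statement(self) -> str:
        """The X / Y / Z formula from the text, rendered as one sentence."""
        return (f"There is a risk of {self.event}, caused by {self.cause}, "
                f"resulting in {self.effect}.")

    @property
    def inherent_score(self) -> int:
        return score(*self.inherent)

    @property
    def residual_score(self) -> int:
        return score(*self.residual)

    def within_tolerance(self) -> bool:
        return self.residual_score <= self.tolerance

    def issues(self) -> List[str]:
        """Consistency checks a register review should raise."""
        out: List[str] = []
        if self.residual_score > self.inherent_score:
            out.append("residual score exceeds inherent score: re-examine scoring")
        elif self.controls and self.residual_score == self.inherent_score:
            out.append("controls listed but score unchanged: are they relevant?")
        if not self.controls and self.residual_score < self.inherent_score:
            out.append("residual lower than inherent but no controls listed")
        if not self.within_tolerance():
            out.append(f"residual {self.residual_score} exceeds tolerance "
                       f"{self.tolerance}: further controls needed")
        out.extend(f"control has no owner: {c.description}"
                   for c in self.controls if not c.owner.strip())
        return out

    def closable(self, retain_low: bool = False) -> bool:
        """Eligible to close once 'low', unless volatile risks are being retained."""
        return self.residual_score <= LOW_MAX and not retain_low


def register_summary(risks: List[Risk]) -> List[Dict[str, object]]:
    """One row per risk, highest residual score first, as a board would see it."""
    rows = []
    for r in sorted(risks, key=lambda r: r.residual_score, reverse=True):
        rows.append({"event": r.event,
                     "inherent": r.inherent_score, "residual": r.residual_score,
                     "rating": rating(r.residual_score), "tolerance": r.tolerance,
                     "within_tolerance": r.within_tolerance(),
                     "issues": r.issues()})
    return rows


# Constructed sample register (assumed owners, tolerances and residual scores).
ENFORCEMENT = Risk(
    "angering powerful politicians", "taking strong enforcement action against them",
    "accusations of political bias and calls for the oversight body to be abolished",
    inherent=(4, 3), residual=(3, 2), tolerance=8,
    controls=[Control("Published enforcement policy with decision criteria", "Head of Enforcement"),
              Control("Written procedures and conflict-of-interest declarations", "Head of Legal"),
              Control("Stakeholder engagement and communications strategy", "Head of Communications")])
FILING_SERVER = Risk(
    "the electronic filing server going down", "hardware failure at a filing deadline",
    "candidates being unable to file reports on time",
    inherent=(3, 4), residual=(2, 4), tolerance=6,
    controls=[Control("Back-up server with tested failover", "IT Manager")])
MISSED_BREACH = Risk(
    "failing to identify a breach when reviewing a campaign finance report",
    "reviewer error", "a breach going unsanctioned",
    inherent=(3, 3), residual=(1, 3), tolerance=4,
    controls=[Control("Secondary review of every report", "Head of Compliance")])
SAMPLE_REGISTER = [ENFORCEMENT, FILING_SERVER, MISSED_BREACH]

if __name__ == "__main__":
    for row in register_summary(SAMPLE_REGISTER):
        print(row)
```

Running the block prints the register sorted by residual score: the enforcement risk scores 12 (high) inherently and 6 (medium) residually, within its tolerance of 8; the filing server risk's residual of 8 exceeds its tolerance of 6 and is flagged for further controls; and the missed-breach risk has fallen to 3, so `closable()` reports it as eligible to close unless `retain_low=True` is passed because the organisation's risks are volatile.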