This chapter critically reviews the existing literature on risk governance and related frameworks in the private and public sectors. It presents various views and perspectives on risk governance definitions and frameworks, culminating in the development of a maturity model for risk governance in public investment projects. It concludes with a summary of the main issues and research gaps identified in the literature and the emerging research questions that will guide the present study.
Risk has always existed in society; however, its growing complexity has led to the evolution of risk management strategies to control its effects. The capacity to understand how risk develops and to manage it is a critical ingredient for the success of organisations and of society. In recent years, the government’s role and efforts in risk regulation and management have intensified. Public sector organisations manage and control risks at multiple integrated levels through policy, legislation, regulatory tools/regimes, feedback loops, and rules (van Asselt & Renn 2011). The different levels represent dynamic subsystems in the public sector that provide interfaces for interaction between public and state actors. Therefore, effective management of risks relies on the interactions, learning processes, and communication among the various stakeholders acting at the federal or local level.
Risk can be difficult to frame in definitive terms. Its definition is marked by a diversity of perspectives and principles for its detection, evaluation, and management (van Asselt & Renn 2011). In spite of the diverse definitions, risk remains a key consideration in private and public sector projects. van Asselt and Renn (2011) distinguish between simple and systemic risk. While simple risks have clear causes or effects and involve minimal levels of uncertainty, systemic risks are complex and shrouded in uncertainty/ambiguity. In fact, one of the most frequently used definitions of risk is the one given by the International Organisation for Standardisation, i.e., risk is “the effect of uncertainty on objectives” (ISO 2015, p. 13). Uncertainty is therefore a key component of risk, and uncertainty often results from complexity. The complex social issues and multiplicity of stakeholders in the public sector context increase uncertainty. The concept of uncertainty means that a risk does not conform to the known principles of causation. Firm-specific uncertainties may be related to R&D, employee/managerial behaviour (strikes), or operations – labour and input supply (Hopkin 2012). In the public sector, uncertainty may come from state policies related to expropriation and nationalisation as well as conflicting stakeholder values and interests. Social and economic policies can also increase uncertainty and risk levels in a country.
The introduction of the concept of risk governance in organisations was meant to support structures for predicting and managing systemic risks that are characterised by high-level complexity, ambiguity, and uncertainty. In the private and public sectors, a myriad of regulatory, social, and organisational pressures influence risks. Risk governance frameworks give a blueprint for how to identify, assess, and manage risks in order to realise organisational objectives. This literature review synthesises the existing risk governance frameworks in a bid to develop a maturity model applicable to public sector organisations or projects. It begins with a review of risk governance definitions, followed by a descriptive analysis of various frameworks and the development of a maturity model. A summative assessment of the main issues and research gaps identified in the literature is provided in the summary section.
Risk and Uncertainty
Theorists have attempted to define risk and to develop working models for risk management since the 1950s (Prpic, 2016). Economist Frank Knight, the founder of the Chicago School, is often credited with this effort (Besner & Hobbs, 2012).
However, defining risk and what it really entails has been a challenging task. For example, Holton (2010) points out that risk theorists such as Knight and Markowitz have not provided a clear definition of risk, and this ambiguity has persisted since the 1950s. Besner and Hobbs (2012), for example, point out that Knight considered risk to be an event whose impact can be quantified and measured, whereas uncertainty itself is the source of the risk, reflecting an objective interpretation of risk. On the other hand, Holton (2010) argues that Markowitz focused on the subjective aspect of interpreting risk by basing it on the judgement of decision makers in assessing the likelihood of risk and the resulting variation in expected outcomes.
Alternatively, Sciotte and Bougault (2008) define risk as an identifiable event with negative consequences, while Hubbard (2009) defines it as the chance of an unfortunate event multiplied by the cost that results if such an event occurs. Hubbard’s definition effectively equates risk with the expected loss arising from an event, but it is clearly focused on the financial cost of the outcomes that arise if the risk materialises.
Risk may also be defined as the chance of occurrence of an uncertain event whose associated outcomes could be either positive or negative (Reding, 2013). Traditionally, risk was limited to negative outcomes, whereas positive outcomes or opportunities were not treated within the context of risk management (Ward & Chapman, 2013).
Although risk assessment is often biased toward negative outcomes, the fact is that events with negative outcomes can impose a loss on a project, and events with positive outcomes, if missed, can also result in lost opportunities (Wieczorek-Kosmala, 2014). Additionally, the perception and measurement of risk is often based on perceptions and some degree of judgement, which makes it subjective, but it may also be quantified in objective ways (Simona-Iulia, 2014).
Dealing with risk is inevitable in any project, regardless of its size, and any attempt to manage risks requires understanding how risks are perceived and measured before they can be controlled or mitigated (Aaron, Clemons & Reddi, 2005). Hence, regardless of the context, nature, or size of a project, risk management is a process that involves the identification, assessment, evaluation, and mitigation and/or prevention of risks (Mazareanu, 2011).
Moreover, although it is not unusual for certain risks to receive more attention than others, it is generally agreed that risk management should be based on a holistic approach: a complex approach that involves understanding the interrelatedness between risks and their various impacts. So far, however, the majority of approaches have focused on identifying risks separately and addressing their outcomes individually (Wu & Seco, 2009).
Governance and Risk Governance Definitions
The Standards of the IIA define governance as “the combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organisation toward the achievement of its objectives” (IIA, 2011).
The OECD has introduced another definition: “Corporate governance involves a set of relationships between a company’s management, its board, its shareholders. Corporate governance provides the structure through which the objectives of the company are set and the means of attaining those objectives and monitoring performances are determined.” (OECD, 2004). OCEG, in turn, defines governance as follows: “Governance is the culture, values, mission, structure and layers of policies, processes and measures by which organisations are directed and controlled. Governance, in this context, includes but is not limited to the activities of the board, for governance bodies at various levels throughout the organisation also play a critical role. The tone that is set, followed and communicated at the top is critical to success.”
A risk, in general terms, connotes the uncertain or unexpected ‘adverse’ outcome of a situation or activity. The scholarly literature on risk governance explains the processes and frameworks for managing risks based on diverse definitions of risk governance. Klinke and Renn (2012) define risk governance as a comprehensive risk-handling process for addressing the “complexity, uncertainty, and ambiguity” aspects of a risk (p. 274). It entails an evaluation of the totality of regulations, processes, and systems involved in risk data collection, analysis, and risk-based decision-making. Therefore, it extends beyond traditional risk analysis to include normative principles on how public and private actors can manage risks.
Renn, Klinke, and van Asselt’s (2011) definition of risk governance follows a technocratic approach. They define it as the organisational structure and policymaking process that guide or control the regulation or mitigation of risks at the group, societal, national, or global level (Renn, Klinke & van Asselt 2011). This definition is based on the shift from centralised decision-making to the multi-level public administration that characterises modern governments. In another article, van Asselt and Renn (2011), extending the International Risk Governance Council’s [IRGC] definition, describe risk governance as the application of the core principles/concepts of governance in risk-based decision-making, extending beyond formal processes (probabilistic and regulatory models) to include informal ones. The definition is informed by the inadequacies of risk probability models in managing public risks. It includes formal and informal systems for dealing with complex, uncertain, and ambiguous risks. In this article, the concept of governance primarily relates to policy development by government actors. However, since various stakeholders are involved in the management of society, including nongovernmental organisations and the private sector, the definition has been expanded to include a diversity of actors/roles.
The phrase risk governance is used in both a prescriptive and a descriptive context. Decisions about risks involve diverse players, regulations, political systems, and organisational structures – aspects pertaining to governance. Risk decisions are the outcome of the interaction between many players. From a governance perspective, the societal factors that precipitate outcomes characterised as risks need to be analysed for effective mitigation. For Flemig, Osborne, and Kinder (2015), risk governance is both a normative and a prescriptive process. They define it as a hybrid of “an analytical frame and a normative model” that guides risk decisions (Flemig, Osborne & Kinder 2015, p. 16). This decision-based risk governance differs from the technocratic approach in the sense that it assigns the decision-making role entirely to politicians.
Brown and Osborne’s (2013) definition of risk governance follows a different approach. They define risk governance as transparent engagement with the “nature, perceptions, and contested benefits of a risk” in complex situations (Brown & Osborne 2013, p. 199). This means that all relevant stakeholders in the public service are involved in the decision-making process. This transparent approach has been adopted in the modern public sector to enhance accountability. In addition to an inclusive decision-making process, the risk environment is characterised by regulations and best practices that enhance accountability in the public sector. Therefore, Brown and Osborne’s (2013) definition fits within the transparent risk management approach adopted in democratic systems.
Clearly, an appropriate conceptualisation of risk governance should encompass a global view of the risks that emerge in public investment projects. It should go beyond the traditional concepts of risk management or analysis to include the decision-making processes related to a particular project. In this regard, Brown and Osborne’s (2013) definition fits well within this description, as it points to decision-making processes in a complex environment, such as the public sector. From a descriptive perspective, an appropriate definition must capture the totality of stakeholders, standards, procedures, and processes involved in making risk decisions. Considering that risk governance goes beyond the simple descriptive management of public risks, a satisfactory definition should include the normative elements or rules on how to manage risks in the public sector. It should involve all actors working in a transparent decision-making process. The definition adopted for this paper is that of Brown and Osborne (2013), who define risk governance as genuine engagement with the “nature, perceptions, and contested benefits of a risk” in complex situations (p. 199). The authors point out that this definition fits well with the characteristics of public sector risks, i.e., complexity, ambiguity, and uncertainty.
Risk Governance Frameworks
Various epistemological premises and ideas contributed to the development of risk governance as a concept. The positivistic/realist view relies on the assumption that a risk is assessed against some ‘real’ standard, whereas the social constructivist approach considers risk a “social process” rather than a distinct entity (Renn 2011, p. 71). These ideas helped advance the principles and frameworks for managing contemporary risks. The conceptual use of the term ‘risk governance’ emerged in recent literature exploring policy development in the public/private sectors (van Asselt & Renn 2011). It is used within the context of public/private governance or development, which has its roots in the field of political science. In this context, ‘governance’ stresses the role of non-state actors in the management and organisation of societal issues (van Asselt & Renn 2011). This approach challenges the classical policy perspectives that followed a hierarchical power model centred on the government.
In the governance view, collectively binding decisions are produced in “complex multi-actor networks and processes” (Jonsson 2011, p. 126). This means that multiple social actors are involved in governance. Besides the state, the other social actors include nongovernmental organisations, private institutions, expert groups, etc. In this regard, the power/capacity to organise and manage society is shared among the different actors. Governance can be considered both a descriptive and a prescriptive term. The descriptive sense of governance relates to the complex interplay between various social actors, structures, and processes (Jonsson 2011). In contrast, the prescriptive definition relates to the model/framework for the management of societal issues. The normative use of governance emphasises transparency, involvement, and accountability.
The normative-descriptive distinction also applies to risk governance. The word ‘governance’ is used in “a normative and descriptive sense” (van Asselt & Renn 2011). The argument here is that while the regulation/management of simple or systemic risk problems follows the governance framework, risk decisions emanate from interactions between stakeholder groups. The ‘governance’ view gives a framework for examining and describing the factors that precipitate risks. However, the unpredictable nature of risks calls for multi-stakeholder collaboration to address and manage them adequately. In collaborative frameworks, new risk management principles and approaches are proposed in line with the prescriptive/normative perspective (Renn 2011). Therefore, risk governance is a blend of an analytical framework and prescriptive exemplars.
The usage of the term ‘risk governance’ has its roots in the lessons learnt from the TRUSTNET undertaking, which developed a model that included collaborative processes in decision-making (Renn 2011). TRUSTNET was a European Union interdisciplinary network established to develop the criteria for determining best practices in the governance of hazards. It comprised 80 experts drawn from regulatory agencies in industrial and medical fields across Europe. The network developed the concept of risk governance and the first model. Later, this notion was used in the literature as an alternative paradigm to the traditional concepts of risk analysis and management, advocating multi-stakeholder roles, processes, and systems (van Asselt & Renn 2011). However, risk governance was originally used to mean an all-encompassing system of “risk identification, assessment, management, and communication” (van Asselt & Renn 2011, p. 433). This view is consistent with the IRGC’s definition of the notion of risk governance. The IRGC (2015) incorporates the governance principles of “transparency, effectiveness, accountability, equity, and fairness” into its definition of the governance framework (p. 12). The aim is to create effective collective actions to mitigate the effects of emerging risks.
The purpose of sound risk governance is to reduce the unequal distribution of risk between different public/private institutions or social groups through multi-actor processes. A risk governance practice also creates consistent and uniform approaches to the assessment and management of similar risks (Renn 2011). Unlike the traditional approach of risk analysis, which focused on high-profile risks, risk governance gives adequate consideration to high-probability risks irrespective of their profiles. It also involves risk trade-offs through effective regulations and policies. The approach also takes public perceptions into account, resulting in high public trust in the system.
Brown and Osborne’s (2013) Framework
Risk governance frameworks provide an approach for the analysis and management of risks within the public service or the private sector. Brown and Osborne (2013) suggest a risk governance model for managing risks related to innovation in the public sector. The framework links three management approaches and three innovation types (Figure 1). The first type is evolutionary innovation, whereby institutions utilise new “skills or capacities” to meet specific user needs (Bernado 2016, p. 14). The second type is expansionary innovation, whereby the current skills/capabilities are used to meet expanding user needs. The last one is total innovation, in which new capabilities/skills are developed to address new user needs (Brown & Osborne 2013). The authors offer three risk governance approaches, namely technocratic, decisionistic, and transparent methodologies. The technocratic model is only applicable to evolutionary innovation. In contrast, the decisionistic model provides a framework for evolutionary and expansionary innovation. The transparent risk governance model can accommodate all three types of innovation.
Figure 1: Risk Governance Framework for Public Service Innovation
| Type of innovation | Technocratic (risk minimisation) | Decisionistic (risk analysis) | Transparent governance (risk negotiation) |
|---|---|---|---|
| Evolutionary innovation | applicable | applicable | applicable |
| Expansionary innovation | not applicable | applicable | applicable |
| Total innovation | not applicable | not applicable | applicable |
The IRGC’s Framework
Another risk governance framework is the IRGC’s model, which consists of five related phases: pre-assessment, appraisal, characterisation and evaluation, management, and communication (Figure 2).
The model separates risk analysis from the understanding of risks. Risk appraisal is essential to understanding the nature of risks, whereas the implementation of risk decisions requires risk management. The framework begins with pre-assessment, whereby the risk is defined to facilitate its appraisal. The pre-assessment phase involves a set of questions that give the baseline data for risk assessment and mitigation. More importantly, it reveals the factors that precipitate the risk and the associated opportunities (Bernado 2016). It also brings out the risk indicators and patterns that help inform the risk management approach. The governance shortfalls that occur during this phase include failure to detect risk signals, to perceive their scope, and to frame the risk appropriately.
The risk appraisal phase is where facts and assumptions are developed to determine whether a situation portends a risk and how it should be handled. The appraisal involves scientific approaches, including estimating the probability of occurrence, and risk-benefit analysis based on stakeholder concerns (Bernado 2016). The process ensures that policymakers consider stakeholder concerns and interests when making decisions. The next phase – characterisation and evaluation – involves the consideration of societal values in decisions related to the acceptability or tolerability of the risk. At this stage, risk mitigation measures are identified for risks considered acceptable or tolerable (van Asselt & Renn 2011). However, if the risk is intolerable, the initiative is halted. Failure to address inclusivity, transparency, societal values/needs, and timeframes precipitates risk governance problems.
The fourth phase is risk management. It entails the development and adoption of strategies or activities that help mitigate, avoid, or tolerate the identified risk. In this stage, multiple options are developed and the best one is selected for implementation. The risk management process entails the “generation, evaluation, and selection” of the best risk mitigation strategy (van Asselt & Renn 2011, p. 445). It also entails evaluating the potential impacts of the selected risk mitigation option. The final phase of the IRGC framework is the communication of the risk management decision. Effective communication helps create awareness among stakeholders. It also enables them to understand their role in risk governance (van Asselt & Renn 2011). The communication should inform the stakeholders/actors about their specific roles in managing the risk.
The IRGC’s framework has been adopted across multiple industries. In this model, an iterative process of communication cuts across the four phases. The IRGC framework is criticised for being one-dimensional. The model depicts risk governance as an additive process with distinct phases. However, researchers argue that the process is rather iterative, with steps like risk assessment and management not clearly delineated (Flemig, Osborne & Kinder 2015). Moreover, since various actors interact and influence each other, risk governance cannot follow a logical sequence.
In the IRGC framework, risk communication remains the unifying factor of the five phases of the model. The IRGC expanded the new framework by introducing deliberation and engagement, suggesting a bipartisan process between the actors. Another significant aspect of the revised model is the emphasis on institutional capacity and resources. The organisational resources/capacities considered in the new model include finances, social capital, human resources, and technological capabilities (Flemig, Osborne & Kinder 2015). It also includes the consideration of the actor network, political and regulatory culture, and the social climate.
The Modified IRGC Framework
Renn, Klinke, and van Asselt (2011) propose a modified IRGC framework that includes the normative and descriptive aspects of risk governance. The proposed model comprises five stages, i.e., “pre-estimation, interdisciplinary risk estimation, risk characterisation, risk evaluation, and risk management” (p. 237). The modified framework is illustrated in Figure 3 below. The pre-estimation stage involves the screening of multiple problems as possible risks. It entails an exploration of societal/community and political agencies and the public to identify factors ‘framed’ as risks. The screening also explores culturally constructed risk candidates. Therefore, the pre-estimation stage is a multi-stakeholder process that brings together government agencies, industry actors, consumers, and various interest groups.
The second stage, risk estimation, entails the scientific evaluation of risks through risk assessment and concern (societal issues) assessment (Renn 2011). Various criteria can be used in risk estimation; examples include probability of occurrence, extent of damage, ubiquity, reversibility, etc. The third step, risk evaluation, involves the quantification of the societal effects of a risk and its probability of occurrence. The risk profiles are evaluated based on their level of acceptability (Renn 2011). Low-risk situations or activities are considered highly acceptable. Risk management is applied to risks considered tolerable. It entails a suite of mitigation measures to reduce the adverse consequences of a risk. Risk communication/participation entails educating the public through interactions that disseminate information related to the risks (Renn 2011). The aim is to build trust relationships in risk management through multi-actor inclusion.
The cyclic process of risk governance occurs in a logical sequence of five phases: pre-assessment, appraisal, characterisation and evaluation, risk management, and communication (Roeser et al. 2012). The individual phases and their specific components are described below.
The pre-assessment phase is the screening stage of the risk governance process. Here, the actors consider diverse issues related to a specific risk. In addition, the different stakeholders review the risk indicators and practices at this stage. The main components of the pre-assessment phase include “problem framing, early warning, pre-screening, and the determination of scientific conventions” (Roeser et al. 2012, p. 51). The purpose of risk framing is to explore the multi-actor perspectives and establish a common understanding of the risk issues. Based on an agreed risk frame, the signals or indicators of the risk/problem can be monitored.
Early warning helps identify indicators that confirm the existence of a risk. It entails an exploration of institutional capabilities for monitoring the early warning signs of a risk within an organisation (Rossignol, Delvenne & Turcanu 2015). Pre-screening encompasses the preliminary analysis of risk candidates and their prioritisation based on probabilistic models. It also entails identifying the appropriate evaluation and management route for each risk candidate. This is followed by a determination of the main “assumptions, conventions, and procedural rules” required for the assessment of the risk (Rossignol, Delvenne & Turcanu 2015, p. 137). Stakeholder emotions related to the risk issues are also considered in this step.
Risk Appraisal Phase
The purpose of risk appraisal is to create societal standards or scientific thresholds for a risk. It also gives a knowledge base for identifying an appropriate risk mitigation or containment approach. Its main components are risk assessment and concern assessment (Roeser et al. 2012). Risk assessment identifies the cause-effect relationship of a risk as well as its probability of occurring. It may involve risk identification and evaluation to estimate its severity. The objective of concern assessment is to explore the stakeholders’ anxieties and fears related to the risk (Roeser et al. 2012). It also illuminates the socioeconomic impacts of a risk based on stakeholder perceptions.
Risk Characterisation and Evaluation Phase
This phase involves estimating how acceptable or tolerable a risk is to the stakeholders. Therefore, the two components of this phase are risk acceptability and tolerability. A risk problem considered acceptable has lower adverse impacts on health/environment than a highly unacceptable one (Karlsson, Gilek & Udovyk 2011). This means that the risk does not require mitigation efforts. On the other hand, a tolerable risk has significant trade-offs between benefits and adverse effects. As a result, specific mitigation measures are adopted to reduce the negative effects. Characterisation helps generate an evidence base from the outcome of the risk appraisal phase. In contrast, evaluation involves a consideration of extraneous factors relevant to the risk.
Risk Management Phase
The risk management phase involves the development and application of mitigation actions geared towards averting, diminishing, or retaining risks. It proceeds through a six-step process that culminates in an optimal option for risk management. The first component involves the formulation of an array of options for addressing the risk (Roeser et al. 2012). This initial step relies on the acceptability-reliability considerations relevant to the specific risk. The next step involves the evaluation of the options against specified criteria, e.g., sustainability or cost-effectiveness (Karlsson, Gilek & Udovyk 2011). Thirdly, a value judgement based on the weights assigned to each criterion is applied to the options. Subsequently, the best option(s) is chosen for further consideration in the fourth step. The fourth and fifth steps cover the execution of the best risk management strategy and the monitoring and evaluation of its impact on the reversibility of the risk.
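The option-generation, criteria-scoring, weighting and selection steps described above can be made concrete with a small weighted multi-criteria scoring routine. The following is an added illustration, not code from the chapter or from any of the cited frameworks: the criteria (cost-effectiveness, sustainability, reversibility), their weights, the three options and all scores are constructed sample values, and the second weight set is included only to show how the value judgement embodied in the weights changes which option is selected.

```python
"""Weighted multi-criteria selection of a risk management option.

Added illustration (not from the chapter or any cited framework). Each
option is scored 0..10 against every criterion; the decision-makers'
value judgement enters as the weight assigned to each criterion; the
weighted sum ranks the options and the top one(s) go forward to
execution and monitoring. Criteria, weights, options and scores below
are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Option:
    name: str
    scores: dict  # criterion name -> score on a 0..10 scale (constructed)


# Constructed weight sets: weights must be non-negative and sum to 1.
BALANCED_WEIGHTS = {"cost_effectiveness": 0.40, "sustainability": 0.35, "reversibility": 0.25}
COST_HEAVY_WEIGHTS = {"cost_effectiveness": 0.70, "sustainability": 0.20, "reversibility": 0.10}

# Constructed candidate options for one hypothetical risk.
SAMPLE_OPTIONS = [
    Option("avoid", {"cost_effectiveness": 3, "sustainability": 8, "reversibility": 9}),
    Option("mitigate", {"cost_effectiveness": 7, "sustainability": 7, "reversibility": 6}),
    Option("retain", {"cost_effectiveness": 9, "sustainability": 3, "reversibility": 2}),
]


def validate_weights(weights, tol=1e-9):
    """Reject weight sets that are negative or do not sum to 1."""
    if any(w < 0 for w in weights.values()):
        raise ValueError("criterion weights must be non-negative")
    if abs(sum(weights.values()) - 1.0) > tol:
        raise ValueError("criterion weights must sum to 1")


def weighted_score(option, weights):
    """Step 3: apply the weight-based value judgement to one option."""
    validate_weights(weights)
    missing = set(weights) - set(option.scores)
    if missing:
        raise KeyError(f"{option.name} has no score for {sorted(missing)}")
    for criterion, score in option.scores.items():
        if not 0 <= score <= 10:
            raise ValueError(f"{option.name}: score for {criterion} outside 0..10")
    return sum(weights[c] * option.scores[c] for c in weights)


def rank_options(options, weights):
    """Step 2+3: evaluate every option and order them, best first."""
    ranked = [(weighted_score(o, weights), o.name) for o in options]
    return sorted(ranked, key=lambda pair: pair[0], reverse=True)


def select_best(options, weights, n=1):
    """Step 4: choose the best option(s) for execution and monitoring."""
    return [name for _, name in rank_options(options, weights)[:n]]


def sensitivity(options, weight_sets):
    """Show which option wins under each weight set (value judgement)."""
    return {label: select_best(options, w)[0] for label, w in weight_sets.items()}


if __name__ == "__main__":
    for score, name in rank_options(SAMPLE_OPTIONS, BALANCED_WEIGHTS):
        print(f"{name:10s} {score:5.2f}")
    print(sensitivity(SAMPLE_OPTIONS, {"balanced": BALANCED_WEIGHTS,
                                       "cost_heavy": COST_HEAVY_WEIGHTS}))
```

Under the balanced weights the "mitigate" option ranks first (6.75), while the cost-heavy weights move "retain" to the top (7.10); the point of the `sensitivity` helper is that the weights, not the raw scores, carry the value judgement the text describes, so they should be agreed and recorded before the options are scored.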
Risk Communication
Risk communication is an ongoing activity throughout the risk governance process. Its aim is to enlighten non-participating stakeholders regarding the risk decisions emanating from the preceding phases (Roeser et al. 2012). Additionally, risk communication helps support informed choices by stakeholders based on the consideration of societal/individual interests, fears, values, and resources (Roeser et al. 2012). As a result, conflicting perspectives are managed to arrive at a consensus risk management strategy for the institution. Effective communication is also required between policymakers and experts/assessors to avoid bottlenecks related to communication lapses.
The OCC’s Risk Governance Framework
Another existing framework is the one proposed by the Office of the Comptroller of the Currency [OCC] for risk governance in the financial industry (Figure 4). This model is intended to help the board/management of banks establish an institutional risk culture, promote compliance with the risk appetite, and create a risk management system for the identification, measurement, and control of risks (IFC 2012). The OCC’s framework comprises three additive elements – risk culture, risk appetite, and risk management system. It takes into consideration the various risk categories common in the financial sector; examples include interest rate and price risk, which portend a significant risk to an institution’s financial performance.
Banks use different risk governance models depending on the nature of their operations and corporate strategies. In banks, the board/management oversees the formulation, execution, and evaluation of a risk governance model through independent assessments. Subsequently, based on the outcomes of the assessment, some or all of the elements of the model are reviewed to enhance its efficacy. In this structure, the institution’s senior management performs the role of maintaining the framework and managing factors related to the defined risk appetite (Polk 2014). It also regularly informs the board about the institution’s risk profile and potential risks. The specific components of this framework are described below.
Risk Culture
In the OCC’s framework, risk culture covers the institutional “values, attitudes, competencies, and behaviours” that define the bank’s risk governance practices and decisions (Polk 2014, p. 14). It is, therefore, a subset of the organisational culture. The board plays a critical role in creating a sound risk culture through enhanced risk awareness and communication of the acceptable risk levels to the staff. This ensures that employees make decisions that conform to the defined risk appetite or acceptable risk thresholds. Besides the board, the bank’s senior management promotes a positive risk culture through staff incentives and sanctions for unacceptable behaviour (Polk 2014). The management is required to identify and address risk-taking behaviour or actions that go beyond the defined thresholds.
Risk Appetite
In the OCC's framework, risk appetite is an essential element of sound risk governance. It is the "aggregate level and types of risk" that the board and senior management are willing to assume in pursuit of the institution's strategic objectives (Polk 2014, p. 13). A bank's risk appetite must not exceed what its capital and liquidity position can absorb. Setting the risk appetite involves concerted effort from the board, senior management, supervisors, and front-line staff, and executing it requires effective interaction among the stakeholders in the risk management system. The risk appetite should be communicated throughout the institution so that risk decisions are aligned with the acceptable thresholds, and the risk management and front-line units should track, evaluate, and report risks against the risk appetite policy.
Risk Management System
The third component of the OCC framework is the risk management system, which encompasses the policies, processes, and staff involved in identifying, measuring, tracking, and managing risks (Polk 2014). The design of a bank's risk management system depends on the economic conditions in which it operates and on the complexity of its organisational structure. The system is organised as three lines of defence. The first line consists of "the frontline units or business units that create risk" (p. 46); as the primary risk takers, they must operate within the approved risk appetite thresholds. The second line is the internal risk management (IRM) unit, which oversees the risk-taking of the frontline units, identifies, measures, and tracks emerging risks, and participates in the bank's risk decision-making (IIA 2013). Ordinarily, the IRM includes the credit officer and/or the credit review manager. The third line is the audit unit, which provides independent validation that the internal controls relied on by the first two lines are operating effectively and that risk governance within the institution is sound.
The International Finance Corporation (2012) extends the OCC risk governance framework by adding the concept of conflict of interest. Eliminating potential conflict-of-interest situations is essential for effective risk governance in the financial sector (IFC 2012); this entails separation of duties, independent management of activities, and adequate revenue control systems in the bank. Effective communication is also required in staff education, deliberations, and the reporting of risks in financial institutions.
IPCC Risk Governance Model
The Intergovernmental Panel on Climate Change [IPCC] (2012) developed a model for managing risks related to natural disasters. The model has two key components: methods for reducing risk and methods for managing the residual risk from environmental hazards. Risk reduction focuses on minimising vulnerability, hazards, and exposure (IPCC 2012). It also entails sharing or transferring risk through mutual or reserve funds, financial insurance, and social capital.
In the public sector, risk vulnerability is reduced through society-level actions such as access to essential services, improvement in community security, and increased participation in decision-making. On the other hand, the reduction of the exposure levels to natural risks can be achieved through land use planning, incentive mechanisms, and ecosystem management, among others (IPCC 2012). The risk reduction phase of the IPCC framework also entails pooling or transferring of risks. This requires interventions like reserve funds, insurance cover, and social networks.
The second phase of the framework comprises the management of residual risks and uncertainties. Natural-hazard risks are managed through effective preparation and response and by enhancing the capacity to deal with surprises (Hooper 2014). In this regard, a government can manage residual risks by implementing early warning systems, post-disaster support, flexible decision-making systems, and adaptive learning, among others. The IPCC model is illustrated in Figure 5 below.
Risk-enabled performance management (REPM) Framework
Private sector organisations are shifting to a performance-based approach to the management of risks. Risk-enabled performance management (REPM) focuses on value creation by supporting robust decision-making and the identification of business opportunities while minimising uncertainties or risks (Palermo 2011). Using the REPM framework (Figure 6), organisations can therefore achieve risk-enabled performance rather than simply identifying and measuring risks, obtaining additional value from risk management initiatives that would not be possible if the focus were on risk avoidance or minimisation alone. In the REPM framework, multiple business processes and components interact to create value for the organisation. Its main components are strategic oversight/planning, business-level planning, operational execution, and monitoring and compliance.
Strategic Oversight and Planning
This component covers the board- and senior-management-level activities that trigger the development of a risk-enabled organisation. The strategic oversight function entails establishing the risk governance "structure, roles, and responsibilities" of each individual in the organisation (Palermo 2011, p. 9), a role carried out through delegation and performance evaluation. It is also incumbent on the executive leadership to specify the appropriate risk appetite for the organisation, so that capital allocation and investment decisions can be aligned with the acceptable risk thresholds. The oversight role further entails identifying emerging risks and managing performance to realise the value of the risks taken.
Business-level Planning
This component encompasses the conversion of business strategies into plans and budgets. The organisation can use planning tools to analyse the "types and levels" of each risk inherent in a given investment (Palermo 2014, p. 328), creating a basis for risk-based investment and budgeting.
Operational Execution
This step covers the implementation of the plans produced in the previous stage. Operational reviews should consider the identified risk limits and appetite when evaluating performance (Palermo 2014); the risk tolerances indicate how well the firm's operations are aligned with the established risk appetite. Another dimension of operational execution is the re-evaluation of risks linked to operational activities, with the aim of minimising 'surprises', that is, uncontrolled events in organisational operations.
Monitoring and Compliance
This phase entails audit and compliance measures. It involves the alignment of the “monitoring processes with the risk profile” to detect redundancies and inadequacies in the monitoring function (Palermo 2014, p. 331). An in-depth evaluation of the risk profile and the deployed monitoring measures can reveal issues or problems that could precipitate costly risks. Thus, the approach reduces costs and improves the efficacy of risk surveillance. The REPM framework was shown to give a clear risk profile of a power plant and facilitate more efficient budgeting for risk mitigation programs.
Enterprise Risk Management Framework
The enterprise risk management (ERM) framework supports the effective management of uncertainty in organisations. It provides a comprehensive model for identifying, measuring, prioritising, and managing risks that threaten business activities or operations (PWC 2015). The framework develops a portfolio view of risks based on operations at all levels of the organisation, including the enterprise, division/subsidiary, and business-process levels: senior management first explores the interrelationships among risks and then builds the portfolio view from the business-unit and entity levels (PWC 2015). The ERM framework comprises eight interrelated components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring (PWC 2015).
Internal Environment
A focus on the internal environment creates a risk management philosophy and an increased recognition that both anticipated and unanticipated events may happen (Karim 2011). It also helps define the organisational risk culture and the actions that affect it.
Objective Setting
The formulation of business objectives should include a risk strategy. Such an approach establishes the organisation's risk appetite, i.e., the board- and management-level view of acceptable risk levels, and through objective setting management can align risk tolerance with the established appetite.
Event Identification
The event identification step distinguishes risks from opportunities: events that impede the attainment of business objectives are risks, while those with a positive effect constitute opportunities for strategic action (PWC 2015). Event identification is critical at each decision level, when implementing process or system changes, and for new projects. The initial identification exercise establishes a risk profile for the organisation; further risks are added to the profile as event identification becomes part of the organisational culture.
Risk identification entails the identification of the incidents, whether internal or external, which could impede strategy. It also addresses the internal and external factors that affect an organisation’s risk profile. The risks are grouped based on their sources for easier root cause analysis and assignment of mitigation responses (Ng 2015). The major sources of risk include political influences, decision-making, human capital, natural events, and regulatory issues. The other sources of risk may be fraud, supplier factors, technology, and competitive pressures.
Risk Assessment
The assessment of the identified risks is the next component of the ERM framework. It allows management to formulate appropriate risk responses based on the likelihood of occurrence and the anticipated impact of each risk, using a risk rating scale (Ng 2015). The likelihood rating ranges from almost certain to unlikely to occur, while the impact rating captures the consequences of each risk, including financial cost, missed operational milestones, regulatory breaches, failure to meet strategic objectives, and managerial turnover. A risk map is constructed from the results of the assessment.
Risk assessment gives a comprehensive picture of how potential risks may influence objectives. Therefore, the assessment focuses on the likelihood and impact and involves both qualitative and quantitative techniques. The risk is measured on an “inherent and residual basis”, taking into account the predefined time and objective horizons (Ng 2015, p. 14). The aim is to inform future actions or risk responses.
Risk Response
In this step, the entity identifies and develops responses to each identified risk, considering multiple options based on its "risk appetite, cost-benefit analysis of the risk, and the degree to which a response will reduce the risk impact or likelihood" (Domokos et al. 2015, p. 8). After analysing the suite of risk/response options, the organisation selects and implements the optimal response. Inherent and residual risk are both measured during execution of the response to confirm that the desired risk level is reached: inherent risk is the exposure before any control or response is applied, and residual risk is the exposure that remains after the response has taken effect.
The response options comprise the portfolio of management actions aimed at controlling or preventing the risk. Management can choose to mitigate, exploit, accept, transfer, or avoid a risk. Risk mitigation encompasses actions taken to reduce the likelihood of occurrence or the impact of a particular risk (PWC 2015); mitigation activities may include budget controls, forecasts, enhanced accountability, staff motivation programmes, and building appropriate skill sets (Andreeva, Ansell & Harrison 2014). Risk exploitation allows an entity to leverage the opportunities presented in order to grow, through activities such as strategic alliances, business portfolio expansion, innovative product development, and organisational restructuring.
Management can also choose to accept the risk's impact and probability of occurrence. Risk transfer involves activities that shift the loss or impact to other parties; it can be achieved through outsourcing, insurance coverage, and hedging (Andreeva, Ansell & Harrison 2014). Risk avoidance involves activities that remove exposure to the hazard altogether, such as ceasing operations, divestiture, or reducing the scale of operations.
Control Activities
This step involves the ongoing tracking and review of the risk profile and the responses to it (Mathews & Kompas 2015). The aims are to ensure that risks are managed as planned, to determine whether the responses being executed remain relevant, and to track the effect of the activities on the risk profile. Control activities can also inform new response plans for emerging risks. Risk monitoring draws on diverse review, assurance, and audit methods; assurance techniques include post-implementation reviews, performance appraisals, and quality reviews, among others.
The measurement of a response option should involve its efficiency and effectiveness (Walker, Tweed & Whittle 2014). In this case, efficiency indicates the execution costs related to finance/budget and time. In contrast, effectiveness indicates the extent to which the responses minimise the risk impact or probability of occurrence (Walker, Tweed & Whittle 2014). To achieve a higher level of response efficiency and effectiveness, the control activities should be incorporated into the current business processes at all levels of the organisation.
Information and Communication
This step involves reporting the status of each risk and the related responses. Employees play different roles in the ERM process: the board is responsible for policy design and ERM framework development, while management oversees implementation. A risk reporting structure helps address issues that affect the response plan being executed and gives the staff responsible for the various ERM activities the information they need to carry out their roles effectively. Internal reporting involves the operational staff, the management team, senior leadership, and the board; external reporting communicates the risk profile and responses to stakeholders.
Monitoring
The efficacy of the ERM elements is monitored regularly to determine their effect on the risk profile. ERM monitoring may involve ongoing control activities or independent evaluations, such as audits and reviews.
Integrated Enterprise-Risk Management Framework
The banking sector faces unique challenges that threaten growth. The integrated enterprise-risk management (ERM) framework provides a new approach to risk in the banking industry, structured around five dimensions, and places the responsibility for developing ERM capabilities with the firm's board. The five core dimensions are "risk transparency and insight, risk appetite and strategy, risk-related business processes and decisions, risk organisation and governance, and risk culture" (Brodeur et al. 2010, p. 1). The recommended actions in each dimension are described below.
Risk Transparency and Insight
Most firms have adopted risk identification processes for the early detection and prioritisation of risk events, and produce annual risk reports cataloguing the most significant risks together with their likelihood of occurrence and impact. The weakness of this approach is that such reports often omit company-wide risks, fail to reveal the causes of the risks, and overlook the way multiple risks compound one another (Lamarre & Pergler 2009). A robust risk identification mechanism should uncover root causes. The main components of risk transparency and insight proposed under the integrated ERM framework are a risk taxonomy, a prioritised risk heat map, risk insight and foresight, risk models, and risk reporting.
A risk taxonomy establishes a common vocabulary for the risk types experienced or likely to occur (McNeil 2013); the rationale is to facilitate risk identification and classification for effective management and control. A prioritised risk heat map sorts the risks by potential impact, level of preparedness, and likelihood of occurrence (McNeil 2013). Building a robust heat map requires risk estimates that take account of all the risk drivers, and a transparent, coherent approach to naming and classifying risks across all business units. Besides likelihood and impact, the other variables, preparedness and lead time, should be taken into account when constructing the map.
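The likelihood/impact scoring with inherent and residual ratings described under the ERM risk assessment and risk response components above, and the prioritised heat map described in this paragraph, can be made concrete with a small risk-register scorer. The following is an added example written for this review, not code from any of the frameworks cited; the five-point scales, the band thresholds, and the preparedness and lead-time weightings are assumptions chosen for illustration, and the four register entries are constructed.

```python
"""Risk register scoring with inherent/residual ratings and a prioritised heat map.

Added example: the scales, thresholds and weightings below are illustrative
assumptions, not figures taken from any of the frameworks reviewed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Five-point ordinal scales (assumed) for likelihood and impact.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    rid: str
    name: str
    source: str                    # grouping by source aids root-cause analysis
    likelihood: str                # inherent likelihood, a key of LIKELIHOOD
    impact: str                    # inherent impact, a key of IMPACT
    likelihood_reduction: int = 0  # scale steps removed by the chosen response
    impact_reduction: int = 0      # scale steps removed by the chosen response
    preparedness: int = 3          # 1 (unprepared) .. 5 (well prepared), assumed scale
    lead_time_days: int = 90       # warning time before the risk crystallises


def inherent_rating(r: Risk) -> tuple[int, int]:
    """Likelihood and impact before any response is applied."""
    return LIKELIHOOD[r.likelihood], IMPACT[r.impact]


def residual_rating(r: Risk) -> tuple[int, int]:
    """Likelihood and impact after the response; never below 1 on either axis."""
    l, i = inherent_rating(r)
    return max(1, l - r.likelihood_reduction), max(1, i - r.impact_reduction)


def score(rating: tuple[int, int]) -> int:
    return rating[0] * rating[1]


def band(s: int) -> str:
    """Assumed band thresholds on the 1..25 product scale."""
    if s <= 4:
        return "low"
    if s <= 9:
        return "medium"
    if s <= 15:
        return "high"
    return "critical"


def priority(r: Risk) -> float:
    """Residual score weighted by preparedness and lead time (assumed weights)."""
    prep_factor = (6 - r.preparedness) / 5        # 1.0 unprepared .. 0.2 well prepared
    if r.lead_time_days < 30:
        lead_factor = 1.0
    elif r.lead_time_days < 180:
        lead_factor = 0.8
    else:
        lead_factor = 0.6
    return round(score(residual_rating(r)) * (0.5 + prep_factor) * (0.5 + lead_factor), 2)


def prioritised(register) -> list[str]:
    """Risk ids ordered from highest to lowest priority."""
    return [r.rid for r in sorted(register, key=priority, reverse=True)]


def heat_map(register, residual=True) -> dict[tuple[int, int], list[str]]:
    """Cells keyed (likelihood, impact); each lists the ids plotted there, highest priority first."""
    cells = defaultdict(list)
    for r in sorted(register, key=priority, reverse=True):
        cells[residual_rating(r) if residual else inherent_rating(r)].append(r.rid)
    return dict(cells)


def appetite_breaches(register, max_residual_score: int) -> list[str]:
    """Ids whose residual score still exceeds the stated appetite threshold."""
    return [r.rid for r in register if score(residual_rating(r)) > max_residual_score]


# Constructed register entries for illustration.
REGISTER = [
    Risk("R1", "Key supplier insolvency", "supplier", "likely", "major", 1, 1, preparedness=4, lead_time_days=60),
    Risk("R2", "Regulatory breach on procurement", "regulatory", "possible", "severe", 2, 0, preparedness=2, lead_time_days=20),
    Risk("R3", "Ransomware on project systems", "technology", "likely", "severe", 1, 2, preparedness=2, lead_time_days=0),
    Risk("R4", "Flooding at the project site", "natural", "unlikely", "moderate", preparedness=3, lead_time_days=365),
]

if __name__ == "__main__":
    for rid in prioritised(REGISTER):
        r = next(x for x in REGISTER if x.rid == rid)
        print(rid, r.name, band(score(inherent_rating(r))), "->", band(score(residual_rating(r))), priority(r))
    print("above appetite:", appetite_breaches(REGISTER, max_residual_score=6))
```

Two entries (R1 and R3) land on the same residual cell of the map, yet R3 ranks well above R1 once its low preparedness and zero lead time are weighted in, which is exactly the distinction the paragraph says a plain likelihood-times-impact map hides; the appetite check then lists the risks whose residual score is still outside the stated threshold.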
Another element of the first dimension of this framework is risk insight and foresight. It entails using scenario testing, indicators, and stress tests to explicate high priority risks at the board level (McKinsey & Company 2013). Firms often use these methods to explore up to five risks that are significant to business operations. Constructing risk models can also provide a basis for business decisions for organisations. The subsequent step entails compiling insightful reports on key risks to illuminate the key actionable measures. Well-designed and integrated risk reports should highlight the board’s assessment of the risks, including the tradeoffs considered and the decisions made to facilitate consistent information flows across the organisation (McKinsey & Company 2013).
Natural Ownership, Risk Appetite, and Strategy
This step entails deciding which risks the organisation owns, its risk capacity, its risk appetite, and its risk strategy. A firm's risk appetite depends on its risk capacity, which describes its ability to "withstand a risk when it materialises into actuality" while staying clear of undesirable effects or constraints (Brodeur & Pritsch 2008, p. 12). The determination of risk capacity depends on the type of risk and may involve Monte Carlo simulations or discrete scenarios that help predict future trends. The risk appetite indicates how much risk a firm will take given its capacity (McNeil 2013), and from it the company can determine the risks it can own. Risk ownership describes the risks a firm has the capacity to control and exploit in order to realise its competitive goals (McNeil 2013); at the same time, the firm needs to define the risks it wants to mitigate, transfer out, or avoid. A risk strategy is then formulated on the basis of the risk appetite and ownership. The strategy is a coherent statement of the risks the company has decided to take or transfer; it is normally adopted into the organisation's strategic plan and communicated to shareholders.
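A worked illustration of the Monte Carlo approach to risk capacity mentioned above, written for this review as an added example rather than taken from Brodeur and Pritsch or McNeil: annual losses from a handful of constructed risk scenarios are simulated with a Poisson event frequency and a lognormal loss per event (an assumed loss model), and the loss at a chosen confidence level is compared with the firm's risk capacity and risk appetite. The scenario figures, the capacity and appetite amounts, and the 99% confidence level are all assumptions.

```python
"""Monte Carlo estimate of annual loss versus risk capacity and appetite.

Added example. The frequency/severity model (Poisson events, lognormal loss
per event) and every figure below are illustrative assumptions.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_frequency: float   # expected events per year (Poisson mean)
    median_loss: float        # median loss per event, in currency units
    sigma: float              # log-scale dispersion of the lognormal severity


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm; the random module has no Poisson sampler."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_losses(scenarios, n_years: int = 20_000, seed: int = 1) -> list[float]:
    """One aggregate loss figure per simulated year, summed across scenarios."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n_years):
        total = 0.0
        for s in scenarios:
            for _ in range(poisson(rng, s.annual_frequency)):
                total += rng.lognormvariate(math.log(s.median_loss), s.sigma)
        losses.append(total)
    return losses


def quantile(values, q: float) -> float:
    """Empirical quantile by rank (no interpolation), 0 < q <= 1."""
    if not 0.0 < q <= 1.0:
        raise ValueError("q must be in (0, 1]")
    ordered = sorted(values)
    return ordered[max(0, math.ceil(q * len(ordered)) - 1)]


def assess(scenarios, risk_capacity: float, risk_appetite: float,
           confidence: float = 0.99, n_years: int = 20_000, seed: int = 1) -> dict:
    """Compare the loss at the confidence level with capacity and appetite."""
    if risk_appetite <= 0 or risk_capacity <= 0:
        raise ValueError("capacity and appetite must be positive")
    losses = simulate_annual_losses(scenarios, n_years, seed)
    expected = sum(losses) / len(losses)
    at_confidence = quantile(losses, confidence)
    return {
        "expected_loss": expected,
        "loss_at_confidence": at_confidence,
        "within_capacity": at_confidence <= risk_capacity,
        "within_appetite": at_confidence <= risk_appetite,
        "appetite_utilisation": at_confidence / risk_appetite,
    }


# Constructed scenarios for a public infrastructure project (illustrative figures).
SCENARIOS = [
    Scenario("contractor default", annual_frequency=0.3, median_loss=2_000_000, sigma=0.8),
    Scenario("design rework", annual_frequency=1.5, median_loss=250_000, sigma=0.6),
    Scenario("site flooding", annual_frequency=0.1, median_loss=5_000_000, sigma=1.0),
]

if __name__ == "__main__":
    result = assess(SCENARIOS, risk_capacity=40_000_000, risk_appetite=15_000_000)
    for key, value in result.items():
        print(f"{key}: {value:,.2f}" if isinstance(value, float) else f"{key}: {value}")
```

The expected loss is what a budget absorbs in a normal year; the loss at the confidence level is the figure to set against risk capacity (can the entity survive it?) and against risk appetite (is the board willing to run it?). Changing the response to a scenario is modelled by lowering its frequency or median loss and re-running the assessment, and the seed makes a run reproducible for audit.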
Risk-related Decisions and Processes
This step entails the integration of risk considerations related to strategic planning, resource allocation, and financing in risk-related decisions and processes (Brodeur et al. 2010). A firm’s strategic choices should reflect its risk appetite/capacity. Strategic planning considers the risk assumptions and uncovers the return/risk tradeoffs inherent in a project. Resource allocation gives key personnel the green light to take risks based on the established risk appetite. On the other hand, financing or hedging decisions by the board would depend on the defined risk capacity and potential impacts. In the banking sector, the quality of risk-related decisions/processes depends on how well the liquidity risk is managed in the organisation (Brodeur et al. 2010). Therefore, in banks, risk-related decisions are aimed at managing and controlling liquidity risks.
This integrated ERM dimension encompasses three elements: risk-related decisions, risk optimisation, and risk processes. Risk-related decisions entail the grounding of risk in all business decisions, as opposed to working to meet regulatory requirements. Similarly, risk optimisation must also be embedded in all strategic decisions to achieve favourable return/risk tradeoffs. In addition, the core business operations of the firm must be risk-based to ensure risk-informed responses and actions across all levels of the organisation.
Risk Organisation and Governance
The role of risk oversight belongs to a firm’s board. In the risk governance structure, the board collaborates with the line managers and risk officers on risk issues and ensures that the ERM program is optimised for the specific risks that the firm faces. The oversight role also includes the evaluation of risks through the board-risk committee interactions and dialogue (Pergler 2012). The aim is to remove bureaucratic processes that impede effective risk governance. An ERM organisational model may involve a risk officer reporting to the firm’s chief executive officer and leading teams tasked with the management of various risks affecting the organisation.
The basic components of an ERM organisational model include risk archetypes, risk organisation, and risk-function profile. Risk archetypes entail defining the mandate of an ERM function within the finance unit to introduce risk thinking in managerial processes (Beckers et al. 2013). Risk organisation involves the design of enterprise-wide processes, including risk policies/guidelines and resource allocation. Creating a risk-function profile can help the risk team obtain traction in a firm’s businesses. It entails a clear allocation of duties and obligations of the risk taking personnel and risk management unit.
Risk Culture and Performance Transformation
The final ERM dimension focuses on risk culture and performance. Risk culture emerges when decision-making behaviours that involve an evaluation of risk/benefit tradeoffs become the norm in the organisation. It is defined as the “norms of behaviour for individuals and groups within a company that determine the collective willingness to accept or take risks” (Brodeur et al. 2010, p. 5). Appropriate risk norms should be embedded within the organisation through corporate-level processes and governance.
A cultural survey or diagnostic can reveal the flaws in a firm's risk culture and indicate whether change is needed. Mikes (2011) provides four strategies for effecting sustainable risk-related cultural change in an organisation: fostering conviction and understanding among employees through incident reviews, role modelling by supervisors, talent and risk-skill development, and establishing formal structures and processes for performance appraisal and compensation. According to Mikes (2011), achieving a high-level change in risk culture encompasses four steps: a risk culture diagnostic, articulation of target risk norms, development of multilayer initiatives, and ongoing monitoring of risk governance in the organisation. The risk culture journey therefore culminates in positive risk norms being embedded in all organisational structures and processes.
Risk IT Framework
Public organisations and private enterprises face IT risks in addition to strategic, operational, and market risks, among others. Poor IT security increases the likelihood of business risks arising from cyber threats, and managing such risks is critical to the success of an organisation. The adoption of IT brings immense benefits to an entity, but it also comes with risks.
Since IT lies at the heart of operational efficiency, IT risk should be treated like any other enterprise risk that can impede the achievement of strategic goals (Deloitte 2014). In most organisations, however, the management team does not handle IT risks itself but delegates this role to the IT department. The risk IT framework (Figure 8) helps businesses integrate IT risk governance into the ERM to support risk-based decisions. The framework also makes explicit the nature of the risk as well as the organisation's risk appetite and tolerance, so that appropriate responses can be chosen; it therefore supports risk-aware decisions by organisations.
The risk IT framework is founded on six core principles that support risk governance in organisations. The organisation must continuously connect risk responses to business objectives, align IT risk management with its ERM, balance the costs and benefits of managing risk, report risk openly, have top leadership set the risk appetite, and embed these processes into day-to-day business activities (Deloitte 2014). The risk IT framework contains three components or domains, namely risk governance, risk evaluation, and risk response (Svata & Fleishmann 2011).
Risk Governance
This risk IT domain ensures that risk management practices are integrated with the business processes for enhanced risk-based performance. Risk governance encompasses three processes: integration with ERM, formulation of risk-based decisions, and establishment and maintenance of a common risk view (Svata & Fleishmann 2011). Its goals are to set an acceptable risk appetite and tolerance, clarify roles in IT risk management, promote risk awareness, and establish a risk culture in the organisation.
In the risk IT framework, risk appetite is defined as the “broad-based amount of risk” that an entity can accept in pursuing its mission (Svata & Fleishmann 2011, p. 51). In contrast, risk tolerance means the acceptable variation around organisational objectives (Svata & Fleishmann 2011). These two concepts help an organisation establish a coherent view of the risk at all levels. However, they are subject to changes in technology, firm structures, and macro environment factors. Therefore, a firm should continually evaluate its risk portfolio to determine its risk appetite at different times. On the other hand, risk tolerance can be influenced by mitigation costs. Indeed, in some cases, the cost impact of mitigation can go beyond its resources, resulting in a higher risk tolerance (Svata & Fleishmann 2011). Thus, the cost-benefit trade-offs determine the risk levels that an enterprise is willing to tolerate.
The framework also defines the responsibilities of the people involved in IT risk governance. Responsibility for managing IT risks is spread across several roles: the board, the chief executive officer, the chief risk officer, and members of the enterprise risk committee all play a part in risk governance. Accountability, in contrast, rests with those who allocate resources or authorise specific actions, e.g., the board. Besides establishing responsibilities and accountabilities, risk governance enhances risk awareness and communication in the organisation. Risk awareness entails recognising a risk so that a specific management action can be taken; risk communication fosters discussion of risks to improve management's understanding of their effects and so enable appropriate responses. An open risk communication practice enhances risk awareness among stakeholders and increases transparency in risk governance.
Risk Evaluation
The goal of the risk evaluation domain of the risk IT framework is to identify, analyse, and present "IT-related risks and opportunities" in the organisation (Flemig, Osborne & Kinder 2015, p. 6). It entails three processes: collecting data, analysing the risk, and maintaining an institutional risk profile. The aims are to express business impact and to develop risk scenarios. Evaluation translates IT risks into business risks, which requires the IT and business teams to develop a mutual understanding of the risks that need management: the IT staff should know the impact of the identified IT risks on strategic objectives, and management should understand the IT-related risks that affect business processes (Flemig, Osborne & Kinder 2015).
Risk evaluation defines the link between anticipated IT risks and their effect on operations by expressing those risks in business terms. The methods the risk IT framework prescribes for evaluation include the balanced scorecard, COSO ERM, and the COBIT information criteria (Potts & Kastelle 2014). Risk scenarios are central to IT risk governance: they are used in risk analysis to determine the likely impact of a risk on the organisation. Two complementary methods are used to develop them. In the top-down approach, scenarios are derived from the business objectives; in the bottom-up approach, generic scenarios are refined into scenarios tailored to the organisation's actual circumstances.
Risk Response
The purpose of a risk response is to address IT risks cost-efficiently and in line with the organisation's priorities. The essential processes in this domain are risk management, reaction to risk events, and risk articulation (Svata & Fleishmann 2011). The step encompasses defining the risk response and identifying key performance indicators (KPIs) based on the project objectives; in this context the KPIs act as risk indicators, signalling whether the organisation is likely to face a risk that outstrips the established risk appetite. The choice of KPIs depends on micro- and macro-environment factors, the size of the organisation, and the prevailing regulatory regime (Svata & Fleishmann 2011). The selection process should involve stakeholders to secure buy-in and support, and should consider the major performance indicators and their root causes. The selected KPIs must meet three criteria: optimal business impact, high sensitivity, and reliability (Claudia, Tehler & Wamsler 2015).
The reason for providing a risk response definition is to align the identified risk with the established risk appetite (Claudia, Tehler & Wamsler 2015). This implies that defining a response will ensure potential residual risk falls within the acceptable tolerance threshold. The possible risk response options include avoidance, reduction/mitigation, sharing/transfer, and acceptance. The choice of the risk response option depends on its cost (capital, wages, and operational costs), the significance of the risk as shown in a risk map, the efficacy and efficiency of the response, and the organisation’s capacity to execute the response (Hooper 2014). Therefore, an entity should prioritise the response options based on the above criteria and select the optimal risk response.
Development of a Maturity Model for Public Risk Governance
The maturity model developed in this paper is intended to provide a framework for auditing risk governance and its influence on public project objectives and outcomes. Internal audit activities are important in identifying non-adherence to the risk governance framework by staff across all departments. The adopted maturity model comprises five interrelated domains: strategies; interdisciplinary risk appraisal and insights; risk decisions and process implementation; risk organisation and governance; and review of risk development and decisions. As in the IRGC framework, risk communication runs through all five domains of the model. This requires public organisations to establish a risk culture, adequate financial and technical capacity (resources), appropriate risk appetite levels, and risk ownership. The model draws on existing frameworks, namely the integrated ERM model, the modified IRGC model, and the OCC framework. Each domain and its determinants are described below.
Strategies: make sense of the present and explore the future
Institutional strategy defines the strategic direction of a firm with regard to its business operations and projects to realise the set objectives. A risk management strategy is “a policy statement of the attitude of the organisation to risk” (IRGC 2012, p. 4). The purpose of developing a risk strategy is to achieve four goals: define the risk management approach, outline the institutional risk management modality, give the action plan for enhancing the institution’s risk maturity, and outline the processes/steps of risk management review (IRGC 2012). A risk management strategy communicates a coherent message or affirmation of the risks that the firm is willing to pursue or transfer. It is incorporated into the company’s strategic plan and is implemented in an integrated way.
Success in risk governance can be achieved by using a single approach in managing risks – a risk strategy cascaded down to all levels. A risk strategy is a critical component of the overall risk governance model. The risk management strategy adopted for public institutions contains six essential elements or determinants as summarized in Table 1 below. The first one is a risk management policy that defines the governance structures and accountabilities in the organisation (OECD 2014). The second element is the risk management methodology, which is a structured method for operational risk evaluation and mitigation. An example of a risk management methodology is the “operationally critical threat, asset, and vulnerability evaluation” (OCTAVE) methodology common in the IT sector (OECD 2014, para. 8). The third element includes risk management tools/techniques. Such tools allow risk managers to evaluate uncertainty by developing risk metrics, priorities, responses, and monitoring activities.
The fourth determinant of a risk strategy is the risk champion. Effective risk management requires experts in specific areas of the risk management processes to offer leadership and direction. The individual may not be the risk owner, but he/she helps increase risk awareness within the organisation. Establishing a team of risk champions is essential in creating a risk culture in the organisation (OECD 2014). The fifth element of a risk strategy is risk management training. The IFC (2012) states that training programmes on the risk process help prepare managers, employees, and partners to address common risks and create risk champions. It ensures that due diligence and best practices are embraced in dealing with business risks. The sixth element is the risk assurance statement. According to IFC (2012), organisations can build confidence/trust with their clients, stakeholders, and regulators through a risk assurance statement.
A risk management strategy is developed based on a firm’s risk ownership goals. Based on its risk appetite, a firm may select the risks it is willing to embrace. The ‘owned’ risks are the risks that the organisation is “equipped to manage and exploit competitively” (IFC 2012, p. 7). The firm also determines the risks to mitigate, insure, or avoid based on scenario planning. Based on the risk appetite and ownership, a clear strategy/policy is developed to guide risk management processes. The policy should describe the risks that the firm will embrace and those it will transfer or avoid. The board should be involved in the development of the risk strategy statement, which is then communicated to all stakeholders.
Table 1: Determinants of the Strategy Domain

| Determinant | Description |
|---|---|
| 1. Risk management policy | Defines the risk governance structure and accountability |
| 2. Risk management methodology | Risk evaluation and mitigation |
| 3. Risk management tools | Risk metrics for evaluating uncertainty and responses |
| 4. Risk champions | To offer leadership and direction |
| 5. Risk management training | Preparation of managers and employees |
| 6. Risk assurance statement | Build stakeholder trust/confidence |
Risk Appraisal and Insights
Most firms have risk identification mechanisms for identifying and appraising risks unique to their industry or sector. They develop an annual risk report that lists the most significant risks and their respective likelihood of occurrence and impact. Based on the IRGC framework, facts and assumptions pertaining to a particular risk are determined during the risk appraisal phase. The process entails estimating the probability and impact of each identified risk (Bernado 2016). A risk appraisal process should be comprehensive in order to capture not only the main risks, but also their root causes or risk drivers. Based on the integrated ERM framework, the main elements of the risk transparency and insight stage, which are adapted as the determinants of the risk appraisal and the insights domain of the maturity model, include risk taxonomy, risk insight and foresight, risk ownership, and risk appetite (McKinsey & Company 2013).
Risk taxonomy is the first step in appraising risks related to each project objective or outcome. It involves a classification of risks that a firm faces in its operations. The focus should be on the risks that could affect the realisation of a specified objective or outcome. From an audit perspective, such risks should be identified and defined in terms of triggers/drivers and impacts for effective management and control (McNeil 2013). A risk matrix can be used to classify the risks in a way that enhances the knowledge of the probability and impact of each risk to facilitate the development of effective risk responses for reducing or preventing their occurrence.
The second determinant is risk insight and foresight in relation to threats to firm operations. It gives an organisation the ability to map or delineate the potential impact and probability of a risk related to a specific activity or operation. The probability of occurrence may range from low (unlikely) to very high (almost certain) while the impact of the risk could be minor, moderate, major, or critical. The impact and probability of occurrence of a risk linked to a project objective/outcome should be scored to allow risks to be compared. The key methods firms can use to map out and prioritise risks inherent in project objectives/outcomes at the board level include scenario testing, indicators, and stress tests (McKinsey & Company 2013).
Risk ownership is another determinant of a firm’s appraisal and insight into the risk management process. Risk taking is a key feature of any organisation. However, a firm needs to define its risk appetite to ensure that the risks taken match its resources and capacities. It also needs to select the risks that it can pursue in a realistic manner. These are the risks it ‘owns’, i.e., it can exploit competitively based on its capacities or resources. Risk ownership is defined as the capacity of a company to control and exploit certain risks to achieve the set competitive goals (McNeil 2013). Therefore, a firm should have adequate insight into the dynamics of the project before execution to ensure that its operations minimise the exposure to risks it does not own. Further, the organisation should define not only the risks it intends to own, but also those that need to be insured or avoided.
Another determinant of this domain that should be considered in auditing risk governance is the organisation’s risk appetite. It can be defined as the thresholds of risk – level and type – that the board can assume to achieve the goals or objectives of a project (Polk 2014). Risk appetite depends on the firm’s risk capacity. In auditing the effectiveness of risk governance structures, the appraisal of the organisation’s risk appetite in relation to each risk management activity is necessary to determine if the risks assumed are consistent with its risk capacity.
Table 2: Determinants of Risk Appraisal and Insights

| Determinant | Description |
|---|---|
| 1. Risk taxonomy | Classification of risks |
| 2. Risk insight and foresight | Likelihood and impact of risks |
| 3. Risk ownership | Risks a firm is willing and able to take |
| 4. Risk appetite | Acceptable risk thresholds |
Risk Decisions and Process Implementation
The quality of internal controls and decisions is the hallmark of an effective risk governance process. Effective risk governance requires the integration of various risk considerations and tradeoffs to realise project objectives/outcomes at minimal risk exposure (Hopkin 2012). From an audit perspective, the key considerations in assessing risk-related decisions, process implementation, and compliance with the framework include strategic planning, financial and technical capacity, and risk culture. These are the determinants of the effectiveness of the risk-related processes and decisions.
Strategic planning is related to risk governance. Typically, strategists make decisions based on assumptions about the risks associated with specific project objectives/outcomes. If the assumptions are too narrow, many risks will not be captured in their strategic decisions. According to UNECE (2012), strategic decisions or choices must be anchored in “risk transparency and insight” and must reflect the organisation’s risk appetite (para. 13). Therefore, the auditing process should evaluate the accuracy of the assumptions included in the strategic plan, the acceptability of risks owned or transferred as planned, and the appropriateness of the risk/return tradeoffs.
Financial and technical capacity is a key determinant of an organisation’s risk resilience. It depends on the capital allocation process by the senior management to enhance the capacity of staff to take risks or make investment decisions. Typically, such decisions involve a serious consideration of the “trade-off between risk, return, and flexibility” (UNECE 2012, para. 16). In auditing the organisation’s financial/technical capacity in the context of risk governance, some key considerations include whether the risk decisions are consistent with the risk strategy, the effect of the decisions on risk capacity, and the capability of the firm to respond quickly to residual risks or opportunities.
Risk resilience in volatile economic conditions can also protect the firm from risks that fall outside the purview of its financial or technical capacity. Risk capacity depends on the financing decisions related to the project or operation. Financing decisions, including taking long-term loans, have a direct impact on the risk capacity of the organisation. A firm’s financial structure determines its capital needs and cash flows. Thus, the focus of the audit should be on whether the board is knowledgeable about the risk ramifications of the financing decisions to the project objectives/outcomes.
Institutional risk culture is another determinant of risk decisions and process implementation. Risk culture encompasses the values, capabilities, and behaviours that shape an organisation’s risk governance practices and decisions (Polk 2014). It describes the norms of behaviour in an organisation that determine “the collective willingness to accept or take risks” and the capacity to understand and respond to company risks (McKinsey & Company 2013). From this definition, it is clear that risk culture is a component of the organisational culture. An organisation’s risk culture can be determined through surveys. Once the survey report has been received, the board can undertake to change the risk culture.
Achieving a sustainable cultural change in the organisation may involve multiple strategies. Fostering understanding among employees on the accepted risks is one way of initiating a cultural change. The specific actions may include incident reviews to enhance employee understanding of the “risk errors and near misses” to build a positive risk culture (McKinsey & Company 2013). A second approach involves role modelling. Supervisors and peers can help set professional behaviour that involves considerations of risks in making decisions (McKinsey & Company 2013). Well-designed training programs and workshops can also help develop skills and competencies in relation to risk. Cultural change can also be achieved through formal mechanisms like formalised risk escalation processes and the inclusion of aspects of risk in performance appraisals.
The senior management plays a role in promoting a risk aware culture through a compensation structure that rewards risk-taking behaviour matching the organisation’s risk appetite (Polk 2014). An audit of the risk governance framework should focus on the flaws in risk culture. Overall, the factors that hamper the development of a risk culture in a firm fall into four domains: denial of risk, ambiguity of risk, risk avoidance, and detachment from risk (McKinsey & Company 2013). Management behaviours that are indicative of denial of risk include overconfidence and the fear of bad news. On the other hand, poor communication, unclear tolerance, lack of insight, and inadequate tracking of risks indicate risk ambiguity. Slow response and an indifferent attitude towards risks are signs of detachment, while the subversion of the established risk processes indicates a culture of risk avoidance. Optimal risk oversight is crucial in preventing high-risk activities that may affect project objectives and outcomes. Leadership and commitment from the senior management are required to “translate risk strategy into operational objectives and assign management responsibilities in the organisation” (Beckers et al. 2013, p. 16). The management should promote accountability and staff appraisals in order to enhance efficiency throughout the organisation.
Table 3: Determinants of Risk Decisions and Process Implementation

| Determinant | Description |
|---|---|
| 1. Strategic planning | Reasonable assumptions about risks |
| 2. Financial and technical capacity | Financial and technical resources available |
| 3. Risk culture | Risk aware culture at all levels |
Risk Organisation and Governance
The board has an oversight role in risk organisation and governance. From the integrated ERM programme framework, risk organisation and governance is seen in how the board works with line managers and risk officers in a project to address specific risks. It is the organisational ERM model for optimising all risk types through risk reports, evaluation, and mitigation (Carawan 2016). The determinants of the risk organisation and governance domain include the board’s risk oversight role, board-management interaction, and ERM organisational model.
The board’s role in risk oversight covers the assessment of various risks through interactions with the risk committee and line managers (Pergler 2012). Therefore, when auditing the risk governance structure of a firm, the focus should be on who is responsible for risk oversight. In most firms, the senior management considers risk oversight a sole responsibility of the audit committee of the board. However, this perspective fails to take into account the significance of risk oversight to a firm’s performance (Pergler 2012). It is also indicative of the casual manner in which risk processes are handled by the firm. A true ERM is required to eliminate bureaucratic processes in risk governance and promote board-risk committee interaction.
The involvement of directors in risk evaluation is the hallmark of oversight. The board should hold a discussion of risk and develop the risk management policy that all employees should follow. Besides board involvement in risk processes, having a separate risk committee can help cultivate a risk aware culture in the organisation. However, even with a risk committee, the ultimate body charged with the role of risk oversight is the board. For this reason, the composition of the board is critical. A mix of backgrounds will help provide a diversity of views on the risks (Carawan 2016). Additionally, a board culture that encourages collaboration and interaction with line managers is required for effective risk oversight. Therefore, the board’s skill mix, culture, and involvement in risk issues should be the focus of any audit activity.
Board-management interaction also determines the efficiency of risk organisation and governance in a company. The aim is to promote synergy and understanding of the various risk issues by the management. Besides interacting with the line management, the board should dialogue with the risk officers, who have the best understanding of the risks. One characteristic of a board with high risk awareness is its focus on specific risk issues as opposed to generalities related to risks. Such a board also discourages bureaucratic risk processes. The directors interact directly with the management and risk officers to gain insights into the risks.
The third determinant of the risk organisation/governance is the ERM organisational model. The ERM function may be structured in various ways depending on the “nature of business, its risks, and its mandate” (Domokos et al. 2015, p. 9). The risk organisation/governance structure may involve a department headed by a risk officer who reports directly to the chief executive officer of the company. The staff working in this department may deal with varied risks, such as financial, market, and operational risks (Domokos et al. 2015). The specific roles of these employees may include financial analysis, risk-return reporting, and involvement in risk-return discussions at all levels. Therefore, the key considerations when auditing the ERM function include the reporting structure and the teams in the risk department involved in different risks related to the project.
A company may also choose to establish the risk function in the finance department. The roles of such a small ‘risk group’ include leading the risk governance processes through risk reporting, measurement of risk exposures, championing risk strategies/policies developed by the board, and initiating discussions around risks at all levels of the organisation (McKinsey & Company 2013). The team driving this group should comprise risk champions who report to the chief risk officer. An optimal ERM model should be one that utilises existing capabilities across business units to develop an integrated perspective on risks (McKinsey & Company 2013). Therefore, in auditing risk governance in a firm, evaluating the chosen ERM model in the context of best-practice risk management could give an idea of the robustness of the risk processes.
McKinsey outlines eight principles of creating a model ERM process in an organisation. These principles could provide a basis for evaluating the robustness of an organisation’s risk management process during an audit activity. First, the top management must demonstrate strong commitment towards risk governance. The board should provide central oversight of risk governance throughout the organisation, including all business units. The separation of responsibilities related to the risk process is another best-practice principle. In particular, the policy-setting function should be separate from the risk identification and management unit (Andreeva, Ansell & Harrison 2014). Besides, the accountability requirements of staff at all levels and the organisation’s risk appetite and policy should be stated explicitly. Another best-practice principle is risk ownership at the unit level, with the risk champions at each unit engaging in discussions to develop an integrated view of risks. Incentive programs should also be tied to the risk-return decisions of the employees or line managers. This approach will help create a risk aware culture in teams involved in various projects.
Table 4: Determinants of Risk Organisation and Governance

| Determinant | Description |
|---|---|
| 1. Board risk oversight role | Dedicated risk committee to guide risk processes |
| 2. Board-management interaction | Dialogue between the board and senior management |
| 3. ERM organisational model | Risk governance structure and reporting format |
Review of Risk Development and Decision
The review of the risk governance framework helps indicate emerging risks that require new approaches and decisions. It is the responsibility of the board to review risk development processes and decisions. Risk development and decision comprises three elements/determinants: risk identification and assessment, risk responses, and risk review.
Risk identification and assessment involves the determination and prioritisation of significant risks by the management. The central goal is to define the risks that are important to the organisation based on the set criteria. The board makes four kinds of decisions related to risk identification and assessment, namely, choosing the significant risks among options, prioritising the risks, allocating resources/finances, and comparing the outcomes of different units/projects (Hopkin 2012). Decisions touching on the type of risk governance framework to use involve consideration of various alternatives. The decision to use a particular framework is often based on specific criteria. The availability of resources, cost-return tradeoffs, and management commitment are key considerations in such decisions. In auditing a firm’s risk identification/assessment methodologies, the issues to evaluate include whether the risk identification approach gives an exhaustive list of risks and the criteria used to rank risks.
A review of the risk responses can help determine if the risk governance actions are consistent with the risk management objectives of the firm. One of the risk management actions is the transfer of risks to a third party, such as insurance firms, capital markets, contractors, etc. (Gates, Nicolas & Walker 2012). The risk response must involve a reasonable economic cost. Usually, organisations use a risk matrix to apportion resources. A risk matrix comprises four quadrants, each containing specific risks and their impacts and probabilities (Gates, Nicolas & Walker 2012). In cases of resource constraints, only high-impact risks are addressed. In this way, risk mitigation actions are prioritised based on the severity and probability of each risk.
Risk review is another key component of risk development and decision-making. The context in which risk decisions are made is not static. New data or facts may come up, forcing companies to reconsider past decisions. Therefore, risk review helps track the selected risk mitigation actions and identify emerging risks.
Table 5: Review of Risk Development and Decision

| Determinant | Description |
|---|---|
| 1. Risk identification and assessment | Prioritisation of risks |
| 2. Risk response | Risk management actions |
| 3. Risk review | A review of past risk decisions and processes |
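The likelihood/impact scoring described under risk insight and foresight in the appraisal domain, and the four-quadrant risk matrix used to prioritise responses under resource constraints in the review domain, carried through as an added Python example. This is illustrative code written for this page, not a tool from the chapter or from any of the frameworks it reviews. The numeric values assigned to the ordinal scales, the five sample project risks, their response costs, the budget and the appetite threshold are all constructed assumptions; a residual score is approximated here as inherent likelihood times post-response impact.

```python
"""Risk-matrix scoring and response prioritisation (added example, constructed data)."""
from dataclasses import dataclass
from typing import List, Tuple

# Ordinal scales from the text: likelihood low (unlikely) .. very high (almost certain);
# impact minor .. critical. The 1..4 numeric mapping is an assumption for this example.
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3, "very high": 4}
IMPACT = {"minor": 1, "moderate": 2, "major": 3, "critical": 4}
HIGH = 3  # scale value at or above which likelihood/impact counts as "high" in the matrix


@dataclass(frozen=True)
class Risk:
    name: str
    objective: str        # project objective/outcome the risk is linked to
    likelihood: str
    impact: str
    response_cost: int    # constructed cost of the planned response
    residual_impact: str  # expected impact once the response is applied


def score(risk: Risk) -> int:
    """Inherent score = likelihood x impact, so risks can be compared on one scale."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def residual_score(risk: Risk) -> int:
    """Simplifying assumption: the response changes impact, not likelihood."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.residual_impact]


def within_appetite(risk: Risk, appetite: int) -> bool:
    """A response is adequate when the residual score sits inside the tolerance threshold."""
    return residual_score(risk) <= appetite


def quadrant(risk: Risk) -> str:
    """Place the risk in one of the four risk-matrix quadrants."""
    likely = LIKELIHOOD[risk.likelihood] >= HIGH
    severe = IMPACT[risk.impact] >= HIGH
    if likely and severe:
        return "high likelihood / high impact"
    if severe:
        return "low likelihood / high impact"
    if likely:
        return "high likelihood / low impact"
    return "low likelihood / low impact"


def prioritise(risks: List[Risk], budget: int, appetite: int) -> Tuple[List[str], List[str], List[str]]:
    """Fund responses in order of impact, then inherent score, then cost.

    High-impact risks are funded first; low-impact risks are funded only if every
    high-impact response fitted in the budget (the resource-constrained rule in the text).
    Returns (funded, deferred, funded_but_outside_appetite) as lists of risk names.
    """
    ordered = sorted(risks, key=lambda r: (-IMPACT[r.impact], -score(r), r.response_cost))
    funded, deferred = [], []
    remaining, constrained = budget, False
    for r in ordered:
        high_impact = IMPACT[r.impact] >= HIGH
        fits = r.response_cost <= remaining
        if high_impact and fits:
            funded.append(r)
            remaining -= r.response_cost
        elif high_impact:
            deferred.append(r)
            constrained = True
        elif fits and not constrained:
            funded.append(r)
            remaining -= r.response_cost
        else:
            deferred.append(r)
    outside = [r.name for r in funded if not within_appetite(r, appetite)]
    return [r.name for r in funded], [r.name for r in deferred], outside


# Constructed sample register for a hypothetical public infrastructure project.
SAMPLE_RISKS = [
    Risk("Cost overrun on civil works", "Deliver within approved budget", "high", "critical", 400, "major"),
    Risk("Contractor default", "Complete by milestone date", "medium", "critical", 300, "moderate"),
    Risk("Regulatory change", "Obtain operating permits", "low", "major", 250, "minor"),
    Risk("Community opposition", "Maintain stakeholder support", "high", "moderate", 100, "minor"),
    Risk("Minor schedule slip", "Complete by milestone date", "very high", "minor", 50, "minor"),
]

if __name__ == "__main__":
    for r in sorted(SAMPLE_RISKS, key=score, reverse=True):
        print(f"{r.name:30} score={score(r):2} quadrant={quadrant(r)}")
    print(prioritise(SAMPLE_RISKS, budget=800, appetite=6))
```

With a budget of 800 the two critical-impact responses are funded, the major-impact one does not fit, and the low-impact risks are deferred; the cost-overrun response is flagged because its residual score (9) still exceeds the appetite of 6, which is the condition an auditor would query under the risk response definition. Raising the budget to 1200 funds all five.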
Risk communication is a core element of the maturity model described. It entails educating the stakeholders on risks to promote their involvement in risk governance. Effective risk communication allows a firm to utilise the opportunities that come with exposure to risks. Nottingham (2014) outlines four factors necessary for an improved risk communication capability: clear risk governance roles, an integrated view of risks, a risk appetite statement, and risk reporting and dialogue. Effective risk communication begins with clarity of the risk governance structure. Firms should ensure that the allocation of roles is well defined at the board level and management level and that the organisational structure facilitates risk dialogue (Nottingham 2014). The board plays the role of oversight. For this reason, the board, through a dedicated risk committee, should support the capacity of the managers to identify, evaluate, and mitigate risks by acting as a reservoir of information. On the other hand, the management’s responsibility is to develop and execute risk mitigation actions to manage the identified risks in liaison with the chief risk officer.
Having an integrated view of risks enhances the understanding of the relationship between risk-return tradeoffs and business objectives. It entails having a common “definition of risk, business objectives, value drivers, and strategy” relevant to the risks (Nottingham 2014, p. 5). A clear risk appetite statement also contributes to effective risk communication. It entails a quantitative and qualitative expression of the risks that a firm has decided to take. The statement promotes risk communication throughout the firm and informs interactions between the board and the management. Further, having a reporting structure that promotes risk governance in the organisation is important. This approach can help track organisational performance relative to the set risk appetite.
Issues Learned from Literature
| Issues raised in literature | Theoretical argument | Research gaps | Emerged research questions |
|---|---|---|---|
| Stakeholders or actors in risk governance | An important theme emerging from the frameworks reviewed relates to the stakeholders involved in public or private sector organisations. Good risk governance depends on how relationships/interactions among the stakeholders are harnessed into collective actions in risk identification, assessment, analysis, response, and monitoring (Arena, Arnaboldi & Azzone 2010). Different stakeholders are mentioned in the frameworks in the context of the public sector, including national/local government, the private sector, civil society, communities, etc. | Although the frameworks reviewed specify the key steps in risk governance, the description of the actors or stakeholders and their interactions in risk management is limited. | – Who are the specific stakeholders or actors involved in risk governance in the public sector? – What are the stakeholder relationship dynamics or interactions inherent in risk governance, especially risk decision-making processes? – How do positive or negative power dynamics affect risk decision processes? |
| The appropriate risk appetite based on the risk capacity of an organisation | The frameworks reviewed (OCC, REPM, ERM) affirm that the risks an organisation is willing to take should not exceed its risk appetite (IIA 2013). It requires a confirmation of the financial implications of a particular risk strategy, possible constraints during execution, and risk integration into strategic planning. These elements constitute a firm’s risk capacity. | Given that any risk process should consider the risk/return tradeoffs, it becomes evident that the risk appetite threshold should exceed an organisation’s risk capacity. It is not explicitly explained to what extent the risk appetite should exceed the risk capacity to realise the full benefits/opportunities of a risk, while safely avoiding its negative impacts. | – What is the risk appetite threshold that a public sector organisation can establish to profit from identified risks without experiencing dismal surprises? – What level of uncertainty can public sector organisations accept in exchange for risk advantages given their altruistic/societal foundations? |
| Risk communication and reporting | Communication, as a critical component of risk governance, recurs in most of the frameworks reviewed – IRGC, modified IRGC, ERM, and Risk IT frameworks. Effective communication is essential in risk governance activity (Renn 2011). The intent of risk communication and reporting is to educate and inform stakeholders to achieve trust in the process. Good risk reports by the board or the management lead to enhanced risk transparency. | One main challenge with risk communication and reporting that is not addressed in the literature is how to identify and meet the expectations of the stakeholders through the communiqué or risk reports. Given the diversity of backgrounds of the stakeholders, misjudgements in communications can cause mistrust that can hamper responsible governing of risks. | – How can meaningful interactions among stakeholders with different backgrounds be realised in the context of public investment projects? – What specific elements should be included in risk reports to support information flows that are consistent with the diverse risk interpretations? |
| Embedding a positive risk culture in the organisation | One area that has been the focus of the studies reviewed is the establishment of a risk culture in the organisation. It is noted that a consistent risk culture across the organisation is a critical aspect of risk governance: it ensures that operations or decisions fall within the established risk thresholds or appetite (IFC 2012; Polk 2014). Certain leadership activities, such as risk anticipation, can help change mindsets to cultivate a positive risk culture. | In the literature reviewed, the common assumption is that risk culture is an intangible aspect of risk governance. This makes it difficult to measure improvement in risk culture or change from the baseline. Further, the indicators of a positive risk culture in organisations are not clear from research. | – What set of leadership interventions should be considered to cultivate a new risk mindset and culture in public organisations? – What assessments or measurements can be used to determine an organisation’s risk culture? |
In this chapter, a systematic review of scholarly literature on risk governance has been done. Although risk governance definitions vary widely, they all feature multi-actor involvement and transparency/accountability principles. It can be conceptualised as a multi-stakeholder network/process for evaluating and managing public risks. Risk governance provides a framework for the involvement of all actors in the responsible management of risk problems. The major risk governance frameworks reviewed in this research include Brown and Osborne’s (2013) model for public service innovation, the IRGC model, and the modified IRGC framework. Risk governance is a cyclic process comprising five interconnected phases that culminate in an optimal risk management option for an identified risk. The risk governance approaches adopted in public service organisations in countries such as the UK focus on the institutionalisation of risk analysis tools to support policy/decision rationales and accountability. The identified issues of risk governance in the public/government sector include the communication/inclusion of multiple stakeholders, multidisciplinary knowledge/experience integration, routines, and flexibility of regulatory approaches.
The review has examined eight existing frameworks of risk governance in various sectors. The first one is Brown and Osborne’s (2013) framework, which is applicable to public sector innovation. It links technocratic, decisionistic, and transparency approaches to different possible formulations of innovation, i.e., evolutionary, expansionary, and total innovation. Evidently, this framework is too simplistic to cater for the diverse multi-actor processes involved in public sector risk governance. The second framework reviewed is that provided by the IRGC. Its five phases – pre-assessment, appraisal, characterisation and evaluation, management, and communication – provide a foundational theoretical lens for risk governance across all sectors. However, the framework is clearly too linear to reflect the iterative and integrated nature of public sector decision-making. Nevertheless, it provides a good starting point for the development of a more integrated framework of risk governance. To avoid the problem seen in the earlier IRGC model (linearity), the modified IRGC framework by Renn, Klinke, and van Asselt (2011) involves a cyclic process. It also introduces the element of multi-actor inclusion in the pre-estimation stage.
The problem seen in the IRGC framework also occurs in the OCC’s framework, which is meant for corporate risk governance in banks. This framework involves additive steps of establishing a risk management system, risk appetite, and risk culture that proceed in a logical sequence. In contrast, the IPCC model highlights a host of activities for reducing natural risks and managing residual risk events. The REPM framework centres on value creation for the organisation through oversight/planning, business-level planning, operational execution, and monitoring and compliance of corporate risks. In contrast, the ERM framework focuses on the unit-level and entity-level business risks that threaten a firm’s operations. The risk IT framework gives integrated activities for risk governance, risk evaluation, and risk response to help organisations make risk-aware decisions. The maturity model developed is based on elements of the integrated ERM model, the modified IRGC model, and the OCC’s framework, attuned to make it a useful tool for auditing risk governance in the public sector. The five main domains of the maturity model include strategies, interdisciplinary risk appraisal and insights, risk decisions and process implementation, risk organisation and governance, and review of risk development and decisions. The domains and their respective determinants have been described. The main advantage of the maturity model is that it can be applied in auditing risk governance frameworks and decisions that affect business objectives/outcomes. Thus, it is a useful tool for decision-making processes in risk management in organisations.
Four key issues or themes emerge from the literature reviewed. The first is the diversity of stakeholders and the breadth of their interactions in a public risk environment. The appropriate risk appetite for organisations is another issue evident in the literature. Effective risk communication/reporting that reflects the diversity of stakeholder backgrounds and interpretations is another key issue in this research. Finally, the challenge of embedding a new risk mindset or culture comes up as a significant issue in the risk governance literature.
Andreeva, G, Ansell, J & Harrison, T 2014, ‘Governance and accountability of public risk’, Financial Accountability and Management, vol. 30, no. 3, pp. 342-361.
Beckers, F, Chiara, N, Flesch, A, Maly, J, Silva, E & Stegemann, U 2013, ‘A risk-management approach to a successful infrastructure project: initiation, financing, and execution’, McKinsey Working Papers on Risk, vol. 1, no. 52, pp. 1-18.
Carawan, M 2016, Risk governance framework: assessment and reporting. Web.
Domokos, L, Nyeki, M, Jakovac, K, Nemeth, E & Hatvani, C 2015, ‘Risk analysis and risk management in the public sector and in public auditing’, Public Finance Quarterly, vol. 1, no. 1, pp. 7-15.
Gates, S, Nicolas, J & Walker, P 2012, ‘Enterprise risk management: a process for enhanced management and improved performance’, Management Accounting Quarterly, vol. 13, no. 2, pp. 1-11.
Hopkin, P 2012, Fundamentals of risk management: understanding, evaluating and implementing effective risk management, Kogan Page Publishers, London.
International Finance Corporation [IFC] 2012, Standards on risk governance in financial institutions, International Finance Corporation, Washington, DC.
International Risk Governance Council [IRGC] 2012, An introduction to the IRGC risk governance framework. Web.
McKinsey & Company 2013, Practitioners guide to transforming ERM infrastructure, McKinsey & Company, New York, NY.
McNeil, AJ 2013, ‘Enterprise risk management’, Annals of Actuarial Science, vol. 7, pp. 1-2.
Nottingham, L 2014, Risk communication: aligning the board to c-suite, Oliver Wyman, New York, NY.
Organisation for Economic Co-operation and Development [OECD] 2014, OECD recommendation on the governance of critical risks. Web.
Pergler, M 2012, ‘Enterprise risk management’, McKinsey Working Papers on Risk, vol. 1, no. 40, pp. 1-17.
Polk, D 2014, Risk governance: visual memorandum on guidelines adopted by the OCC, Davis Polk & Wardwell LLP, New York, NY.
United Nations Economic Commission for Europe [UNECE] 2012, Risk management in regulatory frameworks: towards a better management of risks. Web.