Why is a Risk Management ‘framework’ important? 

No matter what the business decisions or activity, there is inherent risk at every step of the way.  A business needs to manage its risks because they have a direct impact on the rewards. Generally, the greater the risk, the greater the possible returns, but taking a ‘long shot’ to achieve a high return can also backfire and result in a financial catastrophe.  You don’t want the long shot to be the parting shot!

By developing what is known as a ‘Risk Framework’, you gain an understanding of the types and levels of risk you are taking at any given time.  Rather than gambling on risks and their possible outcomes without properly considering whether you have the appetite to take them, a risk framework gives a far better understanding of the risks being considered and promotes better informed decision making.

It is also helpful because most organisations contain positions that are likely to be risk averse (such as the cost centres of budgeting or purchasing) alongside positions that may be more risk tolerant, such as business development (for example sales) and business innovation.

What is Actually Involved in Establishing a Risk Management Framework?

In essence, a risk management framework is a set of policies and processes that help business owners or managers identify, analyse, evaluate and treat (or mitigate) any risk. This considered response to risk should also add value to the business by helping to achieve organisational objectives.

Is Risk Management a One Size Fits All?

The risk management framework that suits one business is unlikely to suit another, because businesses operate in different industries, jurisdictions and locations and usually have different management models. An organisation needs to implement an enterprise-wide approach to its risk management, no matter how big or how small the playing field is and no matter what the industry is.

Does Risk Management Overlap with any Other Areas of Governance?

Risk management is relevant to every area of governance in a business, from the way that the board or management team operate in their supervisory environment, down to the financial policies, employment policies, legal obligations under contracts and even the day to day operations, all of which carry their own individual risks that need to be considered.

How Can I Tell if Our Organisation has good Risk Management?

There are giveaways that usually indicate how mature an organisation is with risk.  Where very little work has been done, managing the problems that arise from something going wrong is usually ad-hoc and often chaotic: everyone discusses the problem (unless they hide it), and nobody is quite sure what to do.  It is ultimately handled by whichever individual has the capabilities and the practical wisdom to assist in dealing with whatever has happened. There is often a ‘go-to’ person who is expected to heroically leap into action and save the day.

For me, a great example of a mature risk culture is how product or service complaints are dealt with.  In a risk mature organisation, there is a defined process and well-defined policies stipulating how complaints are received and acknowledged; staff are trained to understand what role they have at the various stages of the complaint process and fully understand their limits of authority, so they know when they may apply a solution (like a refund) and when the complaint needs to be escalated to someone further up the chain.

By contrast, an immature organisation may have front-line staff trying to pacify a complainant without any authority to apply a solution (such as a refund or a replacement), and this may cost the organisation significantly. Whatever action is taken may still fail to satisfy the complainant, so the problem has cost money and still isn’t solved.

It is also very likely that complaints are simply sidestepped by front-line staff who have no training in any process and who legitimately feel that the complaint is “not our problem”.  Meanwhile, further up the line, a stressed senior manager or owner gets handballed each and every complaint after others have just made it worse – which then consumes a great deal of their time and causes a great deal of frustration.

Sound familiar?

What are the Nuts and Bolts of Implementing a Risk Management Process?

While there are several really good tools that assist in various stages of creating a framework, the starting point is to broadly follow the general process which is set out in the international Risk Management Standard – AS/NZS ISO 31000.

This identifies the Governing principles for creating value and protecting an organisation from various risks.  These principles are integrated in an organisation with the simultaneous development of the right tone or culture in the people who work there in order to reinforce the importance of risk management and to establish proper oversight responsibilities.

The 3 separate areas of risk management discussed below and the strategy and objective-setting in a business should all be part of the strategic planning process and should look both internally within the organisation and externally with how the organisation liaises with external stakeholders.

Can I Start on a Risk Management Framework if my Governance in Other Areas is Lacking?

Just because you have still not put comprehensive governance policies in place in other areas of the organisation (such as financial, IT, operations and personnel) does not mean that you can’t get started on your Risk Management framework.

Our own experience was that commencing with an operational risk management framework within the system of compliance known as “Quality Assurance” gave us tremendous insight into other areas of governance where policies and procedures could be improved.

Should I Hire a Consultant to Complete the Risk Management Framework?

A couple of factors come into play here!  The first is the effectiveness of the process.  Nobody knows an organisation better than the people who own or run it.  A risk consultant can be great in a larger organisation with many moving parts that can afford to pay significant fees over a lengthy period of time, but while this large cost can be absorbed in larger businesses, such an engagement is generally not practical in a much smaller organisation.

Our own experience is that the framework we have established and continue to work upon is suitable to our own operations and our own industry and that is why it adds value.

There are several alternatives to hiring a consultant who may work full or part-time for an extended period. These include:

  1. Obtaining ongoing advice from a properly qualified consultant or legal practitioner who can provide intermittent guidance and appropriate tools for the business to use and modify in order to establish a well devised risk management process and framework; or
  2. As some of our clients have done, establishing a consulting group or a board or management subcommittee that meets periodically. Its members share appropriate knowledge and skills around the meeting table to guide the management of the organisation, who remain responsible for implementing the risk management process and reporting back between meetings.

How Long will Establishing a Risk Management Framework take?

To embed the framework, processes and a risk management culture within an organisation, it is important to realise that the process takes time and should not be viewed as a short term or quick fix. As a project, allow at least 6 months to establish the rudiments of the framework and expect to continue refining and improving it forever!

In our experience, it is better to take smaller steps and engage with management and staff at all levels to obtain buy-in to the process.

What are the Payoffs from the Process?

The international standard publishes 11 Guiding Principles, in other words the attributes of an established Risk Management Framework. Risk management:

  1. creates value in the organisation;
  2. is an integrated part of the organisational processes;
  3. is an integral part of decision-making;
  4. explicitly addresses organisational uncertainty;
  5. is systematic, structured and timely;
  6. is based on the best available information;
  7. is tailored to suit the organisation in its individual environment;
  8. takes into account human and cultural factors;
  9. is transparent and inclusive;
  10. is dynamic, repeatable and responsive to change;
  11. facilitates continual improvement and enhancement of the organisation.

What are the Benefits to Stakeholders Within and Outside the Organisation?

An effective Risk Management framework will operate to defend an organisation and improve its reputation with its own employees, suppliers, contractors, regulators and customers. It will take into account and manage the risk of loss of reputation by identifying those key risks which can impact upon an organisation’s image and ability to trade, and by implementing strategies for defending against them.

How does Risk Management relate to Auditing both Externally and Internally?

There are certainly some similarities in the activities undertaken by both internal and external audit but there are considerable differences in the way that they each integrate with the overall Risk Management framework.

Where an organisation has a Risk Management Framework in place and also has an internal and an external auditor, it is often suggested that there are three lines of defence in relation to risk.

Can I find out More About How the Risk Management Process Would Benefit Our Business?

In the case of a business wanting to commence the process of establishing a Risk Management and overall Governance framework, we normally would prefer to meet personally with the CEO or the owner for a one-hour fixed fee appointment of $350 plus GST which can be booked as an appointment through this website or at this link.

Bruce Havilah is a Not-For-Profit Director of a National Sporting organisation and is an Associate Member of the Governance Institute.  He works in the areas of business and commercial law and litigation and Governance.


This newsletter article is made available by Havilah Legal only to give you general information and a general understanding of the law. It is not legal advice, and should not be treated as such.

The legal information in this newsletter is provided ‘as is’, and Havilah Legal makes no representations or warranties, express or implied, in relation to the legal information in this newsletter.

Your use of this newsletter does not establish a lawyer/client relationship between you and Havilah Legal. You must not rely on the information in this newsletter as an alternative to legal advice. If you need legal advice, or if you have any specific questions about any legal matter you should consult Havilah Legal or your professional legal services provider.

Liability limited by a scheme approved under Professional Standards Legislation.