Risk response strategy
A key outcome of the risk identification and assessment process is a detailed list of all key risks including those that require treatment as determined by the overall level of the risk against the Institution's risk tolerance levels. However, not all risks will require treatment as some may be accepted by the Institution and only require occasional monitoring throughout the period.
All key risks identified should be responded to; however, not all of these risks will require treatment. The risks that fall outside of the Institution's risk tolerance levels are those which pose a significant potential impact on the ability of the Institution to achieve set objectives and therefore require treatment.
The purpose of responding to and treating risks is to minimize or eliminate the potential impact the risk may pose to the achievement of set objectives.
Risk response is concerned with developing strategies to reduce or eliminate the threats and events that create risks. Risk response should also make provision for the exploitation of opportunities to improve the performance of the Institution. Responding to risk involves identifying and evaluating the range of possible options to mitigate risks and implementing the chosen option. Management should develop response strategies for all material risks, whether or not the management thereof is within the direct control of the Institution, prioritising the risks exceeding or nearing the risk appetite level.
Where the management of the risk is within the control of the Institution, the response strategies should consider:
· avoiding the risk by, for example, choosing a different strategy or terminating the activity that produces the risk;
· treating the risk by, for example, implementing or improving the internal control system;
· transferring the risk to another party more competent to manage it by, for example, contracting out services, establishing strategic partnerships and buying insurance;
· accepting the risk where cost and strategy considerations rule out alternative strategies; and
· exploiting the risk factors by implementing strategies to take advantage of the opportunities presented by such risk factors.
In instances where the management of risk is not within the control of the Institution, the response strategies should consider measures such as forward planning and lobbying. Response strategies should be documented and the responsibilities and timelines attached thereto should be communicated to the relevant persons.
2. Developing a risk response strategy
Risk response plans identify responsibilities, schedules, the expected outcome of responses, budgets, performance measures and the review process to be set in place.
The risk response plan usually provides detail on:
· actions to be taken and the risks they address;
· who has responsibility for implementing the plan;
· what resources are to be utilized;
· the budget allocation;
· the timetable for implementation; and
· details of the mechanism and frequency of review of the status of the response plan.
2.1 How to respond to risks?
Responding to risks involves the following key steps, each of which is covered in detail in this section:
· Identify risk response options;
· Select risk response options;
· Assign risk ownership; and
· Prepare risk response plans.
2.1.1 Identify risk response options
Risk response design should be based on a comprehensive understanding of how risks arise. This includes understanding not only the immediate causes of an event but also the underlying factors that influence whether the proposed response will be effective.
Risk response options are not necessarily mutually exclusive or appropriate in all circumstances. They should include the following:
· Avoiding risk – not engaging in the activity that creates risk exposure;
· Mitigating risk – applying procedures that reduce the risk;
· Transferring risks – transferring the risk exposure to other parties;
· Exploiting risk – exploiting risks that represent a missed opportunity;
· Accepting risk – accepting a risk with a low level of exposure;
· Terminating risk – stopping the activity that gives rise to a risk higher than the acceptable level; and
· Integrating some risks – applying some or all of the risk responses to address a risk.
2.1.2 Select options for response
Once risks have been assessed and a level of risk rating has been assigned, an option for response is selected. Consideration should be given to the cost of the response option as compared to the likely risk reduction that will result.
For example, if the only available response option would cost in excess of R10 mln to implement and the cost impact of the risk is only R5 mln, implementing it may not be advisable.
In order to understand the costs and benefits associated with each risk response option, it is necessary to conduct a cost-benefit analysis.
A basic cost-benefit analysis includes:
· Defining or breaking down the risk into its elements by drawing up a flowchart or list of inputs, outputs, activities and events;
· Calculating, researching or estimating the cost and benefit associated with each element (including, if possible, direct, indirect, financial and social costs and benefits); and
· Comparing the sum of the costs with the sum of the benefits.
2.1.3 Assign risk ownership
The Accounting Officer / Authority typically allocates responsibility for risk to an operational or functional area Line Manager.
Risk owners nominated by Executive Management should assume responsibility for developing effective risk response plans. The risk owner (the person accountable for managing a particular risk) should be a senior staff member or Manager with sufficient technical knowledge about the risk and/or risk area for which a response is required.
The risk owner will often delegate responsibility (but not accountability) to his / her direct reports or consultants for detailed plan development and implementation.
2.1.4 Prepare response plans
Once response options for individual risks have been selected, they should be consolidated into risk action plans and/or strategies.
As one risk response may impact on multiple risks, response actions for different risks need to be combined and compared so as to identify and resolve conflicts between plans and to reduce duplication of effort.
Response plans should:
· Identify responsibilities, schedules, the expected outcome of responses, budgets, performance measures and the review process to be set in place;
· Include mechanisms for assessing and monitoring response effectiveness, within the context of individual responsibilities, the Institution's objectives, and processes for monitoring response plan progress against critical implementation milestones. This information should all arise from the response design process; and
· Document how the chosen options will be implemented in practice.
The successful implementation of the risk response plan requires an effective management system that specifies the methods chosen, assigns responsibilities and individual accountabilities for actions, and monitors them against specified criteria. Communication is a very important part of response plan implementation.