IRM's Professional Standards in Risk Management PART 1 Consultation: Functional Standards


Setting standards. Building capability. Championing learning and development. Raising the risk profession's profile. Supporting performance.

Contents

Building excellence in risk management
An Enterprise Risk Management (ERM) approach
Using the standards in practice
IRM's Professional Standards Framework
The standards

Building excellence in risk management

As the professional body for risk management, IRM sits at the heart of the risk profession. We lead on developing standards, building skills, cultivating talent, championing learning and development, and supporting individuals and organisations to improve their performance by building their risk management capability.

High standards of competence and integrity are vital to the success of the risk profession. IRM's standards underpin our qualifications and professional membership. They will also underpin IRM's continuing professional development activities, such as training and events. These elements provide individuals with a valuable route to keep their knowledge and skills up to date and build a successful career in risk management. IRM's standards help employers build their risk management capability, giving them a professional benchmark to recruit and retain appropriately trained and qualified people.

An Enterprise Risk Management (ERM) approach

All organisations need to take risks at the strategic, tactical and operational levels to deliver their objectives. Anything that makes achieving these objectives uncertain is a risk and needs to be managed. Enterprise Risk Management (ERM) is an integrated approach to managing risks across an organisation. Led by an organisation's board, it provides clear frameworks and processes, and a context and structure within which risk and reward are managed and communicated to internal and external stakeholders.

Risk management should not be exercised in a silo. It should be embedded in the general management of an organisation and fully integrated with other functions such as finance, strategy, internal control, procurement, continuity planning, HR and compliance. The degree of this integration will vary, depending on an organisation's size, risk maturity, culture, implementation processes, operating models and external environment.

Modern organisations must cope with greater uncertainty in an increasingly volatile and unpredictable world. How mature and well developed an organisation's approach to ERM is can significantly affect its capability to take strategic risk decisions. If the approach is underdeveloped, it can lead to serious reputational and financial damage. Organisations may have specialist risk functions such as insurance, health and safety and business continuity. An ERM approach brings all these aspects together to create an integrated approach that is clearly aligned with an organisation's governance and business objectives.

Using the standards in practice

The standards define what good risk management looks like. They provide an overview of what is expected of a risk professional at each stage of their career. They have been designed to be used by risk professionals, but also to be a valuable tool for employers, HR and training professionals, recruiters and regulators.

Individual risk professionals

Risk professionals are responsible for their own professional development. Individuals can use the standards as a benchmark to measure their current competence levels. The standards give individuals a useful tool to identify gaps in their knowledge and skills that may be a barrier to promotion, or to improve performance in their current job. They also provide clarity on what will be expected of individuals as they progress through the different career levels.

Employers, HR and training professionals

The standards help organisations benchmark their risk management capabilities against the competences they need. They help organisations identify knowledge and skills gaps, the corresponding learning and development needs, and any resource needs. The standards should also become a key aspect of any risk management recruitment and selection process, as they help with writing job adverts, searches, interviewing aids, and drafting job descriptions and role profiles.

Recruiters

The standards provide a valuable tool for recruitment firms and head-hunters. They help identify, benchmark and advise employers on the placement of appropriately qualified and experienced candidates for specific jobs.

Regulators

Regulators can use the standards as a guide to set out the criteria a fit and proper person should meet if practising risk management in a regulated sector.

IRM's Professional Standards Framework

The Professional Standards Framework has been developed by researching over 30 risk management and associated risk competency frameworks. We have also consulted extensively with practitioners, academics and employers. The Framework reflects our expectations of the knowledge, skills and behaviours required of those working in risk management. The standards have been designed to give individuals and organisations an overview of what risk professionals need to do, what they need to know and how they need to do it.

The Framework is made up of:
- Functional standards: these define the knowledge and skills required to do the job.
- Behavioural standards: these describe the personal qualities and behaviours needed to operate effectively.

This document sets out the functional standards. The behavioural standards, which underpin the functional standards, will be circulated for consultation separately in April.

Design principles

The standards have been developed to reflect:
- An enterprise risk management approach, recognising the principles of the global risk management standard, ISO, and other influential and relevant standards.
- The need for risk professionals to have both technical risk management and business knowledge and skills.
- Different levels of risk maturity within organisations, depending on size, sector and geographical region.
- The aspirations of organisations that wish to raise their risk management standards and capabilities and, where appropriate, develop a risk management function.
- The wide range of variations in job roles between sectors and organisations.
- The need for individuals and employers to adapt the standards to roles and responsibilities as strategy and priorities evolve.

IRM's standards are jargon free and easy to understand and use. They are flexible and can be adapted and implemented in all types of organisation, sector and geographical region. They are outcomes based and can easily be measured. They purposefully do not prescribe exactly what must be done or in what way, so that they remain adaptable and future-proof. While the standards are written as competences, they implicitly include the relevant knowledge needed to meet each competence.

Structure

The standards are broken down into four discrete areas:
1. Insights and context
2. Strategy and performance
3. Risk process
4. Organisational capability

Each of these areas has been divided into a number of components (see the standards set out below).

Career levels

Due to the universal nature of risk management and the wide variation in job roles between sectors and organisations, IRM's framework is based around four career levels, rather than specific job roles or titles. Each level encompasses a number of different roles and job titles. For example, the Leadership level includes Chief Risk Officer, Director of Risk, Head of Risk and Partner, and so on. The table below summarises what is expected at each career level. Knowledge in the standards is accumulated as individuals progress through the levels to Leadership.

Career level summary

Leadership level
Summary description: Highest level of knowledge and application. Key words: INFLUENCES / SHAPES. Shapes an organisation's risk management strategy and direction and provides oversight of risk management matters. Influences and informs decision-makers on risk strategies. Influences the direction and profile of risk management and the profession.
Examples of job titles: Chief Risk Officer, Director of Risk, Head of Risk, Director, Partner

Advanced level
Summary description: Advanced level of knowledge and application. Key words: DELIVERS / STEERS. Delivers risk management policies and procedures, contributes proactively to risk management strategies and oversees implementation. Steers and advises on improvements to risk management practices and associated changes, liaising with internal and external stakeholders.
Examples of job titles: Risk Manager, Risk Consultant, Risk Analyst, Head of Risk

Sufficient level
Summary description: Sufficient knowledge and application. Key words: IMPLEMENTS. Implements risk management processes and procedures effectively and actively champions risk management practice to internal and external stakeholders.
Examples of job titles: Risk Executive, Risk Officer, Risk Adviser, Risk Analyst, Risk Consultant

Basic level
Summary description: Basic knowledge and application. Key words: UNDERSTANDS / CONTRIBUTES TO TEAM. Understands and communicates the importance and benefits of risk management and supports the implementation of risk management processes and procedures.
Examples of job titles: Risk Assistant, Risk Officer

FUNCTIONAL AREA 1: Insights and context

This functional area describes how the successful risk professional uses knowledge of internal and external influences to ensure risk management is robust, agile and effective.

FUNCTIONAL AREA 1 COMPONENTS:
1A Risk principles and practice: understands the principles and practices of risk management and the relevance and uses of theories, processes and tools.
1B Internal environment: understands the internal environment of an organisation and its implications for risk management practices.
1C External business environment: understands how the external environment influences an organisation and the implications for risk management practices.

FUNCTIONAL AREA 1 STANDARDS:

1A: Risk principles and practice

1A1 Adapts risk management to context
Leadership: Promotes risk management as a central part of an organisation's strategic management.
Advanced: Educates an organisation on the probability, nature and scope of risks and opportunities and their likely impact on an organisation.
Sufficient: Advises on the selection and implementation of appropriate concepts, processes, tools and techniques.
Basic: Explains different types of risks and possible responses for their treatment.

1A2 Builds resilience
Leadership: Ensures that resilience is incorporated into strategy.
Advanced: Builds resilience across an organisation to manage current and future risks, opportunities and uncertainties.
Sufficient: Analyses the suitability of, and makes recommendations about, appropriate risk management tools and techniques.
Basic: Explains risk standards, concepts, theories, processes and approaches to risk management.

1A3 Promotes risk management
Leadership: Anticipates developments in risk management and influences it at a national and/or international level.
Advanced: Advises on the benefits and appropriateness of different approaches to managing risks.
Sufficient: Champions and explains the benefits of risk management to stakeholders.
Basic: Understands and explains the value of risk management.

1B: Internal environment

1B1 Aligns risk management strategy to strategy
Leadership: Shapes the relationship between an organisation's overall vision, mission, objectives, culture and strategy and the risk management strategy.
Advanced: Assesses the influence of an organisation's strategic intent, internal context and governance practices on risk management.
Sufficient: Encourages internal understanding of the link between an organisation's vision, mission, objectives, culture and strategy and risk management practices.
Basic: Understands the link between an organisation's vision, mission and operational objectives and risk management practices.

1B2 Influences decision making
Leadership: Influences an organisation to adopt a comprehensive, consistent and collaborative approach to risk management.
Advanced: Influences decision-making to achieve the right balance of risk and opportunity.
Sufficient: Interprets risk information and feeds it into structures and systems to support decision making.
Basic: Compiles relevant risk information to support decision making.

1B3 Improves policies and processes
Leadership: Drives how an organisation embeds risk management into its strategies, policies and processes to create the desired culture.
Advanced: Embeds risk management into strategies and policies.
Sufficient: Embeds risk management practices into operational processes.
Basic: Describes the factors involved in embedding risk management and supports embedding it into operational processes.

1C: External business environment

1C1 Emerging risks and horizon scanning
Leadership: Influences risk management across an industry sector and the wider business environment.
Advanced: Analyses the potential impacts of the external environment on an organisation.
Sufficient: Identifies and explains the factors in the external environment that may affect an organisation.
Basic: Describes the kinds of factors in the external environment that may affect an organisation (e.g. PESTLE).

1C2 Strategic risk
Leadership: Adapts the strategic alignment of an organisation's risk management to its external operating environment.
Advanced: Improves the alignment of an organisation's risk management to its external operating environment.
Sufficient: Identifies opportunities within the external environment to maximise reward and minimise risk.
Basic: Understands and explains the likely impact that external factors may have on an organisation.

1C3 Regulatory context
Leadership: Evaluates the implications and limitations of the regulatory environment for an organisation. Represents the risk management perspective to regulators as appropriate.
Advanced: Analyses the impact of developments within the regulatory framework.
Sufficient: Implements risk management activities to meet regulatory requirements.
Basic: Understands and describes the regulatory framework within which an organisation operates.

FUNCTIONAL AREA 2: Strategy and performance

This functional area describes how the successful risk professional develops a risk management strategy to meet an organisation's needs.

FUNCTIONAL AREA 2 COMPONENTS:
2A Risk strategy and architecture: develops and implements risk management strategy and architecture.
2B Risk policy and procedures: develops and implements proportionate risk management policy, guidelines, procedures and action plans to support the strategy.
2C Risk culture and appetite: shapes risk appetite and a risk culture that is intrinsic to an organisation's culture.
2D Risk performance and reporting: develops and implements an effective risk management measurement, performance and reporting framework.

FUNCTIONAL AREA 2 STANDARDS:

2A: Risk strategy and architecture

2A1 Defines risk strategy
Leadership: Achieves buy-in from the Board to develop a proportionate risk management strategy and architecture.
Advanced: Evaluates the extent to which individual risk strategies are coherent with the overall risk management strategy.
Sufficient: Understands the purpose and role of a risk management framework, strategy and architecture.
Basic: Explains the components of a risk management framework, strategy and architecture.

2A2 Implements risk strategy
Leadership: Leads the development of the risk management strategy and the approach to optimum risk appetite.
Advanced: Assigns ownership and levels of authority that comply with the requirements of the strategy.
Sufficient: Makes recommendations for improvements to the risk management strategy.
Basic: Provides information to support risk management strategy development.

2A3 Risk governance structure
Leadership: Establishes a coherent, transparent and rigorous governance structure that supports an organisation's risk appetite and culture.
Advanced: Ensures consistency between an organisation's risk management strategy, its strategies and its governance structure.
Sufficient: Communicates the requirements of the risk governance structure.
Basic: Describes the features of an effective risk governance structure.

2B: Risk policy and procedures

2B1 Risk policy
Leadership: Develops the risk management policy so that it is consistent with the risk management strategy.
Advanced: Implements plans and priorities to deliver risk management policy within agreed timescales and budgets.
Sufficient: Explains the purpose, role and benefits of embedding risk management policy and procedures into management policies and procedures.
Basic: Explains the purpose of the risk management policy and its procedures and components.

2B2 Risk methods and processes
Leadership: Defines risk management guidelines, accountabilities, methodologies, tools and techniques that meet strategy and policy requirements.
Advanced: Delivers risk management policy, ensuring that ownership and responsibilities are fulfilled within authority limits.
Sufficient: Advises on the appropriate use of methodologies, tools and techniques within the context of the risk management policy and guidelines.
Basic: Explains the features of methodologies, tools and techniques and their uses.

2B3 Risk management effectiveness
Leadership: Secures commitment and resources that will enable the effective implementation of the risk management strategy.
Advanced: Reviews the effectiveness of risk management policy and processes and the use of resources, and makes recommendations for improvements.
Sufficient: Analyses information to recommend improvements to risk management policies and procedures.
Basic: Provides information to support improvements to risk management policies and procedures.

2C: Risk culture and appetite

2C1 Desired risk culture
Leadership: Influences and exemplifies an organisation's leadership in determining the desired risk culture.
Advanced: Fosters an organisation's culture through the design of systems, processes and behaviours.
Sufficient: Acts as a role model and encourages others to live the agreed culture.
Basic: Explains the culture and acts accordingly.

2C2 Risk appetite defined and used
Leadership: Drives the board's understanding of risk appetite and its implications for strategy, tactics and operations.
Advanced: Drives an organisation's understanding of the balance between risk taking, risk management and personal rewards in line with its risk appetite.
Sufficient: Explains how an organisation establishes its risk appetite and tolerance.
Basic: Understands the concept of risk appetite and explains the factors that influence people's perceptions of risk and opportunities.

2C3 Risk maturity and ethos
Leadership: Shapes the approach to risk management at board level in line with an organisation's risk maturity.
Advanced: Embeds risk management approaches into an organisation's values.
Sufficient: Understands an organisation's current risk maturity and its implications for the implementation of risk management practices.
Basic: Understands the concept of risk maturity.

2D: Risk performance and reporting

2D1 Risk reporting
Leadership: Establishes a comprehensive risk reporting system and ensures compliance with other performance management structures and processes.
Advanced: Reports on the strategic and financial impact of risks that have been managed effectively and of unmanaged risks.
Sufficient: Ensures that risk reporting systems operate efficiently.
Basic: Explains the purpose of measuring and reporting risk performance and the use of technology to support effective risk management.

2D2 Risk metrics
Leadership: Integrates risk metrics with an organisation's other performance indicators, monitors them and responds accordingly to issues identified.
Advanced: Defines Key Risk Indicators and Key Performance Indicators (KRIs/KPIs) for evaluating risk performance and strategy, and develops a risk register and risk profile.
Sufficient: Uses analytical tools and techniques to monitor changes in risks and opportunities to an organisation and updates risk information.
Basic: Complies with legal, ethical and regulatory requirements in the gathering and recording of risk information.

2D3 Risk performance improvement
Leadership: Assures that the approach to risk management is fit for purpose through appropriate assurance and audit.
Advanced: Develops a time-sensitive, action-orientated risk reporting system that enables effective decision making and is capable of identifying actual and emerging risks.
Sufficient: Reports and explains recommendations for improvements based on systematic analyses of information at agreed intervals.
Basic: Produces reports highlighting areas of concern, change, emerging threats and opportunities.

FUNCTIONAL AREA 3: Risk process

This functional area describes how the successful risk professional manages the risk process.

FUNCTIONAL AREA 3 COMPONENTS:
3A Risk assessment: identifies, analyses and evaluates the nature and impact of risks and opportunities.
3B Risk treatment: develops, selects and implements risk treatment strategies and controls.

FUNCTIONAL AREA 3 STANDARDS:

3A: Risk assessment

3A1 Risk assessment process
Leadership: Defines the approaches to risk identification, analysis and evaluation and establishes the tools and techniques to be used.
Advanced: Interprets facts, patterns and trends to reach evidence-based decisions on the nature of risks and opportunities.
Sufficient: Uses a range of information sources and assessment methods to identify, analyse and evaluate risks and opportunities.
Basic: Explains and contributes to the risk assessment process.

3A2 Assessment tools and techniques
Leadership: Determines and deploys appropriate resources and investment.
Advanced: Scopes the potential impact of aggregated risks and worst-case scenarios, quantitatively and qualitatively.
Sufficient: Uses and advises on the appropriate risk assessment tools and techniques, and prioritises and classifies risks and opportunities.
Basic: Explains how and why to use different risk assessment tools and techniques.

3A3 Interpreting and explaining risk assessment information
Leadership: Evaluates the impact and value of potential strategic opportunities and integrates these into an organisation's strategy, and applies expert judgement on presenting the right level of risk information to the board.
Advanced: Evaluates interdependencies between risks, uncertainties and opportunities, critical failure points and resource implications.
Sufficient: Advises on how to produce and use appropriate risk assessment information.
Basic: Explains how to display the results of risk assessments.

3B: Risk treatment

3B1 Risk treatment processes
Leadership: Ensures an organisation's approach to the treatment of risk is focused, robust, proportionate and viable, and aligned with its risk appetite and strategy.
Advanced: Monitors the effectiveness of an organisation's approaches to risk treatment and makes recommendations.
Sufficient: Advises on and monitors risk monitoring and mitigation actions taken, and challenges when issues arise.
Basic: Understands and explains the suitability of different risk response options and control types.

3B2 Allocates resources
Leadership: Determines risk treatment strategies and resources to align with an organisation's approach to risk management.
Advanced: Develops, prioritises and resources suitable controls to treat identified risks and manage opportunities.
Sufficient: Advises on budgets and resources for risk treatment activities.
Basic: Understands and explains the costs and benefits of risk treatment activities.

3B3 Integrates business continuity and crisis management
Leadership: Integrates business continuity strategies and crisis management within an organisation's risk management strategy and plans.
Advanced: Ensures the continuing coordination of crisis management and business continuity strategies and plans with risk management.
Sufficient: Collates and analyses information to support crisis management and business continuity plans and activities.
Basic: Explains the principles and features of crisis management and business continuity.

FUNCTIONAL AREA 4: Organisational capability

This functional area describes how the successful risk professional develops and manages a skilled, agile and responsive risk organisation.

FUNCTIONAL AREA 4 COMPONENTS:
4A Communication and consultation: develops and implements communication structures and plans.
4B Change management: manages risks within strategic and operational change.
4C People management: provides systematic performance and skills development to meet strategic needs.

FUNCTIONAL AREA 4 STANDARDS:

4A: Communication and consultation

4A1 Risk communication infrastructure
Leadership: Establishes an organisation's approach and infrastructure for communication about risk management.
Advanced: Identifies media and methods for communicating the risk management strategy that align with target groups.
Sufficient: Uses agreed media and methods to communicate risk matters.
Basic: Communicates risk matters to agreed stakeholders, adhering to agreed values and standards.

4A2 Communication plans
Leadership: Promotes the position that risk management is a universal responsibility and acts as a risk champion across an organisation.
Advanced: Develops a risk communication plan in a way that furthers relationships with stakeholders and is consistent with an organisation's values and standards.
Sufficient: Seeks stakeholders' feedback on the effectiveness of the risk communication infrastructure and strategy.
Basic: Ensures that information communicated is accurate, complete and complies with relevant regulations.

4A3 Stakeholder management
Leadership: Develops an organisation's stakeholder engagement strategy so that it is consistent with the risk management strategy.
Advanced: Manages stakeholders' expectations in a way that is consistent with an organisation's values and standards.
Sufficient: Builds productive relationships with stakeholders through effective communication and consultation.
Basic: Supports risk communication and consultation processes within agreed guidelines.

4B: Change management

4B1 Embeds risk management into change
Leadership: Ensures that appropriate risk management is embedded throughout major change programmes.
Advanced: Advises on the risk management aspects of change.
Sufficient: Actively supports risk management aspects in change activities throughout an organisation.
Basic: Understands the nature of change and the role of risk management.

4B2 Culture change
Leadership: Achieves strategic and cultural change that optimises opportunities and mitigates risks through change programmes.
Advanced: Develops change plans to support agreed changes to strategies and policies.
Sufficient: Implements change plans in accordance with their role.
Basic: Supports others in managing risks in accordance with their role.

4B3 Champions change
Leadership: Promotes the vision for strategic change in line with the risk culture and strategy.
Advanced: Ensures change-related risks and opportunities are communicated effectively and managed proportionately.
Sufficient: Assesses the impact of the delivery of change plans, reporting any adverse effects or unexpected opportunities.
Basic: Contributes positively to tasks relating to the implementation of change.

4C: People management

4C1 People leadership
Leadership: Provides inspirational leadership that motivates and empowers people to fulfil their objectives.
Advanced: Supports and incentivises people to take responsibility for managing risks and opportunities within the limits of their role.
Sufficient: Influences the behaviour of others to ensure that risk management objectives and standards are met.
Basic: Understands the requirements of their own role and how it supports an organisation.

4C2 Right people, right roles
Leadership: Establishes an appropriately resourced structure that is capable of delivering the risk management strategy.
Advanced: Deploys the right mix of competence and expertise to meet strategic and operational imperatives.
Sufficient: Supports operational teams and individuals on the practice of risk management.
Basic: Takes active responsibility for their own personal and professional development.

4C3 Capability and skills
Leadership: Defines the knowledge and competence an organisation needs to meet risk management requirements.
Advanced: Practically develops the knowledge and competence of an organisation for the management of risks and opportunities.
Sufficient: Provides risk management support to individuals that enables them to achieve their objectives.
Basic: Contributes constructively to the achievement of agreed goals and objectives.