A three-step process to develop a strong risk management framework
By Louise Fleming, Partner, Aretai Consulting
Do you have a world-class award-winning risk management framework? Do you want one? The answer is 'probably not', but that is no reason to stick with what you have. Wherever your firm is on the 'risk management journey', you should at least complete an annual evaluation of the adequacy of your risk management framework. Best practice is to summarise this in a succinct paper for presentation to your board and/or senior management team, together with a prioritised action plan for identified gaps.
If you don't have this in place already, now is a good time to start. No business is perfect and there are almost certainly areas where you know you could improve risk management. There are three key benefits to this exercise:
- increased revenues as barriers to achieving strategic objectives are addressed;
- reduced costs as operational or credit losses are minimised; and
- the potential for lower professional indemnity insurance premiums next year.
Your value plan
Most risk management frameworks or processes have a 'continuous improvement' element (for example, see the ISO 31000 accreditation). A risk management 'value plan' could help you to continue to improve your firm's approach to risk management.
Let's be clear: this is NOT the time to write a 100-page document listing all the things that you could do to create a gold-plated world-class risk management framework. My suspicion is that, if you do so and present it to your board for sign off (and, no doubt, budget), it will be rejected. Instead, I suggest a three-step process.
Step 1: Evaluate the adequacy of your firm's approach to risk management
You may wish to benchmark against a recognised external model or against the components of your firm's own risk management framework. As well as getting your risk team's view on this, it is important to consult with stakeholders, including other functions (such as finance, HR or IT), internal audit (if you have it) and fee earners. Consider, in particular, your firm's:
- governance structure;
- organisational culture;
- risk appetite;
- risk identification and prioritisation;
- risk response;
- policies and procedures;
- information systems;
- risk event reporting;
- independent assurance;
- control remediation; and
- information and communication.
Step 2: Prioritise the top three areas to improve risk management
There is no point in setting out a plan to boil the ocean. It is important to be realistic about the availability of resources (people and financial) and the capacity of your business to execute change.
You may wish to use a simple scoring system to evaluate your firm's framework, or it may be obvious what the top three priorities are for your business. Ideally, the priorities will result in measurable value-add to the business and will play to the priorities of wider stakeholders (for example the board, internal audit, regulators and so on), as well as the risk function's to-do list. You are looking for this response: "of course, that makes sense", not "what are they on now?!"
Step 3: Identify the SMART objectives for the top three areas
It is worth investing time to work through specific, measurable, achievable, relevant and time-bound (SMART) objectives for each of the top three areas identified to improve risk management.
These should be treated in the same way as performance objectives for other parts of the business. This will help to identify the investment and buy-in required and to track progress so that promised value is delivered.
The elephant in the room
Taking action to complete a timely assessment of your risk management framework is all very well, but what about the elephant in the room? That is, the risk(s) you know of already that you still haven't addressed.
Optimising your risk management framework is about ensuring you have processes to govern, identify, control, monitor and report risks to achieve the firm's strategic objectives. However, if your existing risk management framework has identified risks that are not being managed effectively or efficiently, these also need to be addressed.
In addition to continuous improvement of the firm's risk management framework, most if not all firms have identified key risks where the controls in place to mitigate the risk are either:
- not designed effectively; or
- not operating effectively to reduce risk to an acceptable level.
You know what they are. You know what you need to do. I am not suggesting that you abandon continuous improvement in your framework in preference for fire-fighting. But I am suggesting that, alongside risk management framework evaluation and improvement, you flag up the risks to your strategic objectives that need to be addressed today.
Louise Fleming has 20 years' experience working with professional and financial services firms in business and risk management (www.aretai.net)