Critical Risks and Enterprise Risk Management
Guest Post by James Kline (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
In other pieces the Lloyd’s of London City Risk and the Natural Hazard Mitigation Saves studies were discussed. It was noted that both studies provide an assessment of the costs associated with the adverse impact of risk events. The Natural Hazard study focused on natural hazards, while the Lloyd’s study incorporates both man-made and natural hazard risk events.
This piece will examine the policy recommendations made by the Organization for Economic Cooperation and Development (OECD) for managing Critical Risks and its relationship to ISO 31000:2018.
In May 2014 the OECD published “Recommendation of the Council on the Governance of Critical Risks”. Critical risks are defined as “threats or hazards that pose the most strategically significant risk” because of their probability of occurrence and consequence. These can include earthquakes, industrial accidents, terrorist attacks, pandemics, illicit trade and organized crime. The impact of such events could cause damages equivalent to twenty percent of some countries’ Gross Domestic Product. Moreover, because of the interconnected global economy, a critical risk event can affect more than one country.
The definition of Critical Risks covers the risks assessed in the Lloyd’s and Natural Hazard Mitigation Saves studies. It, like the Lloyd’s study, includes both natural and man-made risks. Consequently, the OECD recommends an “all hazards” approach to risk mitigation. In this respect it is like the approach recommended by the International Organization for Standardization in its risk management standard ISO 31000:2018.
ISO and OECD Critical Risk Management
ISO 31000:2018 stresses that upper-level management needs to be involved in the risk mitigation effort. It also indicates that risk mitigation needs to be enterprise-wide and part of the administrative structure of the organization. While ISO focuses on the organizational implementation of risk management, OECD starts with national policy and moves downward. For instance, OECD recommends the development of a national strategy which includes:
- Identify and designate core capabilities required to preserve public safety, sustainable economic growth, market integrity and the environment against the harmful impact of critical risks;
- Clarify roles for the management of a country-wide portfolio of critical risks and identify who is responsible for taking actions to protect citizens and assets;
- Adopt an all-hazards approach that identifies inter-dependencies between critical systems;
- Set goals for each phase of the risk management cycle, defining priorities for prevention, mitigation, response, recovery and rehabilitation, and ensure that these priorities are integrated into the policies and programmes of departments and agencies;
- Allocate resources to develop and maintain the capabilities at all levels of government that are needed throughout the risk management cycle;
- Reinforce investment in prevention and mitigation efforts that limit the exposure of persons and core services to known hazards and reduce their vulnerabilities;
- Develop strategic plans to build safer and more sustainable communities. Pay attention to the design of critical infrastructure networks (e.g. transportation, telecommunications and information systems). Strategic plans should be coordinated with urban plans and territorial management policies which reduce the concentration of people and assets in areas where known exposures have increased over time;
- Require first responders stationed in critical infrastructure facilities to maintain plans to ensure that they can continue to exercise their functions in the event of an emergency, so far as is reasonably practicable.
The similarities between what ISO advocates and the policies put forth by OECD are obvious: take an all-hazards approach, ensure that risk management filters to all aspects of the organization, and prioritize risks for prevention and mitigation. OECD takes a similar approach to Lloyd’s when it encourages the adoption of ERM by local governments. The inclusion of building-code-related mitigative actions reflects the recommendations made in the Natural Hazard Mitigation Saves study. OECD goes beyond both studies by recommending that emergency action and recovery plans be developed.
The OECD’s policy recommendations for mitigating Critical Risks are like the process recommended in ISO 31000:2018. They link national policy recommendations with local government mitigative activities. These activities include investment in mitigative activities that limit exposure to known risks, the prioritization of the risks and the development of risk management capabilities at the local government level.
There are two things which make the two studies and the OECD policies important. First, the assessment of the dollar costs of adverse risk events, whether natural or man-made, gives management an understanding of the benefits of mitigative actions and the costs of not taking those actions. The availability of this cost information puts pressure on governments at all levels to take mitigative actions. Second, the 2014 OECD policies, which recognize that critical risks include more than natural disasters, are reinforced by the 2017 Lloyd’s study. The diversity of man-made risks leads to an all-hazards approach. This is like the approach advocated in ISO 31000:2018. Both the OECD policies and the 2017 Lloyd’s study stress that, operationally, risk mitigation requires an enterprise-wide approach. This shows that ERM is an important, internationally recognized risk mitigation technique.
James J. Kline is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence and a Certified Enterprise Risk Manager. He has over ten years’ supervisory and managerial experience in both the public and private sector. He has consulted on economic, quality and workforce development issues for state and local governments. He has authored numerous articles on quality in government and risk analysis.