03 References (Same) - RMG02101ENME - v3 (AD02) - Nov2019
This document contains typical activity solutions and additional information referred to
during the course.
Table of contents:
Activity 1: Overall tasks
Activity 2: Baseline gap analysis
Activity 3: Create a Gantt chart
Activity 4: Determine leadership, commitment and integration
Activity 5: Understanding organizational context
Activity 6: Risk management policy
Activity 7: Determine communication and consultation approach: Framework process
Activity 8: Evaluation and improvement
Activity 9: Determine communication and consultation approach: Risk management process
Activity 10: Determine the scope
Activity 11: Determine the risk criteria
Activity 12: Risk identification
Activity 13: Analyse and evaluate risks
Activity 14: Determine risk treatment options
Activity 15: Create a risk treatment plan
Activity 16: Determine recording and reporting
Activity 17: Your implementation feedback to management
2. Determine the external and internal context in which your organization is seeking to achieve its objectives
4. Assign roles, authorities, responsibilities and accountabilities for relevant roles with respect to risk management
6. Develop an appropriate implementation plan based on the gap analysis and Gantt chart
8. Create an action plan to adapt the risk management framework to address external and internal changes
This questionnaire can be kept by delegates and used again to track progress towards a fully
implemented risk management framework. Target scores and what they indicate about the
companies concerned:
Please complete the examples in your Toolkit. This will be available to you on a memory stick
as well.
Sample answer
Four main areas that will demonstrate leadership and commitment in your organization
(Clause 5.2):
• Customizing and implementing all components of the framework
• Issuing a statement or policy that establishes a risk management approach, plan or
course of action
• Ensuring that the necessary resources are allocated to managing risk
• Assigning authority, responsibility and accountability at appropriate levels within the
organization
Four areas/functions in your organization where decisions are taken (Clause 5.3):
• Strategic decisions – Board level
• Operational decisions – CEO level
• Functional decisions – Vertical head level
• Day-to-day decisions – Function/project level
Strategic level
• Decisions on mergers/de-mergers, growth, cross-boundary, considering more options
during strategy selection
Tactical level
• Considerations to decision on approach to implement strategy
Operational level
• Day to day working; decision on risk taking/mitigation
• Project risk
• Decision on impact/probability criteria
• Decision on conflicting interests
Purpose of organization:
Telecom Company is an IT support and services provider. The organization’s purpose is to
provide IT support and hosting services to both public and private sector organizations.
Internal and external issues may include but are not necessarily limited to the following:
Internal issues:
• Structure of the organization
• Roles within the organization
• Availability of a reliable, qualified and competent workforce
• Stability of the workforce
• Staff retention
• Impact of unionization
• Staff training levels
• Contractual arrangements with customers
• Payment terms from customers
• Solvency of customers
• Expansion of customer base
• Overall strength of business to support funding needs
• Opportunities to improve technology e.g. leasing of equipment
• Power consumption
• Data Centre capacity (physical and environmental)
• Resilience of infrastructure
• Relationship with investors
• Credit terms available
• Service level agreements with customers
• Culture within the organization
External issues:
• Political, economic, social, technological, legal and regulatory
• Environmental e.g. power consumption, recycling or destruction of equipment etc.
• Overall economic performance in the country
• Economic plans for future
• The nature and impact of economy on hosting market
• Customer demographic
• General levels of consumer confidence
• Growth of outsourcing business
• Competitive environment – overall low cost of entry into the market
• Customer expectation
• Standardization and certification within the industry
• Fuel prices – international pressures, domestic market pressures, government
taxation regime, etc.
• Regulation within the industry generally
• Licensing requirements in respect of software
• Trade associations and lobbying powers
• Impact on neighbours
Example
The objective of this policy is to implement the highest standards of business risk
management across the organization.
ABC defines risk as events and consequences that constitute opportunities for benefit and
also threats to success.
The Board recognizes its responsibility for knowing and understanding the most significant
risks facing the organization and for ensuring that the risk management framework is
effective in the management of risk and is clearly embedded throughout the whole
organization.
All employees have the duty to identify and escalate risks through their line management.
Managers at all levels are responsible for ensuring that risks to their activities are identified,
recorded, assessed and managed on an agreed basis.
The risk management framework outlines the process of achieving successful risk
management by identifying the key elements required and the process for implementation.
The organization’s risk appetite will be identified and set annually by the Board and
communicated throughout the organization. All risks identified must be treated appropriately
to bring them within the organization’s risk appetite. Deviation from this process is only
permissible with the express approval of the Board.
Risks will be reported and reviewed monthly by the Executive and biannually by the Board.
Regional and functional risks will be reviewed in accordance with the review program laid
out in the risk management framework. The Board will also review the effectiveness of the
risk management framework and risk management program.
Signed
CEO
Some examples of what needs to be communicated (high risks) to oversight body and top
management may include:
• Results of risk assessment
• Key risk indicators (leading and lagging)
• Results of audits
• Feedback from interested party/stakeholders
The oversight body may be required to fulfil some of the following responsibilities as part of evaluation
and improvement:
• Supporting senior management in establishing the risk appetite, monitoring
compliance with the organization’s risk policy
• Monitoring the adequacy of controls
• Monitoring changes to the organization’s risk profile
• Assisting the organization to understand its key risks
• Periodically reviewing the effectiveness, appropriateness and adequacy of the risk
management and reporting process
When identifying and analysing risks, it is important to include all stakeholders who would be
impacted if the risk were to materialize. Please find an example below:
We would seek to gather all the information necessary to describe the risk: what could happen,
why and how.
Risk analysis: Once again, you would need to consult experienced employees/staff on how to
ascertain the probability of the risk identified as well as what the impact would be. An
individual may NOT have the complete information; hence the need for communications and
consultation.
This is the first stage of the risk process and needs to address the following questions:
Determining the risk criteria is the first and the most critical step in the risk assessment process.
Sample likelihood criteria covering the following areas are provided in the table below:
• Financial
• Operational
• Legal/contractual
• Customer satisfaction
Sample impact criteria covering the following areas are provided in the table below:
• Financial
• Operational
• Legal/contractual
• Customer satisfaction
High (3): Financial loss above $10000; OR SLA not being met for more than 10 clients; OR contract violations amounting to heavy penalties in one quarter; OR customer satisfaction issue severe in nature and escalated at a global level.
Med (2): Financial loss greater than $5000 and less than $10000; OR SLA not being met for more than 5 clients; OR contract violations amounting to moderate penalties half-yearly; OR customer satisfaction issue moderate in nature and escalated regionally.
Low (1): Financial loss less than $5000; OR SLA not being met for fewer than 5 clients; OR contract violations amounting to minor penalties once a year; OR customer satisfaction issue minor in nature and locally resolved.
Please find examples under each category below. Make sure to note down examples
provided by other groups.
Financial risk
Financial loss in revenue due to loss of customer base arising from competition bringing
down their sale price.
Operational risk
Penalties imposed by clients due to SLAs not met arising from non-availability of skilled
staff.
Legal risk
Notice by the local municipality to close down premises due to failure to produce the fire
clearance required by law.
Customer satisfaction
CSAT results falling due to failure of the company to address the issues arising from
customer records having incorrect/incomplete details in the system database.
Sample answer
Risk evaluation
Risk ID | Risk description | Probability (P): H = 3, M = 2, L = 1 | Impact (I): H = 3, M = 2, L = 1 | Risk value (P * I): H (≥ 6), M (≥ 3 and ≤ 6), L (≤ 3)
Sample answer
2 | Penalties imposed by clients due to SLAs not met arising due to non-availability of skilled staff | Medium | Mitigate
3 | CSAT results falling due to failure of the company to address the issues arising due to customer details having incorrect/incomplete details in the system database | High | Mitigate (High Priority)
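The scoring used in the risk evaluation and treatment tables (impact level from the OR-joined criteria, risk value = P * I, band from the value) can be written down as a small, repeatable routine. The following is an added example for illustration and is not part of the course material or its toolkit: the probability and impact scores assigned to the two sample risks are constructed here (the original scores are not reproduced on the page), and the handling of values that fall exactly on a band boundary (a loss of exactly $5000 or $10000, exactly 5 clients, and the risk values 3 and 6, which the page's bands share) is an assumption, resolved to the more severe band.

```python
"""Risk evaluation helper (added example, not course material).

Implements the course's sample impact criteria and the P * I risk-value
bands. Boundary handling is an assumption: values on a band boundary are
resolved to the more severe band, which is the conservative reading.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Probability / impact scale from the course table: H = 3, M = 2, L = 1.
SCALE = {"H": 3, "M": 2, "L": 1}


def impact_from_criteria(financial_loss: float = 0.0,
                         sla_clients_missed: int = 0,
                         penalty_severity: Optional[str] = None,
                         csat_escalation: Optional[str] = None) -> int:
    """Map the sample impact criteria to a 3/2/1 impact score.

    The criteria are joined by OR on the page, so the overall impact is the
    most severe score that any single criterion produces. Exact boundary
    values ($5000, $10000, 5 clients) are not covered by the page's wording
    and are resolved here to the more severe band (assumption).
    """
    scores = [1]  # Low unless a criterion says otherwise

    # Financial: above $10000 -> High; $5000..$10000 -> Medium; below $5000 -> Low.
    if financial_loss >= 10000:
        scores.append(3)
    elif financial_loss >= 5000:
        scores.append(2)

    # SLA: more than 10 clients -> High; more than 5 -> Medium; fewer than 5 -> Low.
    if sla_clients_missed > 10:
        scores.append(3)
    elif sla_clients_missed >= 5:
        scores.append(2)

    # Contract violations: heavy / moderate / minor penalties.
    penalty_map = {"heavy": 3, "moderate": 2, "minor": 1}
    if penalty_severity is not None:
        scores.append(penalty_map[penalty_severity.lower()])

    # Customer satisfaction: escalated globally / regionally / resolved locally.
    csat_map = {"global": 3, "regional": 2, "local": 1}
    if csat_escalation is not None:
        scores.append(csat_map[csat_escalation.lower()])

    return max(scores)


def risk_band(probability: int, impact: int) -> tuple[int, str]:
    """Return (P * I, band) using the page's bands H (>=6), M (3..6), L (<=3).

    The bands share their boundary values (3 and 6); testing the most severe
    band first resolves each shared value upwards (assumption).
    """
    value = probability * impact
    if value >= 6:
        return value, "High"
    if value >= 3:
        return value, "Medium"
    return value, "Low"


@dataclass
class Risk:
    risk_id: int
    description: str
    probability: int  # 3 / 2 / 1
    impact: int       # 3 / 2 / 1

    def evaluate(self) -> dict:
        value, band = risk_band(self.probability, self.impact)
        return {"id": self.risk_id, "value": value, "band": band}


# Constructed register: the two risks from the course's sample answer, with
# probability and impact inputs chosen here for illustration only.
SAMPLE_REGISTER = [
    Risk(2, "Penalties imposed by clients due to SLAs not met arising from "
            "non-availability of skilled staff",
         probability=SCALE["M"],
         impact=impact_from_criteria(sla_clients_missed=6,
                                     penalty_severity="moderate")),
    Risk(3, "CSAT results falling due to incorrect/incomplete customer "
            "details in the system database",
         probability=SCALE["H"],
         impact=impact_from_criteria(csat_escalation="global")),
]


def evaluate_register(register: list[Risk] = SAMPLE_REGISTER) -> list[dict]:
    """Score every risk in the register; rows come back in register order."""
    return [r.evaluate() for r in register]


if __name__ == "__main__":
    for row in evaluate_register():
        print(row)
```

With the constructed inputs above, risk 2 scores P = 2, I = 2, value 4 (Medium) and risk 3 scores P = 3, I = 3, value 9 (High), which matches the bands shown in the sample answer; changing a single criterion input is enough to see how the OR rule moves a risk between bands.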
Sample answer
3 | CSAT results falling due to failure of the company to address the issues arising due to customer details having incorrect/incomplete details in the system database | High (High priority) | Reputational and customer dissatisfaction | Sales Director | Procure tool for integrity of data | Audit | Weekly