Risk Management Frameworks
Our experience shows that ERM processes in Poland – mainly frameworks, policies, procedures, and methodologies – are primarily governance driven. There are of course some exceptions; in the energy sector, for instance, one company has been identified that makes a deliberate effort to increase its value through effective risk management.
Writing a risk management policy is relatively easy. Typically, the policy is combined with a risk assessment methodology. The main framework used in Poland is COSO 2004, which is almost always applied in full by the public sector; it can be described as an auditor's view of risk management. Some companies use the MoR (Management of Risk) Framework of the UK Office of Government Commerce, some have become interested in ISO 31000, some use frameworks developed and delivered by consulting companies, and some have elaborated their own framework by combining aspects of the frameworks just mentioned.
After the relatively easy part – writing some documents – the execution phase starts. What are the typical challenges during the execution phase? In an ERM implementation in which we participated, confirming the risk owners was one of the first challenges, as business managers perceived being a risk owner as an unfavorable label in the company. For example, a billing process owner did not understand why he should be a risk owner, although he managed the budget and had targets and goals related to the billing process. The billing process owner did not want to be a risk owner for political reasons – he did not like to be associated with problems in the IT billing systems, and he postulated that the head of IT should also be a risk owner. This is an example of a typical silo-based approach: for middle- or high-level managers, being a risk owner looks like a dangerous role. Finally, after discussions confirming that he held the budget to influence the process, and by reference to the risk management policy, he had to agree, but he was not happy with the new responsibility. So perhaps it is better to call the role a risk management leader, risk coordinator, or risk manager, rather than a risk owner.