The 2004 Edition of The Orange Book provides guidance helpful for the following individuals:
- Those new to risk management and those tasked with providing training on risk management in their organizations
- Reviewers of risk management (such as audit committees) – this will provide a comprehensive set of principles for evaluating risk management
- Senior staff, to help them guide leadership surrounding a culture that supports ERM
- Risk management staff who have operational responsibilities for day-to-day risk management
- Experienced risk management professionals – explore higher level concepts, e.g. risk appetite (the amount of risk that is tolerable and justifiable)
Risk management faces many challenges. Although risks are unavoidable, the resources available for managing them are finite. The challenge for organizational leaders is therefore to find the optimum response to risk, prioritized in accordance with the evaluation of those risks. Effective risk management does not operate in a vacuum; it gives full consideration to the context in which the organization operates. The management of risks needs to be integrated throughout the organization so that the various risk management activities support, rather than compete with, each other. Leaders at all levels within the organization need to be equipped with appropriate skills and common processes to ensure risk management is implemented appropriately at each level. Organizational leaders need best-practice thought leadership to help them navigate the complex arena of risk management.
The 2004 edition of The Orange Book provides an introduction to the range of considerations that apply in risk management. The guidance contained within it can be applied at various levels, ranging from the management of a particular project to the establishment of an organization-wide risk management policy. This document is not a detailed instruction manual. Rather, it introduces a broad range of issues surrounding risk identification, risk assessment, risk appetite, risk responses, risk reporting, and risk communications, among others.
The Orange Book recognizes that there is no standard of risk management for government organizations. Thus, this document builds on numerous other already-established risk management frameworks to establish “principles” of risk management that can serve as a framework for assessing the maturity of risk management in government organizations. One can adopt standards, but it is more important to demonstrate that risk is managed in the organization in its particular circumstances in a way that supports the delivery of its objectives.
The remainder of this synopsis summarizes key components of The Orange Book guidance.
Risk Management Model
Risk management cannot be a linear process. Instead, effective risk management recognizes that there are a number of interwoven elements that interact with each other. The challenge to effective risk management is identifying the appropriate balance in knowing how to respond as risks evolve and impact one another.
The Orange Book introduces a risk management model that reflects ongoing risk management as a never-ending circular process. Core elements in the risk management model include risk identification, risk assessment, risk response, and risk reporting. Running through all of these components is the need for communication and learning across the organization. The model illustrates that the core risk management process cannot be isolated. Instead, it operates within a particular context, which can be affected by risk drivers both within and external to the organization.
The first step in risk management is building the organization’s risk profile. There are two phases: initial risk identification and continuous risk identification. The key to risk identification is always linking risks to the objectives they impact. Without such linkage, the organization will struggle to prioritize risk. Because a risk may affect more than one objective, its impact can vary greatly, warranting more attention as the impact increases.
As risks are identified, they should be documented along with their corresponding objective(s). It is important that the documentation of each risk specifically identify both the cause of the impact and the impact on the objective.
The document provides additional guidance about grouping related risks, approaches used to identify risks, and techniques to conduct “horizon scanning” procedures to continually maintain an awareness of leading key indicators of risks lurking over the horizon.
Because some risks lend themselves to quantitative analysis while others, such as reputational risk, require more subjective determination, it is necessary that an organization develop some framework for assessing risks. Three principles for assessing risk include the following:
- Make sure there is a clearly structured process in which both likelihood and impact are considered for each risk
- Record the risk in a way that facilitates monitoring of the risk and the identification of priorities
- Be clear on what is residual and what is inherent
As much as possible, risk assessment practices should rely on unbiased, independent evidence, and the assessment must be determined by evaluating both the likelihood and the impact of risks. While there is no standard scale for determining likelihood and impact, the organization needs to clearly establish its evaluation scale so that risks are measured consistently across the organization.
Once assessed, risks must be evaluated against the organization’s risk appetite, which reflects the boundaries of acceptable risk levels authorized by management. These boundaries should give each level of the organization clear guidance on the limits of risk that it can take, whether the consideration is a threat and the cost of control, or an opportunity and the cost of trying to exploit it.
The document provides guidance about three levels of risk appetite: corporate risk appetite, delegated risk appetite, and project risk appetite. Corporate risk appetite reflects the overall amount of risk that the organization can tolerate and should be set at the board level. Delegated risk appetite takes the corporate risk appetite and cascades it down, tailoring the proper risk appetite to the objectives at the appropriate level where they are managed on a day-to-day basis. Project risk appetite relates to risk tolerances for projects that fall outside day-to-day business activities, such as speculative or pilot projects.
Effective risk management and delegation throughout the organization require escalation processes in which risk trigger points are established, so that management within the organization knows when risks should be elevated to the next level of management.
The purpose of addressing risk is to turn uncertainty to an organization’s benefit by constraining threats and taking advantage of opportunities. There are multiple ways to address risks. The Orange Book defines any action to address risks as “internal control.” The following internal controls may be used by an organization to manage risks. The organization can:
- Tolerate it
- Transfer it
- Terminate it (end the activity causing the risk)
- Constrain it to an acceptable level
- Live with it (may be able to transform it to a benefit)
After risks are addressed, the remaining risk is “residual risk.” The residual risk should be within the risk appetite.
Reviewing and Reporting Risks
The purpose of reviewing and reporting on risks is to:
- Monitor whether or not the risk profile is changing
- To gain assurance that risk management is effective
- To identify when further action is necessary
Processes should be in place to review whether risks continue to exist, whether those risks are increasing, and whether new risks are arising. Additionally, organizations need to periodically assess the effectiveness of their overall risk management process to determine whether it remains appropriate and effective.
The Orange Book identifies several tools and techniques that are available for reviewing and reporting risks. It also describes the role of internal audit, the audit committee, and risk committees in managing and monitoring risk management practices.
Communication and Learning
Communication and learning run through the whole risk management process; they are not a distinct stage in the management of risk. An organization cannot do horizon scanning if it does not have a good network of communications with relevant contacts and sources of information to facilitate identification of changes that will affect the organization’s risk profile.
Everyone in the organization should understand what the organization’s risk strategy is, what its risk priorities are, and how their own responsibilities in the organization fit into that framework.
An organization should ensure that each level of management, including the Board, gets sufficient information about risk to allow it to plan action in respect of identified risks. These may be residual risks that are not acceptable, or risks deemed acceptable when controlled. There should be an established routine and a mechanism for escalating important risks that suddenly develop or emerge.
The Extended Enterprise
The extended enterprise consists of interdependent relationships, parent relationships, and contractual relationships. Thus, no organization is self-contained, and risk drivers can arise from organizations that extend beyond the enterprise. These relationships give rise to a need for assurance that risk is being managed in each relationship both appropriately and as planned.
Risk Environment and Context
The risk environment is beyond the boundary of the “extended enterprise.” The environment may generate risks that cannot be controlled, or may constrain the way the organization is permitted to take on or address risk. Often, the only response to the risk environment is to make contingency plans (terrorism, for example, cannot be mitigated – one can only make contingency plans to attempt business continuity). Contributors to the risk environment include:
- Laws and regulations
- The economy
- Stakeholder expectations
Overall Assurance of Risk Management
To arrive at an overall opinion on risk, the scope of the processes for obtaining assurance should encompass the entirety of the organization’s risk management lifecycle. The review will need to provide:
- Assurance of the risk management strategy
- Assurance of the management of risks/controls
- Assurance of the adequacy of the review/assurance process
Assurance should be sufficient in scope and weight to support the conclusion and to be relevant, reliable, understandable, and free from material misstatement.