I have been thinking about risk management a lot and how to make it as effective as possible. One concept that I have not seen but I would have expected would be ‘cascading risk management’.
The Neck Bone is Risk Managed by the Head Bone…
Cascading risk management is where senior levels of an organization manage risks that are germane to the entire organization, freeing subordinate levels to focus on their specific strategic, tactical and operational risk management. Here is an example in a fictional state or provincial government or larger for-profit company:
|Government Wide / National Wide||Strategic risks that affect the entire government and central services provided.||Government wide IT security, tax policy, inter-government relations.|
|Ministry/ Department||Strategic risks that affect the Department but exclude those identified as belonging to the government. Government wide risks are inherent to the Ministry’s Risk profile but do not need to be repeated unless they meet one of the following criteria:||Ministry of Finance further articulates the risks of debt management or tax policy. The Ministry of Health further articulates the risks related to a pandemic. The Ministry of Education reinforces the need to replace retiring teachers.|
|Division/ Branch||Strategic risks that affect a sub-element of the organization but exclude those sufficiently belonging to the above layers of the organization. The same conditions as discussed above apply but cascaded down one more level. Note that this level will generate Strategic, Tactical and Operational Risks.||Western Canada Marketing sub-Department. Tax policy unit of the Ministry of Finance.|
|Team/ Project/ Other Work Unit||Tactical and Operational Risks with a reference to the above cascaded risks. In this manner, the operational area can focus on the most critical risks affecting delivering their contribution to organizational objectives.||IT Project Team. Policy team drafting legislation. New product launch team.|
How is the Cascade Managed?
The above is predicated on the following assumptions:
- The senior levels of the organization have an effective risk management process including a risk registry available to subordinate areas.
- Resources managing risk at subordinate levels have a good awareness of the scope, limitations and intended usage for the senior risk management resources.
- Each of the resulting levels has an efficient and effective ‘container’ in which to cross-reference ‘cascade risks’.
- A subordinate level can point to a senior-level risk and then add to or modify it as required.
- This method is consistent with ISO 31000 as part of the Risk Identification step.
Assuming the above exists, a cascade risk statement may look like this:
- The Ministry of Finance, Tax Department / Tax Policy Unit has prepared the following risks that may impair its ability to meet its operational objectives.
- These risks exclude the following risks already articulated and reasonably managed by the indicated entities:
  - Government of Riskastan’s Economic assumptions and risks available via [link…].
  - The Ministry of Finance’s business plan which includes significant strategic risks affecting the unit and available via [link…].
  - The Tax Department’s Tactical and Operational plan which includes significant departmental strategic, tactical and select operational risks.
- The exceptions to the above exclusions are the following two risks that are further expanded upon by the unit:
  - Risk relating to the price of prunes and the Organization of Prune Exporting Countries to manage supply and thus price for prunes (Riskastan fiscal plan, page 17).
  - Risk related to retaining staff in the Tax Department who can count on both their fingers and their toes (Tax Department Operational Plan, list of assumptions and risks, page 71).