IRM ERM M1.U4.5 Communication versus consultation Flashcards
ISO Communication and consultation
ISO Guide 73:2009, the standard on vocabulary for risk management, defines communication and consultation as follows:
“continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders (3.2.1.1) regarding the management of risk (1.1)
Note 1 to entry: The information can relate to the existence, nature, form, likelihood (3.6.1.1), significance, evaluation, acceptability and treatment of the management of risk.
Note 2 to entry: Consultation is a two-way process of informed communication between an organization and its stakeholders on an issue prior to making a decision or determining a direction on that issue.
Consultation is:
a process which impacts on a decision through influence rather than power; and
an input to decision making, not joint decision making.”
Risk Communication- Whistleblowers
communication is ensuring that there are adequate arrangements in place for ‘whistleblowers’.
This has been part of the public interest disclosure legislation in UK since the late 1990s but has taken new life since the global financial crisis and in particular the EU Directive on Whistleblowing, effective from 2021 – the year after the UK left the EU, so it is uncertain as to its full applicability.
However, there is a clear trend to more strictly enforce whistleblowing rules and this is a key area for the risk manager to make clear to management,
Whistleblowing ex. - Barclays fine for breach
Barclays fine for whistleblowing breach In December 2018 Barclays was fined $15 million by New York State’s Department of Financial Services for violating the State banking laws, as well as being found to have contravened its own procedures in handling a whistleblowing complaint. The responsibility for such action lay at the feet of the Chief Executive, Jes Staley, who was found to have attempted to unmask the author of an anonymous letter sent to senior management within Barclays and which should have been dealt with under whistleblowing rules. As well as the fine in the USA, Mr Staley was personally fined £642,430 by the UK regulator and had his bonus pay cut by £500,000.
A common language / Risk & Risk Culture
The first reason an organization needs a risk language is to underpin its risk culture.
Everyone in the organization has a role in an effective risk management process. Most organizations have many layers (eg executives, line managers and employees) and ‘silos’ (eg technology, treasury, operations, quality management and compliance).
A common language is needed to cut through the layers and break down the silos. Without a common language, the risk management team will spend too much time resolving communication issues at the expense of their primary responsibilities.
RACI chart
For projects, roles and responsibilities are commonly depicted in a RACI chart. This chart is a simple responsibility assignment matrix, which lists relevant stakeholders and their level of involvement in the project, which is denoted by the letters RACI: Responsible, Accountable, Consulted, Informed.
Communications Plan
What Is A Communications Strategy Plan?
A communications strategy is a plan for communicating with your target audience. It includes who you are talking to, why you are talking to them, how and when you will talk to them, what form of communication the content should take and what channels you should use to share it.
Crisis communication plan
2 equally effective strategies:
one for “now” and another that can be deployed in anticipation of events that might happen later down the road.
A crisis communication plan helps cushion against unexpected turns of events, no matter what happens.
SO 31000:2018 communication vs consultation
ISO 31000:2018 goes further in explaining communication and consultation, noting that
communication seeks to promote awareness and understanding of risk, whereas
consultation involves obtaining feedback and information to support decision making.
Reporting feedback loops
Feedback loops are an important aspect of communication. It can often feel like risk information is escalated up the management levels using a variety of risk report which then seems to disappear into a void. Engagement in the risk management process is detrimentally affected when risk information is shared with management, but then there is no reply or feedback as the information sharing is not reciprocated.
Where there is no feedback loop, the person sharing the information has no idea whether the information has been shared, whether it has been understood, and whether the information has been utilised
Board responsibilities with risk reporting / FRC 2016
Risk communication and reporting
Internal and external risk management communication takes place.
Necessary risk information is communicated to and from the board.
External Reporting / FRC disclosures
The Financial Reporting Council (FRC), in their ‘Guidance on Risk Management, Internal Control and Related Financial and Business Reporting’ goes further in expecting a number of disclosures relating to risk management in annual reports and accounts:
The principal risks
Whether directors have a reasonable expectation that the company will be able to continue and operate to meet its liabilities
The going concern basis of accounting
A review of and the main features of the risk management and the internal control system
The FRC note that the purpose of this reporting is to not only provide information on the risks and risk management but also to demonstrate and encourage stewardship and governance of the Board and their shareholders.
The UK Government has developed reporting guidelines that are aligned with the Orange Book in their ‘Good Practice Guide - Risk Reporting:2021’. These guidelines consider what risk reporting is and provides information on four different types of reporting: the principal risk report; the deep dive report; the risk radar, and the risk moderation.
Orange Book Good Practice Guide - Risk Reporting:2021’ 4 Types of Risk reporting
Orange Book in their ‘Good Practice Guide - Risk Reporting:2021’. These guidelines consider what risk reporting is and provides information on four different types of reporting:
the principal risk report;
the deep dive report;
the risk radar, and
the risk moderation.
Orange Book / The benefits of regular risk reporting include:
The benefits of regular risk reporting include:
* Embedding a consistent understanding of principal and emerging risks, thereby
reducing the uncertainty of outcomes within an organisation
* Monitoring progress in achieving or maintaining tolerable or optimal risk appetite
positions across an organisation,
* Enabling an organisation to understand the effectiveness of internal controls and
take direct, timely and informed interventions as required
* Integrating risk, planning, performance and prioritisation discussions to enable
informed consequence-based decisions
* Providing assurance to stakeholders, including oversight bodies, that risks are
understood and being effectively managed
* Providing oversight of business activities, enabling a dynamic response to
unplanned events threatening delivery of priorities and strategic objectives
Orange Book Enterprise risk reporting
Enterprise risk teams should therefore develop and deliver clear, informative and useful reports or dashboards highlighting key information enabling effective management.
This information should provide visibility against each principal risk, compare results against key performance/risk indicators, indicate whether these are within risk appetite, assess the effectiveness of key management actions and summarise the assurance information available.
Reports should include qualitative and quantitative information where appropriate, show trends and support early warning indicators. Understanding and decision-making should be supported through the presentation of information in summary form and the use of graphics and visualisation.
