Risk management process - Establish the context
Establishing the context defines the parameters within which risks should be identified, prioritised and managed. Some areas that can be considered in determining the context include:
Scope and structure of the organisation, branch function or process
Legal, financial, cultural, political, socio-economic and physical aspects
Key drivers and trends impacting the objectives of the organisation
Organisation’s governance structure, culture, vision, goals, objectives and strategies (whether strategic or operational)
Relevant internal and external stakeholders and partners
Current key risks for the organisation.
Relevant to establishing the context for risks is the distinction the organisation makes between different types of risk. Most organisations distinguish three types of risk:
Strategic - risks that are associated with the strategic objectives of the organisation. These risks don't often change and are aligned with long-term objectives.
Operational - risks that are related to the ongoing procedures of the organisation. They are either long-term or short-term risks, depending on the objectives they relate to.
Project - risks that are linked to projects and programs that are managed by the organisation and are generally captured through the project management methodology used by the organisation.
Once the internal and external context is understood, the risk management context (what it is that we are going to do) can be established. The scope and boundaries of where the risk management process will be applied must be clearly defined, taking into consideration both the costs and benefits of risk management.
Key questions to ask when establishing the context may include:
What is the purpose/mission/objective(s) of our area?
What threats do you see that may affect the achievement of our area’s goals and objectives?
What opportunities do you see that could enhance the achievement of our area’s goals and objectives?
What are the strengths and weaknesses of our area (SWOT)?
Who are our internal and external stakeholders?
How is our area accountable to stakeholders?
Reviewing the sources and categories of risk may assist in establishing the context. When considering the environment in which risks will be identified, the basis from which a risk originates is an important element in controlling and treating that risk.