By establishing the framework for the management of risks, the basic parameters within which risks must be managed are defined. Consequently, the scope for the rest of the Risk Management process is also set. It includes the definition of basic assumptions for the organization's external and internal environment and the overall objectives of the Risk Management process and activities. Although the definition of scope and framework is fundamental for the establishment of Risk Management, it is independent of the particular structure of the management process and of the methods and tools used for the implementation.
In order to define an efficient framework it is important to:
- understand the background of the organization and its risks (e.g. its core processes, valuable assets, competitive areas etc.);
- evaluate the Risk Management activities being undertaken so far;
- develop a structure for the Risk Management initiatives and controls (countermeasures, security controls etc.) to follow.
This approach is useful for:
- clarifying and gaining common understanding of the organizational objectives;
- identifying the environment in which these objectives are set;
- specifying the main scope and objectives for Risk Management, applicable restrictions or specific conditions and the outcomes required;
- developing a set of criteria against which the risks will be measured;
- defining a set of key elements for structuring the risk identification and assessment process.
This step includes the specification of the external environment in which the organization operates and the definition of the relationship between this environment and the organization itself.
The external environment typically includes:
- the local market, the business, competitive, financial and political environment;
- the law and regulatory environment;
- social and cultural conditions;
- external stakeholders.
It is also very important that both the perceptions and values of the various stakeholders and any externally generated threats and/or opportunities are properly evaluated and taken into consideration.
As in every significant business process, the most critical prerequisite is to understand the organization itself.
Key areas that must be evaluated in order to provide a comprehensive view of the organization’s internal environment include:
- key business drivers (e.g. market indicators, competitive advances, product attractiveness, etc.);
- the organization’s strengths, weaknesses, opportunities and threats;
- internal stakeholders;
- organization structure and culture;
- assets in terms of resources (such as people, systems, processes, capital, etc.);
- goals and objectives and the strategies already in place to achieve them.
In business terms, Risk Management as a process should provide a balance between (all kinds of) costs, benefits and opportunities. Therefore, it is necessary to draw the appropriate framework and to correctly set the scope and boundaries of the Risk Management process.
Setting the Risk Management context involves defining the:
- organization, process, project or activity (to be assessed) and establishing its goals and objectives;
- duration of the project, activity or function;
- full scope of the Risk Management activities to be carried out, specifying any inclusions and exclusions;
- roles and responsibilities of various parts of the organization participating in the Risk Management process;
- dependencies between the project or activity and other projects or parts of the organization.
The criteria by which risks will be evaluated have to be decided and agreed. Deciding whether risk treatment is required is usually based on operational, technical, financial, regulatory, legal, social or environmental criteria, or combinations of them. The criteria should be in line with the scope and framework defined above. Furthermore, they should be closely related to the organization's internal policies and procedures and support its goals and objectives.
Important criteria to be considered are:
- impact criteria and the kinds of consequences that will be considered;
- criteria of likelihood;
- the rules that will determine whether the risk level is such that further treatment activities are required.
It is very common that criteria identified during these steps are further developed or even modified during later phases of the Risk Management process.