When I run training for the development of risk frameworks, I ask participants to hold up their hand if they have a framework that is more than a couple of pages. I ask them to keep their hand up if it’s more than 10 pages, 20, 50 and I keep going if needs be. The winner so far had a framework that was over 200 pages. I kid you not. No wonder they were there to get help.
A great risk framework achieves your desired goals in the fewest words possible. It should:
- Integrate risk into business-as-usual.
- Show risk to be an enabler of success.
- Be able to be overviewed and comprehended in 15 minutes.
Does yours? If not, here is a tip. Break it up.
I break up risk frameworks into Policy, Guideline and Procedure. The policy gives the “why” and sets the direction the organisation needs to head. The guideline contains the “what” and acts like a roadmap for the integration of risk into business-as-usual. And the procedure provides the “how”, the instructions for risk assessment and escalation as required.
The policy is a page or 3. The guideline, say 3 to 8 pages. And the procedure is as long as it needs to be to provide instructions. Maybe 8 to 10, including templates, if you don’t have a training package that provides staff with a guided tour through the risk assessment and reporting processes.
If you want to know more about framework design, download Ch. 7, “Designing Success”, of my book Risky Business: How Successful Organisations Embrace Uncertainty, and view more of my insights on my website. Better still, you can sign up for the RMIA’s Enterprise Risk Management course and go into framework development in detail.