There are many ways to think of a risk management framework (RMF). The example below is adapted from SRMBOK and represents a complex view of the elements of risk management. In this model, I have broken the elements of risk management into six main categories.
Practice Areas – the activity groups that embody distinct areas of expertise. These areas can also be the scope of the risks to be managed or the primary area in which a risk practitioner is focused (e.g., Safety, Finance, Enterprise risk, etc).
Strategic Knowledge Areas – the four concepts that all risk practitioners must understand in order to achieve an optimal trade-off in support of risk treatments (Ref: The Quadruple Constraints of Risk Management).
Operational Competency Areas – a group of closely related skill sets in which a risk practitioner needs to be competent in at least one of (if not all) in order to support effective risk management.
Risk Treatments – the strategies that we put in place to support objectives. In the graphic below, ‘assets’ are placed at the center of concentric circles. These circles represent the layered approach known as the 'hierarchy of controls' whereby multiple mutually supportive treatments are more effective than a single treatment.
Activity Areas – principle risk countermeasure areas through the lifecycle from pre-incident prevention (planning and preparation) to post-event response (emergency management and business continuity). As indicated in the diagram below, there should be a primary focus on various elements at the appropriate phase of a risk event (pre or post). Still, all four elements need to be considered at all times – albeit with varying levels of focus or priority.
Enablers – the underpinning elements required to ensure the application of risk management processes and activities in a sustained fashion (e.g., Policies, training, etc).
There is no such thing as the ultimate RMF. This model is just one possible way to view how risk management fits together. At the very least, it can be useful to stimulate your thinking in areas such as:
Gap Analysis - What elements aren’t happening right now in our organization and what do we need to do to fill in the gaps?
Benchmarking - If we had to measure the effectiveness of our risk management, which metrics would we choose, and how do they relate to each other?
Integration - How does this model help us integrate various functions such as treasury, IT, emergency response, design, governance, assurance, policies, etc?
I've also written an article on how to build a risk management framework and developed a short course on the topic.
