Third Draft 1

Guidelines on risk management practices in statistical organizations – THIRD DRAFT

GUIDELINES ON RISK MANAGEMENT PRACTICES IN STATISTICAL ORGANIZATIONS

THIRD DRAFT

November, 2016

Prepared by: In cooperation with:

TABLE OF CONTENTS

List of Reviews
FOREWORD
  The guidelines
  Definition of risk and risk management
SECTION 1: RISK MANAGEMENT FRAMEWORK
  1. Settling the risk management system
    1.1 Risk management mandate and strategy
    1.2 Establishing risk management policy
    1.3 Risk management approaches
    1.4 Adopting an integrated risk approach connected to statistical quality management
  2. Risk management resources
    2.1 Risk organizational culture
    2.2 Training
    2.3 Delivering roles and responsibilities
  3. Risk management process (see Section 2)
  4. Monitoring and reporting
    4.1 Monitoring and review of the framework
    4.2 Establishing reporting mechanisms
SECTION 2: Risk management process
  1. Communication and consultation
    1.1 Internal communication
    1.2 External communication
  2. Context analysis
    2.1 Establishing the context
    2.2 Process mapping
  3. Risk assessment
    3.1 Risk identification
    3.2 Risk analysis and measurement
    3.3 Risk weighting
  4. Risk treatment
    4.1 Risk treatment actions
    4.2 Risk treatment process
  5. Monitoring and control
    5.1 Monitoring and review
    5.2 Key risk indicators
  6. Risk based control and audit
  7. Risk management information system
  8. Risk management maturity model
  9. Lessons learned
    9.1 Strengths and weaknesses when implementing a risk management system in NSOs
    9.2 Cluster 1: Mandate to manage risks and Risk Policy
    9.3 Cluster 2: Risk management procedure and the role of risk management office
    9.3 Cluster 3: Risk management integration with other functions
    9.4 Cluster 4: Risk management process
    9.5 Cluster 5: Risk management supporting processes
    9.6 – Risk management integration into ongoing activities
Acknowledgements

List of Reviews

First Draft (April 2016) – Risk management guidelines presented during the "Workshop on risk management practices in Statistical Organizations", held in Geneva on 25-26 April 2016.

Second Draft (July 2016) – Review of risk management guidelines after the "Workshop on risk management practices in Statistical Organizations", according to the observations and suggestions received by the NSOs participating in the Survey.

The following paragraphs/chapters have been revised:
- Foreword: “what risk is and why risk management is relevant” statements added (page 9-11);
- Risk Nomenclature and definitions: meaning of risk Plan clarified (page 17);
- Risk appetite: risk Appetite and risk Profile issues implemented (page 18-20);
- Risk management commitment: paragraph revised as required (page 20);
- Risk management approach: example of “mixed approach” clarified (Fig. 2, page 23);
- Internal control according to a risk-based approach: relationships between internal controls and risks clarified (page 24-26);
- Integration with GAMSO: proposal to align GAMSO and risk management process added referring to the integration between risk and quality management (page 27);
- Roles and Responsibilities: responsibility of the “governing board” clarified (page 31);
- Monitoring and Review of the Framework: the importance of periodically reviewing the risk management maturity level underlined (page 34);
- Review Audit Report: the importance of the audit report in aligning risks with internal controls underlined (page 37);
- Communicating risks: the importance of documenting risk communication in the risk management /Internal communication Plan underlined (page 42-44);
- Establishing the context: the importance of risk maturity assessment in order to successfully implement a risk management policy underlined (page 46-47);
- Risk treatment: the differences between mitigation actions and contingency actions clarified (page 61);
- References: the standard ISO 27000 “Information technology - Security techniques Information security management systems – Requirements” quoted in “References”.

The following paragraphs/chapters have been included/added:
- Risk management approaches: paragraph on risk management approaches (top-down, bottom-up) implemented (page 21-22);
- paragraph on risk identification modified (page 50);
- Risk management Maturity Model paragraph added (page 76);
- Risk Appetite: UK case study added (page 9-11, Annex);
- Risk Maturity Model: UK Case study added (page 29-34, Annex);
- Risk Maturity Model combining both international standards and analysis of surveys on risk management practices results added (page 35-42, Annex).

Third Draft (October 2016) – Risk management guidelines integrated with the analysis of results from the III Survey “What was most successful, What was most Difficult, What not to do when
