4.3 Standardised elements – controls, root causes, consequence

As organisations grow their structures, employee numbers will also inevitably grow; however, the nature of the risks they face may not change at all or be similar enough to still be managed consistently. Consider the example of a fast-food restaurant chain: whether it is a chain of 10 restaurants or 100 restaurants, each restaurant will still have the same risk of fraud, business interruption (fire, flood, cyber security) or employee safety. Managing these risks in a consistent way allows for the pooling of knowledge and best practice, while reducing wasted effort.

To facilitate the creation of standardised risks, the organisation may go one step further and create standardised root cause, events, consequences and even treatments, which will be covered in greater depth in Session 5. In doing so, the organisation effectively creates a ‘catalogue’ of risk elements that can come together to create a set of risks. Technology permitting, a readily searchable database can be created to allow risks to be easily generated by those tasked with risk management within the business. Prior to this point, as part of risk planning, the organisation will have established a standardised approach to evaluate consequences (which will be covered in Session 4) allowing for a streamlined risk process.