Table of Contents
The Enterprise Risk Management Framework 6
Outline and Design of the Framework 7
Internal and External Contexts 7
Monitoring and Review of the Framework 9
Communication and Reporting 14
Integration with other Policies, Objectives and Strategies 15
Accountabilities and Responsibilities 17
Benefits of the Implementation Plan 20
Outcomes and Success Criteria 21
Objectives of the Risk Management Framework 21
Strategy for implementation 23
Benefits of ERM to Various Stakeholders 23
Appendix 1: Risk management Framework (AS/NZS ISO31000:2009) 26
Appendix 2: The Risk Management Process 27
Appendix 3: Sample Risk Register for MPM Contractors Pty Ltd 27
Appendix 4: Managerial and Leadership Agreement to Support the Risk Management Framework 28
Appendix 5: High level Implementation Schedule 28
Appendix 6: Approval of Implementation plan 29
MPM Contractors Pty Ltd is a vertically integrated electrical engineering contracting company based in Brisbane. Though it had enjoyed success for many decades leading to a turnover of $50 million in 2015/2016, there were several issues currently facing them. First, they had altered their organizational structure, abandoning the hitherto family dominated management for a formal organization structure with a CEO, COO and a Board of Directors. In addition, they expanded into larger space and formed several departments and divisions for management. Notably, the marketplace was becoming unfriendly with their main niche, mining, on the slowdown while reduction in government spending reduced their margins in related water and sewerage projects from the local governments. Better yet, the company dreamt of upping its value and selling at the right price to an interested investor. In light of these circumstances, a risk manual and implementation plan were drawn. The size of the company and the aforementioned issues meant that the organization was exposed to even more risks and as such an integrated risk management strategy was necessary. The risk manual consisted of the enterprise risk management framework and the risk policy. The framework applied in the case scenario is the AS/NZS ISO31000:2009 and has been discussed in detail. Consequently, a risk policy is elucidated and an augmenting implementation plan included. With the risk manual and its implementation plan, the organization shall be successful in integrating risk management into their strategy and corporate culture and realize success even in the periods of market uncertainty.
Started by siblings Tim and Gerald Smith, MPM Contractors Pty Ltd has experienced exponential growth since the late 1960s to a size of 500 employees, an annual turnover of $50 million and staggering profits of $1.2 million in the period ended 2015/2016. Following this expansion, the vertically integrated company sought to restructure, bringing onboard a CEO Alex Goveny who was to report to the Board of Directors while under him were further a number of departmental heads including the COO, Sue Fernell. Working as electrical engineering contracting company, the firm had established good business with the coal mining sector and at the same time profited from Local Government Authorities around Queensland who were expanding their water and sewerage infrastructure. However, several developments currently demanded their attention. To begin with, there had been a decline in the mining industry while government spending had been reduced, making profits narrower and the market more competitive. Luckily, they were surviving thanks to the exit of some competitors and some loyal customers. More importantly, the company had grown and increased their infrastructure on a bigger piece of land, and now had more fixed assets to manage. This paper shall present a risk management manual for the organization and its implementation plan. The manual consists of two parts, the enterprise risk management framework and the risk policy.
This section encompasses the enterprise risk management framework and the risk policy. Both sections are divided into a number of subsections detailing specifics of the manual.
This section details the framework to be used for MPM Contractors Pty Ltd and the various attendant elements to operationalize it.
The enterprise risk management framework proposed for MPM Contractors Pty Ltd is the AS/NZS ISO31000:2009. This framework does not propose a management system per se but offers a risk management framework that is to be incorporated into the organization’s management system. The success of the framework depends on the level of implementation. As shown in Appendix 1, the framework consists of five elements: Mandate and commitment, the design of the framework for managing risk, implementing the risk framework, monitoring and evaluation and continuous improvement. It must be appreciated that risk management is not a one off activity, and thus there must be organizational commitment and mandate from the board. From there, the risk management framework is designed, outlining processes and other supportive mechanisms. Ad hoc risk management processes are not enough and hence the need for a comprehensive design. After the design the framework should be implemented and an endeavor made towards continuous improvement. The complete illustration of the framework is provided in Appendix 1.
This section highlights what MPM Contractors Pty Ltd engages in, their corporate culture and other key items of the macro and micro environment. It also includes a SWOT analysis which identifies the strengths, weaknesses, opportunities and threats to the organization. SWOT was selected as a tool for analysis due to its ability to analyze both the internal and external environment of the organization.
MPM Contractors Pty Ltd is an electrical engineering contractor based in Brisbane, Australia. They have interests in coal mining and offering services to local government agencies offering water and sewerage services. While the company was founded by two brothers who have subsequently handed over the baton to their sons, the organization has also instituted a formal organization structure with a board of directors, CEO and several departmental heads. It is therefore a formal corporate environment seeking to integrate the best management practices. More importantly, the company has an excellent organizational culture that seeks to retain employees. While other companies sought exit and reduced their staff, they instead endeavored to maintain their best talent. An overview of their strategic position is presented in the SWOT analysis below:
| StrengthsLoyal customers in the mining and local governmentsFormal management system to aid competitivenessStrong foundational philosophy from the founding family. | WeaknessesToo many family members in managementLack of a risk management strategyVertical integration, creating management conundrums. | OpportunitiesDiversification into other niches within electrical engineering contracting.Business opportunities with other local governmentsExpansion of their geographical reach beyond Queensland and Brisbane in general | ThreatsCompetitive rivalryReducing government spending. Declining profits in the mining sector |
Table 1: SWOT Analysis
The risk management framework must be frequently reviewed to ensure that it addresses the fundamental needs of the organization. The dynamic nature of organizational contexts implies that some of the risks recorded in the register may not be applicable in the future while some that were unprecedented may appear on the frame. Monitoring and review should encompass:
There should be a clear mandate on monitoring and review. Internal and external audits should be carried out under the established authority and be eventually reported to the top management. In addition to this, various parties must assume specific monitoring and review roles as demonstrated in table 8 under risk policy.
The risk management process follows seven steps that are sequential. First is the establishment of the context. This involves scanning the organization in context, setting up the goals and objectives of the risk assessment, coming up with a risk management framework and analyzing stakeholders involved (AIRMIC, 2010). Next, there is risk identification, where the potential risks, their nature and sources in the macro and micro environment is established. From there, the risks are analyzed in terms of their likelihood to occur and the potential losses. Risk assessment is the next step and entails weighing the risks against each other in order to prioritize them. The magnitude of the risk in this case determines its priority level. Once the hierarchy has been established, the risk is treated. Treatments vary from risk avoidance, transfer, control and retention. Within each of the above five steps, there is monitoring and review as well as communication and consultation between stakeholders as shown in Appendix 2. Apart from this, the detailed risk criteria is outlined in Appendix 7.
This refers to a master document which identifies, characterizes, analyzes and assesses the various risks that face the organization, in this case MPM Contractors Pty Ltd. There is need to develop the document in order to ensure that all the significant risks going forward are known and acted on (AIRMIC, 2010). Also known as the risk log, the risk register is a document to be shared amongst the key stakeholders from middle level managers to the board of directors to allow for a risk sensitive growth pattern. The document further apportions the responsibility of risk treatment to specific stakeholders, paving the way for not only risk identification and documentation but also treatment. A general layout of the risk register is presented in appendix 3.
This is a description of all the words that have been used in the risk manual. A glossary helps the various stakeholders to understand the manual better and hence put it into proper use. Table 2 below presents the main terms used and their definitions.
| Term | Definition |
| Risk | Any event with an impact on the objectives of the organization and can be measured in terms of the magnitude of its consequence or likelihood to occur. |
| Risk analysis | The consideration of a risk in light of its sources, likelihood to occur and the possible consequences. |
| Risk assessment | The process of identifying, analyzing and ranking risks in order to establish their priority for the organization. |
| Risk Identification | This alludes to the process of scanning the organization to isolate the risks and document them. |
| Risk Management Framework | A detailed conceptual model for use in managing risks in structured and formal manner in an organization. |
| Risk Treatment | The procedure taken by the organization in dealing with the risks |
| Risk Register | A document wherein all risks facing the organization are recorded. |
| Stakeholders | Individuals who can affect or are affected by the decisions made by an organization for instance shareholders. |
| Likelihood | The probability of a certain event to occur within a specified period of time |
| Mitigation | The efforts made to reduce the impacts of a given event such as a risk. |
Table 2: Glossary of key terms
This refers to the commitment by the organizational leadership and management to support the risk management framework to its full implementation. This is in cognizance to the fact that managerial buy in is necessary for setting up monitoring and review mechanisms, offering financial and technical resources while also offering appropriate treatments to the identified risks in the risk register. A summary of the agreement is presented in Appendix 4.
The Risk Manual has been presented in this section in as far as the enterprise risk management (ERM) framework is concerned. The framework selected was the AS/NZS ISO31000:2009 which encompasses gaining the mandate and commitment, developing a risk management plan, implementing it, monitoring and review and continuous improvement. This framework offers a simple, sequential yet comprehensive pathway to managing risks in organizations of the magnitude of MPM Contractors Pty Ltd. The risk management process has been elucidated sequentially and in a detailed manner, including an illustration, all while taking into account both the internal and external setting of the organization. Other important components of the risk manual thus far include the risk register which identifies all the risks and characterizes them. Monitoring and review mechanisms, managerial commitment and agreement as well as a glossary to aid the understanding of key terminology were all included. The next stage of the risk manual will therefore benefit from a strong framework that has already been laid down in the preceding stages. The ultimate idea is to ensure that there is a comprehensive strategic risk management manual and its path of implementation to match the case scenario of MPM Contractors Pty Ltd.
The main objective of the risk policy is to inform the management and leadership of MPM Contractors Pty Ltd on the risks carried on different projects they undertake as well as those inherent of the current shape of the organization. Their size, activities, market conditions and competitive strategies are all potentially sources of risk and it is important that the management is aware of such risks at all time and the consequences they carry. More importantly the policy aims at bringing a structured and formal mechanism of hedging risks in the organization. In precise terms, the objectives of the policy can be summed as follows:
There are several underlying reasons for the development of a risk policy at MPM Contractors Pty Ltd. First, the organization had implemented a structural shift where they moved from the family led and dominated structure to a formal organizational plan. The latter involves a CEO, COO and a number of departmental heads who have been given autonomy to utilize the organizational resources to meet strategic objectives. There is need to understand the risks that are inherent of the new system, given that the family shall no longer hold direct control. The board of directors in place needs to comprehend the risks in every decision and the entrustment with control to every member of the top management. More importantly, the company was increasingly vulnerable to marketplace risks. There was a decline in the mining sector while government spending which was another major source of revenue was also on a downtime. This implied that the company faced many financial risks both on the long term and short term that needed a formal approach to isolate and address. It was also apparent that the organization had expanded immensely, having over 500 employees and raking in a profit of $1.2 million. Without a clear risk management plan, diseconomies of scale were likely to set in. It should also be appreciated that the setting up of the firm’s critical infrastructure was not in risk-free territory, with heavy rainfall likely to generate flooding. Other significant factors necessitating a risk policy include the planned sale of the company, where various prospects hold different levels of risks. For instance, the company could float an IPO given that 90% of it was still owned by the family or just sell it entirely to a new investor. All these factors put together created the case for the creation of a comprehensive risk manual.
The use of the risk manual shall be predominantly by the engineering and the construction and commissioning group. This is because the two departments are the most involved in production activities and are also the largest. They have a number of middle level managers dealing with a large number of resources and critical production activities that expose the organization to a myriad of risks. Nevertheless, the COO and the IT/Admin and HR departments under her shall also make use of the risk register given the flurry of risks associated with operations such as the size of the workforce and the management structure in place. There shall however be no external application of the tool.
As evident in the risk management process (Appendix 2), there is need for constant communication with the key stakeholders in every stage of the process. Those involved in implementing the manual must at all levels communicate and consult with the rest to ensure optimal implementation. However, the levels of communication shall differ depending on the importance of the stakeholder. A stakeholder analysis as shown in table 3 below shall determine the level of communication and reporting they receive.
Table 3: Stakeholder Analysis
As shown in the table above, those stakeholders with high interest and high influence must be kept in the know which implies constant communication to them. In addition, there should be two way communication with such groups who include the COO and the board of directors. Others can be informed comparatively less as indicated in the matrix and may have more to report on the process. This entails the relaying of feedback on the various outcomes of the audit and suggesting areas of change. Reporting shall be made to a great extent by the various middle level managers during the monitoring and evaluation process.
For effective implementation, the manual will need to be integrated into the organization’s policies, strategies and overarching objectives. The risk manual will be difficult to adopt and implement in isolation but would carried out seamlessly if integrated into the organizational management substratum. The best way to do so is to make risk management part of the strategic planning of the organization. Under strategic planning, the organization lays down their strategies, documents them and implements them for the long term. The strategic planning process culminates in strategic monitoring and evaluation, a stage that can integrate the risk manual and make it part of it.
Table 4: Strategic planning process (Swayne, Duncan & Ginter, 2012)
Therefore, one way to integrate the risk manual is to incorporate it into the strategic planning process in the final stage, the evaluation and control. Yet another way would be to integrate strategic risk planning into the organization culture, such that all organizational planning and operations are run in a risk- considerate manner. This will help to ease any resistance to risk audits and any other possible uses of the manual within the organization.
A number of individuals shall take part in the risk management process under the guidance of the risk officer. A summary of their contributions and the stage at which their role shall be apparent is as shown in table 5 below:
| Risk management Activity | Human Resource (s) |
| Establishing the context | Risk Officer |
| Risk Identification | Risk officer, COO and all departments |
| Risk analysis | Risk officer and middle level managers |
| Risk Assessment | Risk officer and departmental heads |
| Risk treatment | COO and departmental heads |
| Monitoring and review | Risk officer |
Table 5: Human resources in the risk management process
For the risk manual and the entire risk framework to function effectively, there is need for clear definition of roles to be taken by the various stakeholders within the company in order to set up accountability mechanisms in the process. The main roles and their respective undertakers are as follows:
| Stakeholder (s) | Role/ Accountability |
| Board of Directors | Providing human and technical resources for the implementation of the frameworkOffering leadership in monitoring and reviewEnsuring that the risk framework remains appropriate for the company. |
| Risk Officer | Providing technical and conceptual leadership in the risk management frameworkCoordinating with all stakeholders to ensure full implementation of the frameworkMonitoring the entire risk management processCommunicating with the board and the COO over major findings |
| Departmental and division heads | Consulting with the risk officer as requiredRisk identification and documentationIntegrating risk management into strategic planning and corporate cultureAllocation of Resources |
| Rest of the Employees | Supporting the risk management process in whatever way as called upon by the risk officerReporting any risks encountered and their sources |
Table 6: Accountability and Responsibility of key stakeholders
It is important to understand the risk attitudes in the organization in order to inform treatment options to be taken by the management. Risk attitude refers to an organization’s selected response to an uncertain situation. Based on the risk criteria given in appendix 7, the acceptable levels of risk in the organization are low and moderate. Any risks beyond that rating are taken seriously and set aside for treatment.
There are several documents required in order to support the implementation of the risk policy. These include:
There should be a policy review quite often to ensure that the risk management manual and framework are still relevant and address organizational needs. The timelines, persons responsible and review activities are summarized in table 7 below.
| Authority | Responsibility | Timeline |
| Board of Directors | Review the risk management frameworkReview human and material resources allocated for strategic risk management | Annually |
| COO (Sue Fennel) | Review the role of the risk officerReview the risk manual and management framework | Every 3 months |
| Departmental and division heads | Review the risk registerReview resources and roles in the risk management process | Every 6 months |
| Risk Officer | Review the risk management frameworkReview the risk register and manual Review technical and material resources for the risk management process | Every month |
Table 8: Review of the Policy
This section has summed up the risk policy from its key objectives to inform management of the risk inherent in their decisions, to understand all risks associated with the organizational practices and develop a standardized method of approaching and addressing risks. Within the policy is a justification for the development of the risk manual and the scope of its implementation in the organization. In the end, there is a clear role to be taken by the main stakeholders in review of the policy as well as accountability. Based on the characterization of the risks, only low and moderate risks are allowed in the organization. The policy and the framework together offer a useful strategic risk management platform for implementation.
The implementation plan is an equally essential facet of strategic risk management. It provides the roadmap for the execution of the manual content and the enterprise risk management framework. The risk manual remains just a document with ideas if there is no implementation and thus this section plays a huge role into operationalizing risk management at MPM Contractors Pty Ltd. Notably, the company currently lacks a risk management policy and the risk manual is therefore an unprecedented document in as far as the main stakeholders are concerned. They have to deal with a narrowing market and declining government spending all which poses multiple risks. Further, the organization has really grown to the extent of having 500 employees and generating $1.2 Billion in profit.
The company should be able to achieve the following milestones within the given periods below:
| Activity | Timeline |
| Development of risk management framework | 1 month |
| Assembling of the risk management team to work together with the risk officer | 2 months |
| Inform all stakeholders of the risk management framework and their roles | 3 months |
| Implement the framework fully | 6 months |
| Realize profits by 10% | 1 year |
| Expand their Vertical Integration | 6 months |
| Generate Capital by either a merger or IPO | 2 years |
Table 9: Outcomes and Success Criteria
There are various objectives attached to the risk management framework that justify its implementation. These include:
This implementation plan shall cover all the sections of the manual including:
This plan covers a myriad of risks and their management within the stipulated framework, and excludes:
The following are the constraints facing the current implementation plan:
The implementation plan proceeds under several assumptions. These include:
The high level schedule for MPM Contractors Pty Ltd is presented in appendix 5. It highlights the key activities and their timelines of implementation. Additionally, the handling of the various stakeholders involved in the project has been outlined in table 3 of the manual.
It is apparent that the ERM shall be of huge benefit to the vaious stakeholders of MPM Contractors Pty Ltd. This explains both their interest and influence with respect to its implementation. Some of the benefits include:
The Enterprise Risk Management (ERM) framework augments with the organization’s strategic planning processes (See table 4). This is because the risk manual can be used within the monitoring and evaluation framework at the end of the strategic planning process. Further, the framework interfaces with corporate culture. MPM Contractors Pty Ltd can create a risk sensitive decision making and generally risk-conscious operational framework.
The main stakeholders in the implementation plan have offered their signature in the document as provided in Appendix 6.
The implementation plan listed herein is detailed and offers a clear roadmap for the adoption of the risk manual at MPM Contractors Pty Ltd. It is detailed indicating scope, benefits, assumptions, an implementation strategy among other items. With its full adoption, MPM Contractors Pty Ltd will be able to navigate the current competitive environment, avoid risks emerging from their corporate structure and size as well as generate enough value for the company to attain sustainable competitive advantage.
AIRMIC. (2010). A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000. IRM, 20.
Swayne, L. E., Duncan, W. J., & Ginter, P. M. (2012). Strategic management of health care organizations. John Wiley & Sons.
| Risk no. | Description | Cause | Consequence | Existing controls | Consequences rating | Likelihood | Risk Level | Risk Treatment | Monitoring and review | Responsibility |
The afore-referenced has been read and well understood by the Board of directors, the CEO Alex Goveny and the COO Sue Fennell. The signatories hereby commit to offer all the necessary support to its full implementation. In addition, any changes to the framework as deemed necessary shall be made with the authority of the undersigned.
Board of Directors …………………………………………………………………………..Date……………………
CEO……………………………………………………………………….Date…………………………………….
CFO……………………………………………………………………….Date……………………………………….
| September-November- 2017 | November –December2017 | Dec 2017- Jan 2018 | Jan- feb 2018 | March 2018 | ||
| Establishment of Context | ||||||
| Risk Identification | ||||||
| Risk Analysis | ||||||
| Risk Evaluation | ||||||
| Risk Treatment | ||||||
| Monitoring and Evaluation |
The implementation plan herein has been read and well understood by the Board of directors, the CEO Alex Goveny and the COO Sue Fennell. The signatories hereby commit to offer all the necessary support to its full implementation. In addition, any changes to the plan as deemed necessary shall be made with the authority of the undersigned.
Board of Directors …………………………………………………………………………..Date……………………
CEO……………………………………………………………………….Date…………………………………….
CFO……………………………………………………………………….Date……………………………………….
| Rating | Risk Attitude | Responsibility |
| Low | Acceptable | Should be handled by the divisional manager using routine principles of risk management |
| Moderate | Only acceptable within a time limit | Should be addressed by the managing director, but requires advanced risk monitoring and management |
| High | Only acceptably if the risk can reduce with time. Such risks can damage the effectiveness of the organization | The risk will involve the COO and the CEO and many suffice notification of one or two board members. |
| Extreme | Not Acceptable at all, has adverse effects on functionality of the organization. | The entire board should be aware, and such a risk should be subjected to the appropriate treatments. |
Delivering a high-quality product at a reasonable price is not enough anymore.
That’s why we have developed 5 beneficial guarantees that will make your experience with our service enjoyable, easy, and safe.
You have to be 100% sure of the quality of your product to give a money-back guarantee. This describes us perfectly. Make sure that this guarantee is totally transparent.
Read moreEach paper is composed from scratch, according to your instructions. It is then checked by our plagiarism-detection software. There is no gap where plagiarism could squeeze in.
Read moreThanks to our free revisions, there is no way for you to be unsatisfied. We will work on your paper until you are completely happy with the result.
Read moreYour email is safe, as we store it according to international data protection rules. Your bank details are secure, as we use only reliable payment systems.
Read moreBy sending us your money, you buy the service we provide. Check out our terms and conditions if you prefer business talks to be laid out in official language.
Read more