The article deals with problems encountered during the first year of risk management process implementation in the public administration in Poland, and points to the lack of appropriate implementation guides as the main reason. A short review, discussing the pros and cons of a few available reference documents, leads to the conclusion that (although widely recognized in Poland) COSO's ERM - Integrated Framework does not fit the needs of public administration. The main objections are: a strong bias towards problems typical of an international corporation, difficult language, and small but important terminology differences from ISO/IEC Guide 73. Instead, the author proposes a much simpler methodology, based on the Joint Australian/New Zealand Standard AS/NZS 4360:2004 - Risk Management, with its excellent companion AS/NZS HB 436:2004 - Risk Management Guidelines, and the European Risk Management Standard issued by FERMA as complementary references. After some discussion of organizational matters and the critical role of top management, the main part of the article deals with the details of risk analysis and assessment. Before anything else, all main activities of a (usually highly hierarchical) organization must be described in a process-oriented fashion. The importance of each process for achieving the organization's goals is then evaluated on a 10-point scale. Within each process a list of critical assets is prepared, and the importance of each asset is evaluated in the same way. The products of the scores for each process/asset pair form the preliminary vulnerability assessment. The weakest points selected in this way become the subject of detailed risk analysis using the AS/NZS 4360 methodology. Possible risk scenarios are identified, and then the consequences and likelihood of each scenario are evaluated using a semi-quantitative approach. Probable incident frequency is used for likelihood evaluation rather than probability.
The consequences are considered in four areas (human health and safety, financial loss, business continuity, image and reputation) and the total score is given using the "high water mark" rule, i.e. the worst area sets the overall consequence score. Finally, the overall risk level is calculated as the product of the consequence and likelihood scores, and then compared with the risk acceptance criteria to decide on further risk treatment methods. Sample scales for consequence and likelihood evaluation, the resulting risk matrix, risk acceptance criteria and risk treatment preference tables are included. The author believes that publication of a risk management handbook, similar to AS/NZS HB 436 but dedicated to the specific needs of Polish public administration, would be the best solution to the current implementation problems. Hopefully, the methodology proposed in this article may become the basis for such a publication.
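As an added illustration (not from the article, and not the author's own tables, which are not reproduced in this abstract), the scoring pipeline described above can be written down in a few lines of Python: process/asset products for the preliminary vulnerability ranking, a frequency-band likelihood score, the high water mark over the four consequence areas, the consequence x likelihood product, and the comparison with acceptance criteria. The 10-point process/asset scale is the abstract's; the 1..5 likelihood and consequence scales, the frequency bands, the acceptance thresholds and the sample organisation are assumptions made for this example.

```python
"""Semi-quantitative risk scoring as outlined in the abstract (added example).

Assumptions (not from the article): likelihood and consequence scored 1..5,
frequency bands below, and acceptance thresholds on the 1..25 product scale.
"""
from typing import Dict, List, Tuple

# The four consequence areas named in the abstract.
CONSEQUENCE_AREAS = ("health_safety", "financial", "continuity", "reputation")

# Assumed frequency bands: (minimum probable incidents per year, likelihood score).
# Likelihood is derived from expected frequency, not from a probability.
LIKELIHOOD_BANDS = ((1.0, 5), (0.1, 4), (0.01, 3), (0.001, 2), (0.0, 1))

# Assumed acceptance criteria: (minimum risk level, treatment preference).
TREATMENT_RULES = (
    (15, "treat immediately"),
    (8, "treat with planned controls"),
    (4, "monitor"),
    (0, "accept"),
)


def preliminary_vulnerability(
    processes: Dict[str, Tuple[int, Dict[str, int]]]
) -> List[Tuple[str, str, int]]:
    """Rank process/asset pairs by the product of their 10-point importance scores.

    `processes` maps process name -> (process importance, {asset: asset importance}).
    Highest product (weakest point) comes first; ties are broken by name.
    """
    pairs: List[Tuple[str, str, int]] = []
    for proc, (proc_importance, assets) in processes.items():
        if not 1 <= proc_importance <= 10:
            raise ValueError(f"process importance out of 1..10: {proc}")
        for asset, asset_importance in assets.items():
            if not 1 <= asset_importance <= 10:
                raise ValueError(f"asset importance out of 1..10: {asset}")
            pairs.append((proc, asset, proc_importance * asset_importance))
    return sorted(pairs, key=lambda p: (-p[2], p[0], p[1]))


def likelihood_score(incidents_per_year: float) -> int:
    """Map a probable incident frequency onto the assumed 1..5 likelihood scale."""
    if incidents_per_year < 0:
        raise ValueError("frequency must be non-negative")
    for lower_bound, score in LIKELIHOOD_BANDS:
        if incidents_per_year >= lower_bound:
            return score
    return 1  # not reached: the last band starts at 0.0


def consequence_score(area_scores: Dict[str, int]) -> int:
    """High water mark rule: the worst of the four areas is the total consequence score."""
    missing = set(CONSEQUENCE_AREAS) - set(area_scores)
    if missing:
        raise ValueError(f"missing consequence areas: {sorted(missing)}")
    for area, score in area_scores.items():
        if area not in CONSEQUENCE_AREAS or not 1 <= score <= 5:
            raise ValueError(f"bad consequence entry: {area}={score}")
    return max(area_scores[a] for a in CONSEQUENCE_AREAS)


def risk_level(consequence: int, likelihood: int) -> int:
    """Cell of the 5x5 risk matrix: product of consequence and likelihood scores."""
    return consequence * likelihood


def treatment(risk: int) -> str:
    """Compare the risk level with the assumed acceptance criteria."""
    for threshold, action in TREATMENT_RULES:
        if risk >= threshold:
            return action
    return "accept"


def assess_scenario(incidents_per_year: float, area_scores: Dict[str, int]) -> dict:
    """Run one scenario through likelihood, high water mark, risk level and treatment."""
    likelihood = likelihood_score(incidents_per_year)
    consequence = consequence_score(area_scores)
    risk = risk_level(consequence, likelihood)
    return {"likelihood": likelihood, "consequence": consequence,
            "risk": risk, "treatment": treatment(risk)}


# Constructed sample organisation (assumption, not from the article).
SAMPLE_PROCESSES = {
    "tax collection": (9, {"taxpayer database": 8, "public website": 4}),
    "facility maintenance": (3, {"boiler": 6}),
}

# Constructed scenario for the weakest point: ransomware on the taxpayer database,
# roughly one incident every five years.
SAMPLE_SCENARIO = (0.2, {"health_safety": 1, "financial": 4,
                         "continuity": 5, "reputation": 4})

if __name__ == "__main__":
    for proc, asset, score in preliminary_vulnerability(SAMPLE_PROCESSES):
        print(f"{score:3d}  {proc} / {asset}")
    print(assess_scenario(*SAMPLE_SCENARIO))
```

The ranking step is deliberately coarse: it only decides which process/asset pairs deserve a full scenario analysis, and the risk matrix cell (here 4 x 5 = 20) is what is compared against the acceptance criteria. Whoever adapts this should replace the assumed bands and thresholds with the scales agreed by top management, since those two tables are where the acceptance decision actually lives.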