Appearing for a Risk Management Interview! Refresh your Concepts - Getjobsandskills
Appearing for a Risk Management Interview! Refresh your Concepts

Risk

Risk encompasses both possible threats and opportunities and the potential impact these may have on the ability of an organization to meet its objectives. Risk is of two types: strategic risk and operational risk. Strategic risks relate directly to an organization’s strategic planning and management processes.

Strategic risks are those which could significantly affect the achievement of the organization’s vision and strategic objectives as documented in the strategic plan. They are high-level risks which require identification, treatment, monitoring and management by the organization’s senior executives or board. These risks may need to be managed by more than one organization for the risk treatments to be effective.

Operational risks are those which could have a significant impact on the achievement of:

  1. The company’s strategic objectives (as documented in the strategic plan) from the perspective of the actions undertaken by a particular division, branch, or work unit.
  2. The individual program or project management aims.

Operational risks require management by the relevant senior officer responsible for the division, branch, or work unit, or by the relevant program or project board. In extreme instances, these risks may require escalation to executive management.

Risk management

Risk management is the process of identifying, assessing and responding to risks, and communicating the outcomes of these processes to the appropriate parties in a timely manner.

Effective Risk Management System

An effective risk management system:

  1. Improves planning processes by enabling the key focus to remain on core business and helping to ensure continuity of service delivery.
  2. Reduces the likelihood of potentially costly ‘surprises’ and assists with preparing for challenging and undesirable events and outcomes.
  3. Contributes to improved resource allocation by targeting resources to the highest level risks.
  4. Improves efficiency and overall performance.
  5. Contributes to the development of a positive organizational culture, in which people and companies understand their purpose, roles and direction.
  6. Improves accountability, responsibility, transparency and governance in relation to both decision-making and outcomes.
  7. Adds value as a key component of decision-making, planning, policy, performance and resource allocation, when subject to continual improvement.

Factors Inhibiting Effective Risk Management System

The factors that inhibit effective risk management can include:

  1. Lack of support for a risk management culture from executive management.
  2. Lack of time and resources allocated to risk management.
  3. Difficulty in finding and assessing emerging risks, especially cross-organization risks.
  4. Lack of independent assurance over the effectiveness of the risk management framework.
  5. Lack of clarity over risk ownership and the responsibility for risk management.
  6. Over- or under-treatment of risks.
  7. Unnecessarily complex risk documentation.

When executive management commits to risk management and encourages a strong organizational culture and awareness of risk, an organization should be able to overcome the factors which inhibit effective risk management.

Principles of Risk Management

Principles that should be adopted by any organization to successfully manage their risks are enumerated below:

  1. Risk management has a firm commitment from the accountable officer or the board.
  2. The risk management framework is integrated with other organization governance processes, such as strategic planning, operational planning and executive management functions.
  3. Effective risk management is based on a strong organizational culture and awareness of risk at all levels, which involves encouraging a risk-informed workforce and culture.
  4. Risk management is supported by a program of education, training and development for staff that is devoted to risk management at key levels.
  5. The risk management process assigns clear ownership of risk accountabilities, responsibilities, duties and actions.
  6. The risk management process is proactive, with cross-organization communication of risks.
  7. The risk management process draws on both current experiences and lessons learned.

Risk Management Framework

Risk management is not an isolated function that exists within an organization. Rather, it is an integral part of strategic planning, strategic management and everyday activities. Three specific areas are discussed in further detail below: the responsibilities of relevant officers within an organization; the integration of risk management into all areas of the company; and the mechanisms in place to review the framework.

Responsibilities of Employee Entrusted for Risk Management

It is fundamentally the role of accountable officers and their management teams to ensure that the company has a robust internal organizational culture and process that can identify and manage its risks. The Head of Internal Audit may aid with risk management. However, the responsibility and accountability for implementation of a risk management framework remains with the accountable officer. Objectives and strategies for risk management should be designed to complement the company’s existing vision and strategic objectives. In establishing an overall risk management direction, a clear vision for risk management should be articulated and supported by policies and operating principles. An up-to-date risk management framework will guide employees by:

  1. Describing the risk management philosophy (why?) and process (how?).
  2. Supplying methods for identifying, treating, monitoring, and reviewing risk.
  3. Establishing roles and responsibilities for effective management of risk (for example, setting up a risk coordinator role to lead and manage the risk management program across the organization, and assigning a risk owner to each risk).
  4. Detailing an appropriate process for reporting on strategic and operational risks.
  5. Providing for ongoing continuous improvement through the evaluation of the objectives and results of the risk management process.

The greater the awareness and understanding of the risk management framework by all staff, the more likely it is that staff will own and apply the risk management principles promoted by the organization and incorporate them in their day-to-day activities. It is essential that accountable officers and senior and executive management model all aspects of the risk management framework and its principles to promote a robust risk management culture within their organization.

There is no “one size fits all” risk management framework that can be applied across the varied types of companies. Executive management needs to consider the type of framework that will best integrate with its operational context and internal and external environment. Companies should refer to existing policies and procedures such as the following to aid with developing a framework:

  1. Business operations.
  2. Reporting mechanisms.
  3. Organizational culture.
  4. Workforce skills and capabilities.
  5. Planning and performance management processes.
  6. Budget and resourcing.
  7. Supporting infrastructure.
  8. Standards, legislative and regulatory requirements.
  9. Organizational and governance structure.
  10. Delegations of authority, responsibility, and accountability.

Integration of Risk Management

Risk management should be embedded or integrated into the organization’s philosophy and organizational culture, existing governance policies, and planning, reporting and decision-making structures at both the strategic and operational levels. Companies that integrate risk management have a greater likelihood of achieving their strategic aims and delivering their services efficiently and effectively. Successful alignment of risk management and governance needs four key factors:

  1. An organization focus – where there is an identifiable source of risk management expertise in the organization and senior managers come together on a regular basis to discuss risk management issues.
  2. An organization direction – where a clear direction and strategy is established for risk management, including articulating the organization’s risk appetite and giving a clear mandate for what constitutes effective risk management.
  3. Decision-making structures – where risk management is not a separate process, but a key consideration at all parts of the decision-making chain: being factored into strategic and operational planning; included as a common component in all project proposals and business cases; and incorporated into advice.
  4. Organization capacity and capability – where the organization’s executive management invests time and resources to build momentum, capacity and capability, including: ensuring that there is a shared language of risk management; a common understanding of the principles; training and development to build expertise; and established tools and processes for risk management.

Integrated risk management requires an ongoing assessment of potential risks and opportunities for an organization at every level. The results should inform organization level risks, ease priority setting and improve an organization’s decision making. Clear links should be established between risk management, policies and priorities, organization objectives (vertical integration), and organization policy and operations (horizontal integration).

Vertical Integration

Vertical integration involves:

  1. Integrating risk management with aims at all levels of the organisation by supplying a framework that links an organisation’s strategic plan through to its individual operational plans.
  2. Integrating risk management with evaluation and reporting mechanisms, to ensure that risks and risk treatment strategies are checked, analyzed, reviewed, and updated.
  3. Embedding risk management components into existing strategic and operational planning processes.
  4. Communicating executive management or board decisions on acceptable levels of risk.
  5. Establishing escalation processes to be followed where a risk is reviewed and falls outside the range of the accepted levels of risk appetite and tolerance.
  6. Improving control, governance and accountability systems and processes to consider risk management and results from the assessment of potential risks.

Horizontal Integration

Horizontal integration involves integrating risk management into an organization’s systems, processes and practices and, in particular, the planning and decision-making processes at each level. When risk management is integrated into strategic and operational planning and regular reporting cycles, the additional risk management information available should enable more informed planning and decision-making. Information should be shared throughout an organization to ensure there is a coordinated approach to identifying and treating risks. In considering risk, business areas should consider the potential impact of risk treatment on other business areas and should be encouraged to share best practice/lessons.

Organizational Culture

Effectively embedding risk management into the organizational culture is key to achieving integrated risk management. A challenge for all companies is to deliver an appropriate level of investment in strategic risk management – both in time and resources – and to clearly communicate the importance of risk management as a core component of the organization’s business. This can be accomplished in a number of ways, such as by:

  1. Executive and senior managers championing and modelling risk management.
  2. Promoting the view that all staff in the organization are managers of risk.
  3. Encouraging managers and staff to develop knowledge and skills in risk management.
  4. Training and supporting staff in incorporating risk management into their everyday roles and responsibilities.

Successful risk management requires involvement by all organisation staff. A supportive organizational culture, where capability, learning and innovation are rewarded, and where a “no surprises” rather than “no risks” philosophy is encouraged, should assist companies in developing their risk management process. Companies with a supportive work environment tend to:

  1. Promote learning – by encouraging staff to learn and to value knowledge, expertise and innovative ideas.
  2. Learn from experience – by valuing experimentation, sharing lessons from past successes and failures and bringing this learning to planning and risk management.
  3. Demonstrate management and leadership – by selecting leaders who are good coaches and teachers, demonstrating commitment to staff by providing tools, opportunities and resources and investing in the risk management process, including reviewing the process periodically.

Providing the right risk management resources, training and awareness programs for staff is critical to building an effective organizational culture.

Mechanisms to Review the Risk Management Framework

Risk management is not just about the review of risks themselves. Companies need to review their risk management capability and governance systems to ensure they are delivering effective and robust risk management that is fit for its purpose. Internal auditors may aid in providing assurance that an organization’s risk management framework is running effectively and may also aid with the development, maintenance, and review of the framework, provided care is taken to maintain independence and objectivity. This may involve internal audit being part of a risk project team in an advisory capacity. Risks, risk profile, risk management capability and systems, and the risk environment are all constantly changing and evolving. A regular review of a risk management framework will:

  1. Provide assurances to executive management that the organisation’s risk profile has been properly identified, documented, and assessed.
  2. Ensure the organisation’s procedures and governance systems are working effectively.
  3. Ensure that risks are being effectively monitored and treated to an agreed level.

At a minimum, an annual review of the entire risk management process should be undertaken by the accountable officer or statutory body. It is important to consider “lessons learned”, both positive and negative, and to use these to enhance current practices and processes. It is also important to assess whether all elements of the risk management framework have been implemented effectively.

Responsibility for reviewing the risk management framework may be allocated to a committee to provide support and advice to the accountable officer. It may be a separate risk management committee or combined with the organisation’s audit committee.

While the committee has no responsibility for managing the risks themselves, it may be charged with regularly reviewing and evaluating the risk management framework and related governance systems to provide assurance on their efficiency and relevance. It is good practice for the committee to carry out such reviews at least annually, to ensure the procedures remain fit for purpose and are up-to-date. The committee should take care not to confuse reviewing risk management procedures with risk management itself. Reviewing the process is not a substitute for the active management and treatment of an organisation’s risks.

Risk Management Process

The risk management process consists of the following steps:

  1. Establishing the context.
  2. Risk identification.
  3. Risk analysis.
  4. Risk evaluation.
  5. Risk treatment.
  6. Communication and consultation.
  7. Monitoring and review.

These processes can be undertaken in any sequence, as companies may find that some processes overlap or fall in a different order. Companies are encouraged to develop a complete risk management process that suits their circumstances. For example, risk identification, risk analysis and risk evaluation can be encompassed in one process known as risk assessment. The risk management process developed by an organisation may require refinement after a review of the process has been undertaken.

Establishing the Context

The purpose of establishing the context is to decide the boundaries within which the risk management framework will operate. It should note the boundaries of the framework and the ability of the organisation to successfully address the risks that may be found in the assessment phase of the risk management process. In establishing the context, an organisation should consider:

  1. The external and internal environment.
  2. The risk profiles.
  3. Risk appetite and risk tolerance levels.
  4. A risk matrix and responsibilities.
  5. The business continuity plan.

The context of the organisation should be reviewed on a regular basis to ensure any effects on the organisation from these areas are found on a timely basis.

External and Internal Environment

Establishing the external and internal environment of the organisation is the first step in the risk management process. It involves consideration of both challenges and opportunities in the context of the organisation’s vision and aims, operating environment and key stakeholders. The environment is important as it sets the parameters within which risks are identified, assessed, and managed. As such, it must be defined sufficiently broadly to include a wide range of trends, influences and time horizons. Companies will need to collect information at both the strategic and operational levels, and include both the external and internal risks.

The primary influences on the external environment relate to the social, cultural, political, legal, regulatory, financial, technological and economic environments within which the organisation operates. These external influences could occur at international, national, state, regional or local levels.

Influences on the internal environment may include:

  1. The organisation’s aims and planned results.
  2. Plans established to ensure the organisation achieves its aims and delivers its services.
  3. Individual projects being undertaken.
  4. The organisation’s governance and accountability structures.
  5. Policies in place.
  6. Resources available within the organisation (for example, information systems, staffing and funding).
  7. Existing risk management capability and practices.

The defined external and internal environments should be regularly and systematically examined to ensure that they remain appropriate and relevant.

Risk Profile

There is a significant interrelationship between developing a risk profile and the strategic planning process. Risk management underlies all aspects of priority setting, planning and resource allocation. The risk profile is informed by and should feed back into an organisation’s strategic planning documents and processes. In a mature practice of integrated risk management, a robust strategic and operational planning process should assimilate the risk profile, eliminating the need to present it separately.

Risk Appetite and Risk Tolerance

While establishing the context, an organisation should also consider its risk appetite, which is the amount (or range) of risk which the organisation considers acceptable and justifiable. The risk appetite of individual companies will differ depending upon their environment. Risk appetite can be expressed as a series of boundaries appropriately authorized by the organisation’s executive management. Various levels of staff within an organisation should be given clear guidance by management on the limits of risk which they can accept. This involves key discussions being held at various levels within an organisation and across companies, especially where there are interrelationships or similarities. To identify the acceptable levels of risk, it is expected that discussions would be held at executive level to clearly communicate, assess and provide direction on what are acceptable levels of risk. Discussions would concern political, economic, social, technological, legal, environmental, and financial issues that impact on companies and on the whole-of-Government. In developing the risk appetite for an organisation, consideration may be given to:

  1. Commitments or views previously expressed.
  2. How the organisation’s stakeholders have reacted to past risk events and issues.
  3. Whether stakeholders have been consulted on risk tolerances and performance targets.
  4. The company’s performance expectations, as expressed in its strategic plan and budget documentation.

Risk tolerance can be defined as the acceptable variance from the organisation’s risk appetite boundaries. Companies should develop processes to determine acceptable limitations and whether they are negotiable. Within an organisation, the risk appetite and risk tolerance will not be static. Rather, they will differ depending upon the particular challenge or opportunity at the time. Individual projects are an example of how the risk appetite within an organisation may differ. Companies should also consider an appropriate process for where a risk falls marginally outside the desired risk tolerance, but a strong case exists as to why the risk should be accepted and managed. Determining an organisation’s risk appetite is not a one-off event. Both risk appetite and risk tolerances may change over time as new information and outcomes become available, and as stakeholder expectations evolve.

Risk Matrix and Responsibilities

A risk matrix should combine the likelihood of the risk occurring and the consequence should such a risk occur, to produce the risk rating used for treating and/or monitoring the risk. Parameters should be set for each likelihood and consequence level in an organisation’s risk matrix. Each cell within the matrix should be defined, and the necessary action and the relevant officer responsible for the risk documented for each. The matrix should be reviewed against the internal and external environments to determine its relevance to the risks identified by an organisation. An organisation should ensure that all risks are analysed using the same risk criteria. Companies may also consider developing a matrix for each division, branch, work unit, program and/or project. Alternatively, an organisation may define the consequences into various risk categories, such as financial risks, occupational health and safety risks, political risks, and so on. The organisation would then provide a quantitative and/or qualitative descriptor for each consequence. It is important that companies determine the level of detail that will be appropriate for their circumstances and ensure they develop a risk management system that meets their needs and is within their capabilities.

Business Continuity Plan

Companies must recognize that some risk is unavoidable, and it is not within the ability of an organisation to completely manage all risks to a level commensurate with its risk appetite. For example, companies have limited control over risks associated with natural disasters. In these instances, the only action that can be taken by the organisation is the preparation of contingency plans for business continuity. A business continuity plan should include appropriate crisis management plans that can be activated as required, and these plans should be tested periodically to ensure their effectiveness.

Risk Identification

Once the environment within which the organisation operates has been established (that is, the context), the next stage is the identification of individual risks. The aim of this step is to generate a comprehensive list of threats and opportunities based on those events that might create, enhance, prevent, degrade, accelerate or delay the achievement of the organisation’s strategic objectives. Comprehensive identification is crucial, because a risk that is not identified at this stage will not be included in further analysis. Risk identification should include examination of the knock-on effects of consequences, including cascading and cumulative effects of actions.

Environmental Scanning

A common method used by companies to find emerging risks is environmental scanning. An environmental scan is a powerful risk management and strategic planning tool that entails careful monitoring of an organisation’s internal and external environments to detect early signs of challenges and opportunities that may influence the organisation’s current and future plans. It involves obtaining both factual and subjective information on the potential challenges and opportunities to increase the organisation’s awareness of the key risks it faces.

Key considerations for companies when undertaking environmental scanning include:

  1. The type of risk – political, legal, economic, environmental, socio-cultural, technological.
  2. The source of risk – external (political, economic, natural disasters) or internal (reputation, security, knowledge management).
  3. The causes of the risk.
  4. The impacts of the risk – type of exposure (people, reputation, program results, priorities, funding, assets).
  5. The level of control – the degree to which the organisation can influence, affect or manage the risk.

In undertaking the environmental scanning process, issues that an organisation should consider include:

  1. The frequency of scanning – depending on the organisation’s context, environmental scanning may be undertaken continuously or periodically (for example, monthly or yearly).
  2. Timeframe – for example, policy development officers may be interested in developments over the next five years, whilst scanning that supports operational decision making may be restricted to a six-month timeframe.
  3. Scope – some companies may be fairly inward-looking in their risk identification processes if they perceive that the major element of risk arises from within the organisation; others may need to consider a much wider scope (including international, national or interstate) if they consider that they may face risks from a wider environment.
  4. Opportunity/challenge – some environmental scanning is concerned mainly with spotting potential challenges, but it can equally be used to scan for opportunities (“positive risks”), and many challenges may be converted into opportunities if identified early.
  5. Rigor/informality – environmental scanning varies in the extent to which it is structured and supported by technology; that is, some companies may use sophisticated assessment schemes and information search technologies, while other companies will rely almost entirely on informal networks of contacts and good judgement.

Other resources or methods that can be adopted by companies to identify risks include:

  1. Organisation documents, such as the strategic and operational plans, performance reports, budgets, and audit observations and recommendations.
  2. Media reports and commentary.
  3. Benchmarking the organisation’s performance against that of other companies.
  4. Undertaking brainstorming activities.
  5. Preparing a strength-weakness-opportunity-threat (SWOT) analysis.
  6. What-if scenarios to seek reaction from stakeholders.
  7. The use of surveys and questionnaires.

Irrespective of the method used by the organisation to find the risks, it is vital that relevant and up-to-date information is used, and that people with proper knowledge participate in the risk identification process.

Risk Analysis

Risk analysis involves analysing the impact of the potential challenge or opportunity, starting with an assessment of the consequences as well as the likelihood of a risk occurring. A common approach to analysing risk is to use the risk matrix that the organisation would have developed previously. Where an organisation considers the risk analysis process to be relatively straightforward, categorization of the risk as high, medium or low may be considered sufficient. The organisation should use critical judgement to determine the level of analysis that is required based on what is appropriate and reasonable. The process for analysing risk will differ from organisation to organisation; however, an individual organisation should ensure all risks within it are assessed using the same method. Where collaboration between companies is required, an organisation may need to adopt a flexible approach to risk analysis when assessing a cross-organisation risk. Once an organisation’s risks have been identified and analysed, management may use a simple table to summarize the assessment.

Assessing Risk

Companies may consider using a two-step approach to assessing risk. The first step involves assessing challenges or opportunities based on their inherent risk. This is the risk that exists prior to any internal controls being implemented to manage the risk. After inherent risk is assessed, companies could focus on the residual risk, which is the risk that remains after action has been taken to manage the risk. Advantages of using this two-step analysis approach include:

  1. Aiding management with identification of excessive or ineffective controls.
  2. Ensuring management is aware of the organisation’s exposure if the control fails.

If the two-step approach is implemented, both inherent and residual risk will need to be reassessed whenever controls are adjusted, or environmental scanning shows that circumstances may have changed.
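To make the risk matrix (likelihood combined with consequence to give a rating) and the two-step inherent/residual assessment described above concrete, here is an added worked example in Python. It is not code from the original article: the 1–5 scales, the rating bands, the appetite and tolerance thresholds, the control names and the sample risks are all constructed assumptions. It goes slightly beyond the text by also ordering the register for the evaluation step (least acceptable first) and flagging risks that have no treatment at all.

```python
"""Added example, not from the original article: a small risk register that
applies a likelihood x consequence risk matrix to inherent and residual risk,
compares the residual rating with a stated risk appetite and tolerance, and
flags the situations the article mentions (escalation, controls that look
ineffective or excessive, untreated risks). Scales, bands, thresholds and the
sample risks are all constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed 1..5 descriptors; a real matrix would define each parameter.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
CONSEQUENCE = {1: "insignificant", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}
RANK = {"low": 0, "medium": 1, "high": 2, "extreme": 3}


def rate(likelihood: int, consequence: int) -> str:
    """Risk matrix: combine likelihood and consequence into a rating band.
    The product thresholds (4, 8, 15) are a constructed assumption."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood and consequence must be integers 1..5")
    score = likelihood * consequence
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass
class Risk:
    name: str
    owner: str                                    # every risk has a named owner
    inherent: tuple                               # (likelihood, consequence) before controls
    controls: list = field(default_factory=list)  # treatments applied
    residual: Optional[tuple] = None              # (likelihood, consequence) after controls


def assess(risk: Risk, appetite: str = "medium", tolerance: int = 1) -> dict:
    """Two-step assessment: inherent rating, residual rating, then a decision
    against the appetite boundary. `appetite` is the highest band accepted
    outright; `tolerance` is how many bands above it may be accepted with a
    documented case (the 'marginally outside' situation) before escalation."""
    inherent = rate(*risk.inherent)
    inherent_score = risk.inherent[0] * risk.inherent[1]
    if risk.residual:
        residual = rate(*risk.residual)
        residual_score = risk.residual[0] * risk.residual[1]
    else:  # nothing treated: exposure is the inherent risk
        residual, residual_score = inherent, inherent_score
    gap = RANK[residual] - RANK[appetite]
    if gap <= 0:
        action = "accept"
    elif gap <= tolerance:
        action = "accept with documented case"
    else:
        action = "escalate"
    flags = []
    if risk.controls and residual_score >= inherent_score:
        flags.append("controls ineffective")       # treatment did not reduce the risk
    if risk.controls and RANK[inherent] <= RANK[appetite]:
        flags.append("controls may be excessive")  # acceptable even untreated
    if not risk.controls and action != "accept":
        flags.append("untreated")
    return {
        "name": risk.name,
        "owner": risk.owner,
        "inherent": inherent,   # exposure if every control fails
        "residual": residual,
        "action": action,
        "flags": flags,
    }


def prioritise(risks: list) -> list:
    """Order assessments so the least acceptable risks (highest residual,
    then highest inherent rating) come first, as the evaluation step requires."""
    results = [assess(r) for r in risks]
    results.sort(key=lambda a: (RANK[a["residual"]], RANK[a["inherent"]]), reverse=True)
    return results


# Constructed sample register (names, owners and scores are illustrative).
REGISTER = [
    Risk("Unsupported legacy application", "CIO", (4, 4)),
    Risk("Phishing leading to credential theft", "CISO", (5, 4),
         ["multi-factor authentication", "awareness training"], (3, 3)),
    Risk("Untested backups", "IT operations", (3, 4), ["nightly backup job"], (3, 4)),
    Risk("Payroll overpayment", "Finance", (4, 3),
         ["segregation of duties", "monthly reconciliation"], (2, 3)),
    Risk("Office printer outage", "Facilities", (3, 1), ["maintenance contract"], (2, 1)),
]

if __name__ == "__main__":
    for a in prioritise(REGISTER):
        print(f"{a['name']:<38} {a['inherent']:>8} -> {a['residual']:<8} "
              f"{a['action']:<28} {', '.join(a['flags'])}")
```

Running the block prints the register ordered for evaluation. The "Untested backups" row shows why residual risk must be reassessed rather than assumed: a control that exists on paper but leaves likelihood and consequence unchanged is reported as ineffective, while the printer contract is flagged as a candidate for excessive control because the inherent rating already sits inside the appetite.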

Risk Evaluation

Once an organisation has identified and analysed its risks, they should be evaluated to determine which risks are to be treated and the priority for treatment implementation. This process is known as risk evaluation. When evaluating risks, companies should consider:

  1. The external and internal environment in which the organisation operates – this will involve the overall strategic direction.
  2. The risk appetite of the organisation, as established earlier in the risk management process – for example, where the organisation is involved in speculative activities, high-risk activities may not always require priority treatment.
  3. The risk appetite of parties other than the organisation (that is, the stakeholders) – for example, some high-risk activities may be more acceptable than others.
  4. Any legal, regulatory or other requirements which may exist – for example, if the risk could result in legal action against the organisation, this risk may be a high priority if the probability of occurrence is high.
  5. The cost/benefits of treating the risk.

The highest priority should be given to those risks that are evaluated as being the least acceptable. High priority risks should be given regular attention, review, and evaluation.

Over time, specific risks and risk priorities will change, and an organisation will need to review and evaluate its prioritization process. Further information is provided in the section on Monitoring and review.

Risk Treatment

Once risks have been analysed and evaluated, the organisation needs to decide the appropriate risk treatment/s. Any action taken to address a risk becomes part of the organisation’s internal controls. There are a number of risk treatment options available, and more than one may be applied to a given risk. Risk treatment controls include:

  1. Preventative Controls – designed to limit the possibility of an undesirable outcome being realized. The more important it is that an undesirable outcome should not arise, the more important it becomes to implement appropriate preventive controls. Examples of preventive controls include separation of duty, installing security cameras to deter criminal activity, the use of contract terms to enable recovery of overpayment or to safeguard against potential breaches of contracted project milestones.
  2. Corrective Controls – designed to correct undesirable outcomes which have been realized. Examples of corrective controls include rotating staff positions, internal audit review of preventative and detective controls, or a change to management procedures.
  3. Directive Controls – designed to ensure that a particular outcome is achieved. They are particularly important when it is critical that an undesirable event is avoided, particularly in health and safety. Examples of directive controls include a requirement for protective clothing to be worn, or that staff be appropriately trained before working unsupervised.
  4. Detective Controls – designed to identify unfavourable events after they have occurred. As they are “after the event” controls, they are only appropriate when it is possible to accept the loss or damage incurred. Examples of detective controls include inventory or asset stock takes, bank reconciliations, or monitoring activities which detect changes that should be responded to.
  5. Transfer the Risk – Risk transfer may be achieved by taking out insurance to facilitate financial recovery against the realization of a risk, or by compensating a third party (potentially another organisation) to take the risk because the other party is more able to effectively manage the risk. Risk may be transferred, or partly transferred (that is, shared). For example, an organisation may, with the Treasurer’s approval, enter into a forward contract (such as a contract for to buy an asset from an overseas party at a specified future time at a price agreed today) to transfer some of the exchange rate risk to the other party.
  6. Terminate the Risk – Some risks may only return to acceptable levels if the activity is ended.
  7. Take the Opportunity – There may be opportunities for an organisation to take advantage of a risk event. For example,  may find that a reduction in over-the-counter payments may result in reduced opening hours. Opportunities, however, may arise where  could partner with another organisation to combine counter services (thus maintaining opening hours but reducing personnel costs) or transfer some of the resources to improve other areas of service delivery.

It may be appropriate, in some instances, to accept the risk rather than treat the risk. A risk may be accepted because:

  1. The probability or consequences of the risk are low or minor.
  2. The cost of treating the risk outweighs any potential benefit.
  3. The risk falls within ’s established risk appetite and/or tolerance levels.
  4. Whole-of-Government policy requires acceptance of the risk.
  5. The company has limited or no control over the risk (for example, natural disasters, international financial market impacts, terrorism and pandemic illnesses). To manage such risks, Companies should have a business continuity plan in place to provide effective prevention and recovery while reducing adverse stakeholder impacts caused by the event, and these plans should be subject to regular testing and review.

When determining the most appropriate treatment option in relation to risks, Companies should consider the following:

  1. There should be a balance between the costs and efforts involved in implementing the option and the benefits derived. Apart from the most extreme undesirable outcomes (such as loss of human life), it is generally sufficient to design controls to give a reasonable level of assurance that the likely loss will be within ’s risk appetite.
  2. Consider financial costs.
  3. Companies may also need to consider the political, environmental, or social costs and benefits.
  4. The values and perceptions held by stakeholders and the most appropriate ways to communicate with them. Where risk treatment options can impact on risk elsewhere in or with stakeholders, they should be involved in determining the treatment.
  5. Risk treatment itself can introduce risks, for example, the failure or ineffectiveness of the risk treatment measures, or the introduction of secondary risks that will also need to be assessed, evaluated and treated.

Companies should fully integrate risks into their strategic and operational plans, and prepare risk treatment plans to document how the chosen treatment/action will be implemented. The following points should be addressed:

  1. The identification of officers assigned responsibility for implementing the plan.
  2. Proposed treatment actions and times, including a cost-benefit analysis of alternatives.
  3. The physical and human resource requirements to implement the actions.
  4. Performance indicators that will be used to measure, review, and evaluate the effectiveness of the treatment/action.
  5. The ongoing monitoring and reporting requirements.

Monitoring and Review

Continuous monitoring and review are vital components of an effective risk management process. They may be undertaken as part of a formal periodic process or performed on an ad hoc basis. The primary purpose of monitoring and review is to decide whether risks still exist, whether new risks have arisen, whether the likelihood or impact of risks has changed, and to reassess the risk priorities within the internal and external context of . Monitoring and review provides important feedback and assurance about the efficiency and effectiveness of the controls implemented to treat risks. It enables  to analyse and learn lessons from successes, failures and near misses. Review of risks and review of the risk management process are distinct from each other, and neither is a substitute for the other. The review processes should ensure that all aspects of the risk management process, including the framework, are reviewed at least once a year. Companies should:

  1. Ensure that risks themselves (and their associated internal controls) are subjected to review within a suitable timeframe (with appropriate provision for management’s own review of risks and for independent review/audit).
  2. Make provision for alerting the appropriate level of management to new risks or to changes in already identified risks so that the change can be appropriately addressed.
  3. It is important that responsibilities for monitoring and reporting are clearly defined, and that results are documented and shared with all appropriate internal and external stakeholders. This includes sharing experiences and better practices internally and across government.
  4. The Head of Internal Audit is responsible for providing assistance in risk management. As a member of senior management, the Head of Internal Audit is in a position to report to relevant management committees on many of the major risks. Where specialist risk managers are appointed to undertake this reporting, the Head of Internal Audit should ensure that management’s reporting is effective.
  5. The results of monitoring and reviewing the risk management process should also be used as input to the review of the risk management framework. This enables continuous improvement of the risk management process and framework, which will lead to improvements in ’s management of risk and its organizational risk culture.

Communication and Consultation

Communication, consultation and regular feedback must take place during all steps in the risk management process. The nature of the risk (for example, strategic, operational, political) will need to be considered in deciding an appropriate consultation process. All staff within an organisation must be involved in the risk management process, including identifying, analysing, managing and reporting on risks. Internally, risk communication promotes action, continuous learning, innovation and teamwork. It can demonstrate how management of a localised risk contributes to the overall achievement of organisation objectives. It is important to ensure that all organisation staff understand, in a way appropriate to their role, what ’s risk strategy is, what the risk priorities are and how their responsibilities in  fit into the risk management framework. If this is not achieved, appropriate and consistent embedding of risk management and an organizational risk culture will not be achieved, and risk priorities may not be consistently addressed. Stakeholders outside  can also provide information about risks that may affect , as well as assist with managing known risks. When identifying the stakeholders of a risk, and determining with whom to consult, Companies may consider:

  1. The employees.
  2. The accountable officer / Chief Executive Officer / organisation executive management.
  3. The risk management committee (or similar).
  4. Partners and/or third-party Companies used to deliver key services.
  5. Interest groups, for example, employer groups, industry groups, unions, and suppliers.

Cross-organisation risks

Where Companies have shared priorities and challenges and have identified risks from a joint or cluster viewpoint, a lead organisation should be determined to set up clear communication and consultation processes. An organisation may be required to adopt a risk analysis methodology compatible with that of the lead organisation in order to provide comparable risk reporting and ratings. The aim is to improve communication and networking within relevant clusters, and to develop contacts and share knowledge. The single code of conduct for all public sector officers provides confidentiality protocols to be followed when discussing all risks.

Reporting

To ensure the effectiveness of the risk management process, consideration should be given to setting up a proper reporting structure within an organisation. For example, the Head of Internal Audit may be required to report to the risk committee (or the audit committee where applicable) or the accountable officer or statutory body regarding the status of the risks currently on the risk register or incorporated into the strategic and operational plans. Reporting processes should be timely and address the following points:

  1. The adequacy and effectiveness of the internal controls in place to treat risk.
  2. Identification of any new risks that may have arisen.
  3. Implementation of new controls to address key risks.

Where significant risks are identified within an organization, processes should be in place for reporting these to the Chief Executive Officer. Depending upon the risk, the Chief Executive Officer may discuss the risk with counterparts or escalate the risk to the appropriate authority.
