A risk management process should have a well-defined structure and administration to ensure efficient communication and control of risks.
Many different risk management structures can be used, depending on the organisation's specific needs. One of the most common is a Risk Management Board (RMB), typically composed of senior management and representatives of the business functions and departments with significant risk exposure. The RMB reviews and approves the risk register and the risk management plan before the organisation commits to a risk response for an identified risk event.
Another standard structure is a functional or project risk management department, which manages the risks specific to an individual organisational function. This structure lets each department concentrate on the risks within its own area of expertise rather than on the organisation-wide (positive or negative) risk profile; the trade-off is that someone still has to own that overall profile.
Whatever structure is chosen, it must be administratively sound. Poorly designed or administered systems can lead to confusion and chaos, ultimately hampering the effectiveness of the risk management process.
Whatever structure and administrative processes are developed, there are a few must-haves for any risk management process:
A risk management policy
An organisation’s risk management policy should determine its approach to risk exposure, risk appetite, risk profile, risk treatment and the risk management framework.
The policy must also set out responsibilities for managing risk across the organisation, including who the risk owner is for each risk. It must also cover any legal requirements for policy statements, such as health and safety or regulatory compliance.
The risk management process is supported by an integrated set of tools and techniques that can be used at different stages of the business process. To function effectively, the risk management process requires:
- Involvement of the executive and senior management of the organisation
- Allocation of responsibilities within the organisation
- Allocation of appropriate resources for training and for developing stakeholders' awareness of potential risks
Role definition – the Board and Trustees
The Executive Board defines the organisation's strategic direction and creates the environment and structures needed for an effective risk management plan. It can do this through an executive group, a non-executive committee, an audit committee, or any other function consistent with how the organisation operates; that body then acts as the "sponsor" of risk management.
The Board should consider at least the following when assessing its internal control system:
- The nature and extent of the downside risks the entity is prepared to assume in its business
- The likelihood that such risks will materialise
- How key risks that are unacceptable should be managed
- The entity's ability to reduce the probability and business impact of those risks
- The costs and benefits of the risk mitigation and risk control activities undertaken
- The effectiveness of the risk management process
- The risk impact of Board decisions
Role definition – the business functions and departments
Their responsibilities include the following:
- Business functions and departments have primary responsibility for day-to-day risk management
- Business function and department management are responsible for promoting risk awareness within their operations and must embed the risk management programme in their function or department
- Risk management should be a standing item at management meetings, so that operational risks are considered and work is re-prioritised on the basis of an effective risk analysis
- Business function and department management must ensure that risk management is included in the design phase of project management and throughout the project lifecycle
Role definition – the risk management function
Depending on the organisation, the risk management function can range from a single risk advocate or a part-time risk manager to a fully staffed risk management unit.
The role of the risk management function must include:
- Establishing the risk management strategy and policies
- Primary responsibility for managing risk at the strategic and operational levels
- Creating a culture of risk awareness within the organisation, including appropriate training
- Establishing internal risk policies and business structures
- Designing and reviewing risk management processes
- Coordinating the various functional activities and advising on emerging risks, risk assessment, risk analysis, risk reduction and potential impact, including whether a contingency plan is needed for an individual risk event
- Developing the risk management process, including emergency programmes and business continuity programmes
- Preparing risk monitoring reports for the Board and stakeholders
Provision of internal audits
The role of internal auditing is likely to differ from organisation to organisation. In practice, internal auditing may include some or all of the following tasks:
- Focusing internal audits on the significant risks identified by management and reviewing the organisation's risk management processes
- Providing assurance on the risk management process
- Actively supporting and participating in the risk management process
- Facilitating risk identification, risk assessment and risk evaluation, and training line staff in risk management and internal control
- Coordinating risk reporting to the Board, Trustees, senior management and the audit committee
When determining the most appropriate role for a particular organisation, the internal audit function should ensure that its independence and objectivity are not compromised; an auditor who helps design and operate the controls cannot then audit them objectively.
Provision of resources and implementation of the risk management process
The resources needed to implement an organisation’s risk management policy must be clearly defined by each management level and within each business function and department.
Stakeholders in the risk management process should have clearly defined roles in coordinating risk management policies and strategies. Equally clear definitions are needed for auditing and reviewing internal controls and for facilitating the risk management process.
Risk management must be integrated into the organisation through its strategy and budget processes. It should also be emphasised during implementation, in training and development, and in operations such as product and service development projects.
Final Thoughts
Excellent risk management can only be achieved with the active participation of all key stakeholders: senior management, the audit committee, directors, managers, employees and other appropriate stakeholders. A well-defined and integrated risk management process enables the organisation to address risks effectively while managing their impact. The strategic risk management framework and process must include:
- A risk management policy
- Role definitions for all stakeholders
- The provision of sufficient and suitable resources
- An internal risk management audit programme