A risk management process should have a well-defined structure and administration to ensure efficient communication and control of risks.
Depending on the organisation’s specific needs, many different structures can be used for risk management. However, the most common structure is the Risk Management Board (RMB), typically composed of senior management and representatives from business functions and departments with significant exposure to risk. The RMB reviews and approves the risk register and risk management plan before committing to the risk response action of the identified risk event.
Another common structure is the functional or project risk management department, which manages risks specific to individual functions within an organisation. This structure allows departments to focus on their specific areas of expertise without worrying about the overall positive risk or negative risk profile.
Whatever structure is chosen, it is important that it be administratively sound. Poorly designed or administered systems can lead to confusion and chaos, ultimately hampering the effectiveness of the risk management process.
Whatever structure and administrative processes are developed, there are a few must-haves for any risk management process:
A risk management policy
An organisation’s risk management policy should determine its approach to risk exposure, risk appetite, risk profile, risk treatment and the risk management framework.
The policy must also set out responsibilities for managing risk across the organisation, including defining a risk owner. In addition, it must cover all legal requirements for policy statements, such as health and safety, compliance, etc.
The risk management process is supported by an integrated set of tools and techniques that can be used at different stages of the business process. To function effectively, the risk management process requires:
- Involvement of the executive and senior management of the organisation
- Allocation of responsibilities within the organisation
- Allocation of appropriate resources for training and the development of improved stakeholder potential risk awareness
Role definition – the Board and Trustees
The Executive Board defines the organisation’s strategic direction and creates the environment and structures for an effective risk management plan. This can be done through an executive group, a non-executive committee, an audit committee, or any other function consistent with the organisation’s functioning and can act as a “sponsor” of risk management.
The Board should consider at least the following when assessing its internal control system:
- The nature and extent of downside risks that an entity may assume for its business
- The likelihood that such risks will become a reality
- How unacceptable key risks should be managed
- The entity’s ability to minimize probability and impact on the business
- The costs and benefits of a risk mitigation plan and risk control plan activities undertaken
- The effectiveness of the risk management process
- The risk impact of Board decisions
Role definition – the business functions and departments
- Business functions and departments have primary responsibility for day-to-day risk management
- Business function and department management are responsible for promoting risk awareness within their operations; they must embed the risk management program in their function or department
- Risk management should be a regular point of management meetings to allow operational risk consideration and re-prioritise work based on effective risk analysis
- Business function and department management must ensure that risk management is included in the design phase of project management and the whole lifecycle
Role definition – the risk management function
Depending on the organisation, a risk management function can range from a single risk advocate, a part-time risk manager, to a comprehensive risk management unit.
The role of the risk management function must include:
- Establishing the risk management strategy and policies
- Primary responsibility for managing risk at the strategic and operational levels
- Creating a culture of risk awareness within the organisation, including appropriate training
- Establishing internal risk policies and business structures
- Design and review risk management processes
- Coordinate various functional activities and provide advice on emerging risks, risk assessment, risk analysis, risk reduction, potential impact, and whether a contingency plan is needed for an individual risk event
- Develop the risk management process, including emergency programs and business continuity programs
- Preparedness of risk monitoring reports for the Board and stakeholders
Provision of internal audits
The role of internal auditing is likely to differ from organisation to organisation. In practice, internal auditing may include some or all of the following tasks:
- Focusing internal audits on significant risks identified by management and reviewing risk management processes in an organisation
- Ensuring risk management
- Actively supporting and participating in the risk management process
- Facilitate risk identification, risk assessment, risk evaluation, and training of line staff in risk management and internal control
- Coordinate risk reporting to the Board, Trustees, senior management, and the audit committee
When determining the most appropriate role for a particular organisation, an internal audit should ensure that requirements for independence and objectivity are not violated.
Provision of resources and implementation of the risk management process
The resource needed to implement an organisation’s risk management policy must be clearly defined by each management level and within each business function and department.
Risk management process stakeholders should have clearly defined their roles in coordinating risk management policies and strategies. The same clear definition is also needed for those involved in auditing and reviewing internal controls and facilitating the risk management process.
Risk management must be integrated into the organisation through strategy and budget processes. This should be emphasised during implementation and other training and development processes and operations, such as product and service development projects.
Excellent risk management can only be achieved with the active participation of all key stakeholders. This includes senior management, audit committee, directors, managers, employees and other appropriate stakeholders. A well-defined and integrated risk management process will ensure the organisation can effectively address risks while managing their impact. The strategic risk management framework and process must include:
- A risk management policy
- Role definitions for all stakeholders
- The provision of sufficient and suitable resource
- An internal risk management audit program