Risk management consultancy and training services

Call Us:

(+61) 400 666 142


Canberra ACT 2600

Monitor and Review of Risk Management Process

Monitor and Review of Risk Management Process

Dec, 11, 2014
by Rod Farrar

Well hello again.

In this session what I want to talk about is monitor and review of your risk framework but also your individual risks.

It’s a part of the risk management process that I don’t think gets the level of importance that it should. So let’s break those things down.

First and foremost, what are we monitoring?

Well, we are monitoring the environment; we’re monitoring that environment for any changes that might give rise to the change in risk level for a particular risk. We are looking for triggers that might indicate that an event is more likely to occur. We are also monitoring the effectiveness of our framework.

So we’re monitoring whether all the parts of the organisation are meeting their policy requirements. Whether parts of the organisation are maintaining their risk registers, whether the risk governance function is actually operating, such that people are being challenged as to what’s in their risk register.

Why is it there?

Why is it at that level?

We are also monitoring the effectiveness of our framework in terms of the maturity against best practice. And we are also monitoring our key performance indicators, not only from the risk side but for the whole of the organisation to see whether we’re actually adding value and contributing to the objectives and the outcomes of the organisation.

Well, that’s the monitor side of it.

Then there is the review and the number of organisations that have been represented in courses that I’ve been conducting where they pull risk register out every three months or once every 12 months and do a review of the risk register.

The risk register is live document. It’s not something that you pull out every 12 months, dust off, and say yep they’re still risks and put it back on the shelves. You need to be continually reviewing, particularly those risks that are high and extreme or in the thing that I advocate continually reviewing those risks with the highest level of consequences because we want to make sure that our control environment is remaining effective.

So we are continually reviewing that risk, we are continually monitoring over here the control so that gives rise to any changes to that risk. The notion that we just pull out our risk register every three to six months, or 12 months means we’re doing risk management, we are not managing risk. We need to focus very much on that monitor and review function within the risk management framework, within the risk management process.

As I said I think that’s something that is paid a lot lip service. We do it down to our treatments; we pat ourselves on the back and say yep we’ve got our risk registers now and here are all our treatments and we hope that somebody is going to come along and do them, but in most cases they don’t get done.

The controls aren’t monitored for effectiveness and every 12 months or every six months or every 3 months we pull out our risk registers say yep those things are still risks and away we go again.

That is not risk management, the monitor and review part is actually the glue that binds the whole of the risk management process together and makes sure that it continues to function and that is continues to add value to the organisation.

Well that’s all I’ve got for this session.

As always let’s be careful out there.

Written by Rod Farrar

Rod is an accomplished risk consultant with extensive experience in the delivery of professional consultancy services to government, corporate and not-for-profit sectors. Rod takes every opportunity available to ensure his risk management knowledge remains at the ‘cutting edge’ of the discipline. Rod’s Risk Management expertise is highly sought after as is the insight he provides in his risk management training and workshop facilitation. Rod was recognised by the Risk Management Institution of Australia as the 2016 Risk Consultant of the Year and one of the first five Certified Chief Risk Officers in Australasia.