Monitor and Review of Risk Management Process
Well hello again.
In this session what I want to talk about is monitor and review of your risk framework but also your individual risks.
It’s a part of the risk management process that I don’t think gets the level of importance that it should. So let’s break those things down.
First and foremost, what are we monitoring?
Well, we are monitoring the environment; we're monitoring that environment for any changes that might give rise to a change in the risk level of a particular risk. We are looking for triggers that might indicate that an event is more likely to occur. We are also monitoring the effectiveness of our framework.
So we're monitoring whether all the parts of the organisation are meeting their policy requirements, whether parts of the organisation are maintaining their risk registers, and whether the risk governance function is actually operating, such that people are being challenged as to what's in their risk register: why is it there, and why is it at that level?
We are also monitoring the effectiveness of our framework in terms of the maturity against best practice. And we are also monitoring our key performance indicators, not only from the risk side but for the whole of the organisation to see whether we’re actually adding value and contributing to the objectives and the outcomes of the organisation.
Well, that’s the monitor side of it.
Then there is the review. I have seen a number of organisations, represented in courses that I've been conducting, where they pull the risk register out every three months, or once every 12 months, and do a review of the risk register.
The risk register is a live document. It's not something that you pull out every 12 months, dust off, say "yep, they're still risks", and put back on the shelf. You need to be continually reviewing, particularly those risks that are high and extreme, or, as I advocate, continually reviewing those risks with the highest level of consequence, because we want to make sure that our control environment is remaining effective.
So we are continually reviewing that risk, and we are continually monitoring the controls, since that is what gives rise to any changes to that risk. The notion that we are doing risk management because we pull out our risk register every three, six or 12 months is mistaken: we are not managing risk. We need to focus very much on that monitor and review function within the risk management framework, within the risk management process.
As I said, I think that's something that is paid a lot of lip service. We do it down to our treatments; we pat ourselves on the back and say "yep, we've got our risk registers now and here are all our treatments", and we hope that somebody is going to come along and do them, but in most cases they don't get done.
The controls aren't monitored for effectiveness, and every 12 months, or every six months, or every three months, we pull out our risk registers, say "yep, those things are still risks", and away we go again.
That is not risk management. The monitor and review part is actually the glue that binds the whole of the risk management process together and makes sure that it continues to function and that it continues to add value to the organisation.
Well, that's all I've got for this session.
As always, let's be careful out there.