Monitor and Review in Risk Management
In this session what I am going to talk about is monitor and review.
Now, we all know that monitor and review is on the right hand side of our risk management process and supposedly monitoring and reviewing is happening across the whole of the risk lifecycle. The reality is what I see is organisations that say monitor and review, every 3 months or every 6 months or every 12 months we pull our risk register out of our G drive or our system and have a look and just confirm that they are still risks and their level and so forth.
That is not monitor and review. The monitor part of it is the most important part and I’ve actually broken it down into 4 distinct categories of monitoring your particular risks: manage intensively, manage closely, watch and act, and acknowledge. Now I will go through these and talk about what I believe is meant by each of those.
Now let’s look at manage intensively and what we mean by that. I believe that the risks that fall into that category are those risks that are severe, i.e. extreme; we are looking at high likelihood, high consequence, but also those risks with the highest level of consequence to the organisation regardless of the likelihood, because we really need to monitor those as well.
What are we monitoring? Well, first and foremost of course we are monitoring the controls and their effectiveness and that will give us significant assurance that those controls are effective.
We are also monitoring and scanning the internal and external environment constantly, within the organisation, to identify any of those triggers that might give an indicator that that event is going to occur.
So, those people or those risk owners for the risks that fall into that category need to be looking and monitoring this particular risk always, basically non-stop.
Then we’ve got manage closely, and I believe the risks that fall into this particular category are our high risks and also the risks with major consequences to the organisation, regardless of the likelihood. So what are we doing there as part of the monitor process for those particular risks?
Well of course, once again we are managing or making sure that the control environment is effective, and that gives us reasonable assurance that those controls are going to limit the likelihood of that particular risk occurring. Once again we’re also scanning the internal and external environments to make sure to identify any triggers that may give rise to that risk.
So, when it comes to those two, the manage intensively and the manage closely, the risk owners of all those particular risks can ill afford to be pulling out the risk register every 3, 6 or 12 months, because if you’re waiting that long, those events are more likely to happen.
Now, the next category is watch and act, and I put medium risks into that category, or those risks regardless of likelihood that have a moderate impact on the organisation, and of course we don’t need to provide as much assurance around the control effectiveness for those particular risks.
We do need to provide some assurance that those controls are effective, but only to the extent that we have the resources to be able to do that. They are not as great a priority as the first two categories we’ve talked about.
And of course we are looking at the environment to see if there are any changes that might give rise to the likelihood increasing or, worse still, the consequences of that particular event escalating or becoming greater as well.
Now the final one is acknowledge, and we’re talking about the lower risks or risk events with minor or insignificant consequences. The reality is that the only thing we need to scan in terms of the environment there is whether there are, once again, any changes to the likelihood or the consequence.
Even if we have an almost certain event that’s going to have minor or insignificant consequences, the question that you need to ask yourself is: do I really need to reduce the likelihood of that particular event occurring, because when it does it has such a little impact on the organisation? I’ve discussed in a previous blog whether we even put those into the risk register.
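One way to turn the four categories into something a risk owner can actually run against a register, as an added example that is not part of the original post: each entry is rated from its likelihood and consequence, lifted into a higher category where the consequence alone demands it (the "regardless of the likelihood" cases above), and then checked against how long ago it was last monitored, so that a "manage intensively" risk that was last looked at three months ago is flagged rather than quietly confirmed. The 5x5 scales, the rating thresholds, the maximum monitoring ages per category and the sample register entries are all my own assumptions, not figures from the post.

```python
"""Triage a risk register into the four monitoring categories from the post
and flag entries whose monitoring is overdue or whose controls failed.

Added example, not the post's own material. The likelihood/consequence
scales, the rating thresholds and MAX_AGE_DAYS are assumptions chosen to
illustrate the argument, not a standard the post prescribes.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Assumed ordinal scales (1 = lowest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Assumed maximum age of the last monitoring check per category. The post
# describes the top two as "basically non-stop"; 1 and 7 days stand in for
# that here, and the familiar quarterly/annual cadences are left only for
# the lower two categories.
MAX_AGE_DAYS = {
    "manage intensively": 1,
    "manage closely": 7,
    "watch and act": 90,
    "acknowledge": 365,
}
TOP_TWO = ("manage intensively", "manage closely")


@dataclass
class Risk:
    risk_id: str
    likelihood: str
    consequence: str
    last_monitored: date        # when controls and environment were last checked
    controls_effective: bool    # result of the last control-effectiveness test


def rate(likelihood: str, consequence: str) -> str:
    """Matrix rating (thresholds assumed). Minor or insignificant consequences
    never rate above low, matching the post's point that an almost-certain
    event with a trivial impact still belongs in 'acknowledge'."""
    lk, cs = LIKELIHOOD[likelihood], CONSEQUENCE[consequence]
    if cs <= 2:
        return "low"
    score = lk * cs
    if score >= 16:
        return "extreme"
    if score >= 10:
        return "high"
    return "medium"


def monitoring_category(likelihood: str, consequence: str) -> str:
    """The post's four categories: the rating drives it, but consequence on
    its own lifts a risk into a higher category regardless of likelihood."""
    rating = rate(likelihood, consequence)
    cs = CONSEQUENCE[consequence]
    if rating == "extreme" or cs == 5:
        return "manage intensively"
    if rating == "high" or cs == 4:
        return "manage closely"
    if rating == "medium" or cs == 3:
        return "watch and act"
    return "acknowledge"


def overdue(register: list[Risk], today: date) -> dict[str, str]:
    """Map risk id -> reason for every entry that needs attention: its last
    check is older than its category allows, or (top two categories only)
    its last control test came back ineffective."""
    flagged: dict[str, str] = {}
    for r in register:
        cat = monitoring_category(r.likelihood, r.consequence)
        reasons = []
        if (today - r.last_monitored).days > MAX_AGE_DAYS[cat]:
            reasons.append("stale")
        if cat in TOP_TWO and not r.controls_effective:
            reasons.append("controls ineffective")
        if reasons:
            flagged[r.risk_id] = "; ".join(reasons)
    return flagged


# Constructed sample register and reference date for a stand-alone run.
TODAY = date(2024, 6, 30)
REGISTER = [
    Risk("R1", "likely", "severe", TODAY, True),                        # intensively, checked today
    Risk("R2", "rare", "severe", TODAY - timedelta(days=90), True),     # intensively via consequence; quarterly is far too old
    Risk("R3", "possible", "major", TODAY - timedelta(days=3), False),  # closely; fresh check but controls failed
    Risk("R4", "unlikely", "moderate", TODAY - timedelta(days=60), True),
    Risk("R5", "almost_certain", "minor", TODAY - timedelta(days=200), True),  # acknowledge; annual is fine
]

if __name__ == "__main__":
    for r in REGISTER:
        print(r.risk_id, monitoring_category(r.likelihood, r.consequence))
    print("needs attention:", overdue(REGISTER, TODAY))
```

Run as a script it lists each entry's category and then the entries that need attention; R2 shows why a quarterly register pull is not monitoring for a highest-consequence risk, and R3 shows that a recent check is no assurance at all if the control test it recorded failed.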
In summary, monitor and review is not just something where we pull out the risk register every 3, 6, 12 months or longer, in the case of some organisations. It is a continuous program and process where we make sure that those events that are high in the minds of our executive, i.e. those with the highest level of consequences and in some cases likelihood, are not going to happen.
We cannot give the assurance to our executive if we are just looking at those things periodically. We need to monitor and review the environment and make sure that we’re monitoring and reviewing the effectiveness of our controls so we can provide adequate reporting and assurance to our senior executive.
Well that’s all I’ve got for this particular session and as always, let’s be careful out there.