ISO 31000:2018 Example of Enterprise Risk Management Manual

1.0 Overview

Enterprise risk management addresses the risks and opportunities affecting value creation or value preservation and is defined as follows:

“Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”.

Enterprise risk management (ERM) is:

  • A process, ongoing and flowing through an entity
  • Effected by people at every level of an organization
  • Applied in strategy setting
  • Applied across the enterprise, at every level and unit
  • Designed to identify potential events that, if they occur, will affect the entity, and to manage risk within its risk appetite
  • Able to provide reasonable assurance to an entity’s management and board of directors, and,
  • Geared to achievement of objectives in one or more separate but overlapping categories.

1.1 Key Definitions

Risk Management Philosophy: An entity’s Risk Management Philosophy is a set of shared beliefs and attitudes characterizing how the entity considers risk in everything it does, from strategy development and implementation to its day-to-day activities.

Risk Management: An ongoing process, involving the Board of Directors, management and other personnel. It is a systematic approach to setting the best course of action to manage uncertainty by identifying, analyzing, assessing, responding to, monitoring and communicating risk issues/events that may have an impact on an organization successfully achieving its business objectives.

Event: An event is an incident or occurrence from internal or external sources that affects achievement of objectives. It can have a negative impact, a positive impact, or both. A risk is the possibility that an event will occur that would adversely affect the achievement of objectives. An opportunity is the possibility that an event will occur and positively affect the achievement of objectives.

Risk Universe: A consolidation and segregation of the main and sub-categories of risks affecting an organization, typically segregated into Environmental, Process and Information for Decision-Making risks.

Risk Appetite: The degree of risk, on a broad-based level, that the organization is willing to accept or take in pursuit of its objectives.

Risk Tolerance: The level of risk that the organization is willing to accept in various risk areas. This can be measured in terms of both quantitative and qualitative dimensions.

Risk Mitigation: Risk mitigation is the technique used to treat a risk and reduce it to a level acceptable to the organization. It involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended by the risk assessment process. It is a systematic reduction in the extent of exposure to a risk and/or the likelihood of its occurrence.

Risk Profile: A visual representation, accompanied by explanations, either of the key risks or of the entire portfolio of risks facing an organization, typically depicted in a heat map.

1.2 Purpose

The Enterprise Risk Management (ERM) Manual defines the overall risk management practices for XXX. Contained within the ERM Manual is a description of the ERM practices used to monitor, control, and track material risks to which XXX is exposed in its operations. The Manual also sets out the individual and functional responsibilities required to achieve the business objectives of its ERM. The purpose is to ensure that exposures to enterprise-wide risks that have been identified, measured, and deemed appropriate for response are treated using the most effective and efficient methods. Further, it provides a framework for XXX to identify opportunities and consider the implications of ignoring these opportunities. XXX management tasked with decision-making across Departments must consider the associated risks and use XXX’s decision-making structure to avoid risks when required. While many functions within XXX may differ in risk exposure, a common and practical risk taxonomy supported by risk categories will inform the appropriate use of risk data. As XXX changes in size, nature of operations and complexity over time, the ERM Manual should evolve to ensure that all significant new, emerging and increased risks are appropriately considered and addressed as part of the ongoing review and assessment process.

1.3 Custody and Management of the Manual

The Risk Management Department is the owner of the Enterprise Risk Management Function and is therefore responsible for the management and implementation of the content of this document as applicable. The custodian and controller of this Manual is the Risk Officer. All inquiries and requests for revisions relating to matters included in this Manual are to be addressed to the Risk Committee through the Risk Officer. The Controller of this Manual will have physical custody of the master copy, in both printed and electronic formats. For all official purposes, the master copy held by the Controller will serve as the definitive document.

Physical distribution

Distribution of this Manual is controlled and monitored by maintaining a Manual Distribution Control Record that will record the following information about the distribution of copies of this Manual:

  • Manual name
  • Manual Controller name and designation
  • Manual copy serial number
  • Issue date (to custodians)
  • Custodian name (program/department manager to whom the Manual is issued)
  • Custodian designation
  • Custodian signature (to signify receipt of the Manual)
  • Return date (to be entered in case the custodian hands over the Manual, such as in cases of resignation, revision of the whole Manual and issue of a new version, etc.), and,
  • Controller signature (on return of the Manual)

Access through XXX intranet/internet

XXX shall grant “Read Only” access rights to designated employees for this Manual through the Intranet/Internet. Granting such access rights shall be subject to the approval of the Risk Management Department.

1.4 Manual Review

This Manual is structured into a number of sections for ease of review and approval. The Risk Officer is responsible for the annual review and update of the framework based on inputs and recommendations from the Risk Champions and other XXX Departments, subject to Risk Committee endorsement and Board of Directors approval. Changes to the Manual will be made as a result of one or a combination of the following reasons:

  • Changes in local laws and regulations
  • Changes in functions and activities of XXX
  • Changes in business processes
  • Changes in the organizational structures
  • Changes in authority structures (changes in job roles, duties, and descriptions), and,
  • Changes in the market and country that would affect risk management.

All requests for changes are to be processed as follows:

  • The requesting employee prepares a request and discusses it with their respective Risk Champion.
  • The Risk Champion discusses and documents their recommendations regarding the suggested changes. The request is subsequently forwarded to the Risk Officer for discussion and review.
  • The Risk Officer documents their opinion on the suggested changes.
  • The Risk Officer subsequently reviews and discusses the proposed changes with the Risk Committee, which documents its opinion before any change is sent for approval.
  • The proposed changes to the Manual, with the Risk Committee’s opinions, are then forwarded to the Board of Directors for approval.
  • Upon approval by the Board of Directors, the amendments are incorporated into the Manual by the Risk Officer, and,
  • All changes are logged in the updates log of this Manual, which is maintained by the Document Controller.

2 Risk Management Process

Risk Management is an ongoing and cyclical process. The Board of Directors and senior management in an organization set “the tone” for how risk management activities are conducted throughout the organization. This includes establishing a risk appetite and how risks will be identified, assessed, managed and monitored. The overall risk management process can be summarized by the elements below:

  • Risk Identification: This includes documenting the potential events that will affect the organization’s achievement of its objectives; events with a negative impact represent risks (requiring assessment and response by management), and events with a positive impact represent opportunities (which can be channeled back into the strategy and objective-setting processes).
  • Risk Assessment: This includes assessing events from two perspectives, likelihood and impact, using a combination of qualitative and quantitative methods. Risks are assessed on an inherent and residual basis, and the assessment includes categorizing and prioritizing these risks.
  • Risk Control: This includes the development of strategies for mitigating (Terminate, Reduce, Accept or Pass on) risks to within the desired risk tolerance levels, exploiting any opportunities, and understanding all control costs and benefits.
  • Monitoring and Reporting: This includes monitoring of risk management through a variety of ongoing monitoring activities and/or separate evaluations. The organization’s risk management performance should be reported regularly to the Board of Directors.

3 Risk Management Infrastructure

3.1 Risk Infrastructure

The ERM framework provides a mechanism for oversight and guidance on the roles, responsibilities and reporting lines for managing and communicating risks and controls within XXX, while providing a flow of risk information to be aggregated by a centralized ERM function (the Risk Management Function).

The key functions and stakeholders who are responsible for XXX’s Enterprise Risk management are described below:

  • Board of Directors: Provides oversight of the overall ERM process and monitors priority risks.
  • Risk Committee: Oversight of the ERM implementation, and of risk monitoring and reporting.
  • Risk Officer: Responsible for risk reporting, monitoring and management.
  • Risk Champions: Identification, assessment, and close review and monitoring of risks.

The Risk Committee is composed of the following members:

  1. Chief Executive Officer
  2. Member of the Board of Directors
  3. Risk Officer

The Committee’s composition reasonably covers all the functions of XXX, while the number of members is kept small to ensure efficiency in decision making and responsiveness of the members, given the Committee’s dynamic role. A quorum at a Committee meeting shall consist of a majority of the Committee members (at least 2 out of 3 members must attend to meet the quorum). The Risk Committee may invite members of management to attend Risk Committee meetings as needed.

The following describes the key roles and responsibilities of XXX’s ERM stakeholders.

1. Board of Directors

  • Provide effective oversight of the organization’s risk management process.
  • Understand the most significant risks affecting the organization and be informed of the mitigating actions taken by senior management for key risks.
  • Monitor XXX’s priority risks through quarterly reports raised by the Risk Committee and make decisions in their regard.
  • Review and approve the ERM policy, risk appetite, risk infrastructure, and XXX Risk Strategy.
  • Approve XXX’s ERM Manual and framework.
  • Maintain management commitment to improving ERM performance.
  • Issue directives for risk treatment to maintain risk levels within defined tolerance thresholds, and approve risk treatment expenditures.
  • Provide direction to the Risk Committee on risk mitigation and response plans.

2. Risk Committee

  • Review the ERM policy, risk appetite, risk infrastructure, and risk documentation such as risk tolerances, impact and likelihood scales, and risk rating boundaries.
  • Monitor XXX’s ERM maturity against XXX’s ERM strategy.
  • Assume overall responsibility and accountability for ERM.
  • Endorse XXX’s ERM Manual and framework.
  • Ensure ERM objectives, plans, and procedures are developed to implement the policy. Make the necessary resources available to meet ERM’s objectives and targets.
  • Approve XXX’s risk register.
  • Maintain an awareness and understanding of XXX’s risk appetite, the principal risks to achieving XXX’s strategic objectives, and the actions being taken to maintain overall risk levels within the stated risk appetite.
  • Recommend directives for risk treatment to maintain risk levels within defined tolerance thresholds, and approve risk treatment expenditures.

3. Risk Officer

  • Develop, implement, and administer the ERM Manual.
  • Develop and maintain ERM policies, processes, procedures, standard tools, and information systems.
  • Develop and deliver ERM training.
  • Ensure that all activities are carried out consistently with the ERM Policy.
  • Ensure that appropriate processes and capabilities are in place to identify, assess, measure, manage, monitor, and report risks.
  • Assist management in bringing risks back within established risk tolerance thresholds in the event of a breach. Determine the consequences of such a breach and take corrective action.
  • Assist management with resource allocation decisions so that they are based on the best, most correct and most complete information.
  • Establish ERM communication at all levels. Gather data and develop risk reports for the Risk Committee and management as required.
  • Analyze ERM performance reports. Aggregate and prioritize risks, validate assumptions and methodologies, report risks, and ensure information presented for decision-making and reporting is complete and correct.
  • Deploy and maintain tools that assist in estimating the likelihood and impact of risk events.
  • Facilitate the identification, measurement, monitoring, and reporting of risks through risk identification and assessment workshops.
  • Own and manage XXX’s risk register.

4. Risk Champion

  • Coordinate with the Risk Officer on periodic risk assessment, which involves identifying, analyzing, describing and estimating the impact of identified and emerging risks.
  • Plan, design and implement an overall risk management process for the respective department, in conjunction with the Risk Officer.
  • Monitor controls, mitigation plans, and risk treatment plans.
  • Periodically report on risk mitigation activities for all identified risks to the Risk Management Department, ensuring accountability for risk management and providing status updates on action plans.
  • Monitor and report on risk indicators to ensure that XXX has not exceeded its approved risk appetite.

5. Process owners

The process owner is the ultimate owner of the identified risks; process owners are therefore responsible for managing risks and implementing risk mitigation plans and controls, subject to monitoring and reporting by the Risk Champions. The process owners are responsible for providing the Risk Champions with the risks identified in their respective areas.

6. Internal Audit Function

The Internal Audit function in XXX is responsible for monitoring compliance with ERM policies and procedures, evaluating the effectiveness of current ERM processes, including the effectiveness of controls and other risk treatment actions, and providing recommendations for improvement.

3.2 Summary of Authority Matrices

Activity                                                        | Initiate        | Endorse         | Approve
----------------------------------------------------------------|-----------------|-----------------|-------------------
Kick-off, Risk Identification and Assessment, Annual Workshop   | Risk Officer    | -               | -
Initiate update of Risk Register                                | Risk Champions  | Risk Officer    | -
Quarterly update of Risk Register                               | Risk Champions  | Risk Officer    | Risk Committee
Annual update of Risk Register                                  | Risk Officer    | Risk Committee  | Board of Directors
Quarterly Testing                                               | Risk Champions  | Risk Officer    | -
Risk Monitoring Reports                                         | Risk Champions  | Risk Officer    | Risk Committee
Escalation of Identified Risks                                  | Risk Champions  | Risk Officer    | Risk Committee
Risk Monitoring Ad Hoc Reports (Major to Catastrophic)          | Risk Officer    | Risk Committee  | Board of Directors
Risk Monitoring Ad Hoc Reports (Moderate)                       | Risk Champions  | Risk Officer    | Risk Committee
Risk Monitoring Ad Hoc Reports (Insignificant to Minor)         | Risk Champions  | Risk Officer    | Risk Committee
Post Impact Report                                              | Risk Officer    | Risk Committee  | Board of Directors

4 Risk Appetite Guidelines

XXX seeks to ensure that risks are taken in a systematic, thoughtful manner, and that personnel throughout XXX are clear on what types of risks must be taken to achieve XXX’s strategic thrusts, and what types of risks should be avoided to protect its intended purposes. XXX’s risk appetite is articulated by statements covering the following elements:

  • Risk philosophy
  • Risk attitude (seeker, averse, neutral)
  • Risk and return relationship
  • Mitigation preference
  • Risk treatment priorities
  • Acceptable impact thresholds, and,
  • Risk appetite category.

Risk appetite statements cover two levels as follows:

  • Entity-wide statement, which describes XXX’s willingness to take risks as an entity, and,
  • Parameters statement, which describes XXX’s willingness to accept risk impact for each risk parameter.

XXX has three categories of risk appetite for application to each risk parameter:

Category                                            | Description
----------------------------------------------------|------------------------------------------------------------------
No appetite for risk                                | XXX is unwilling to knowingly take risks in this area, and is committed to sustaining a strong management and control system to minimize exposure.
Moderate appetite for promising cost/benefit risk   | XXX is willing to expose itself to measured risk in this area, when the risk taken is based on a favorable cost/benefit analysis. XXX recognizes that compromise decisions must be made to balance meeting XXX’s objectives against minimizing exposure.
Large appetite for well-thought-out risk and failure | XXX is willing to expose itself to more risk in this area, and is able to tolerate a degree of loss or failure. XXX recognizes that occasional failure is to be expected as it seeks operational excellence.

XXX Management is taking action to ensure attainment of, and sustained compliance with, the following standards:

  • Risk appetite should be defined and approved by XXX’s Board. This applies to the first issue as well as subsequent revisions.
  • Risk appetite should be aligned with XXX’s strategy, values and objectives, and should be linked to key performance indicators.
  • Responsibility for applying risk appetite should be distributed across all the employees of XXX, subject to monitoring by the Risk Champions through periodic reporting.
  • Risk appetite concepts should be embedded in processes, policies and procedures, annual planning, resource allocation, and the various business and risk processes, and,
  • Risk appetite statements can be quantitative and/or qualitative in context, based on the risk type and the extent to which the appetite can be quantified.

5 Risk Identification

This section outlines the process of risk identification, in which XXX identifies all potential risk events that will affect the achievement of its objectives. Each event takes the form of either a risk (negative event) or an opportunity (positive event). The risk identification process takes into consideration both internal and external events (global, regional and local). For example: in the process of identifying risks, the Enterprise Risk Management Function has identified “Loss of Funding” as one of the key risks common across the entire foundation.

5.1 Policies

Risk Identification is conducted annually as part of the Annual Risk Assessment workshops during the fourth quarter of XXX’s financial year.

The following are the key objectives of the Annual Risk Assessment Workshop:

  • Identifying risk events and risk indicators
  • Measuring the inherent impact and likelihood of each risk event (before mitigation plans are set)
  • Setting the mitigation plans for each individual risk
  • Measuring the residual impact and likelihood of each risk (after mitigation plans are set)
  • Setting the risk responses to the risk event should it occur, and,
  • Assigning responsibility for risks

The Risk Officer is responsible for facilitating the risk identification process for each Department. This is achieved by coordinating the Annual Risk Assessment Workshop during the fourth quarter of XXX’s fiscal year. The workshop is attended by Risk Champions and Process Owners. The Risk Officer’s approach to risk assessment is a bottom-up risk assessment, in which risks are identified by the process owners and Risk Champions, validated by the Risk Committee and approved by the Board.

The Risk Officer is responsible for disseminating the Annual Risk Assessment Workshop preparatory material at least 10 working days before the workshop date. The material comprises (but is not limited to) the following:

  • Objectives, expectations and outcomes of the Risk Assessment Workshops
  • Current risk inventory of potential events that have been identified and maintained in the XXX’s Risk Register
  • XXX Risk Assessment template
  • Questions and/or surveys about new emerging risks associated with new or altered department objectives
  • Instructions on how to conduct risk identification using the XXX Risk Universe, and
  • Examples of risk identification applicable to the department.

Periodic Risk Assessment Workshops are facilitated and driven by the Risk Officer in coordination with the respective Risk Champion of the particular department. XXX’s Risk Assessment is documented in the XXX Risk Register, subject to validation by the respective Director and approval of the Risk Committee. The XXX Risk Register comprises the following elements:

  • Risk Type
  • Risk Event
  • Key Risk Indicator
  • Impact Type (Primary)
  • Inherent Risk Scoring (Impact x Likelihood)
  • Risk Rating
  • Mitigation Plan (Treatment type, Treatment plan, existence)
  • Residual Risk (Impact x Likelihood)
  • Risk Response,
  • Risk Champion.

Each risk event is assigned to one of the categories identified in the XXX risk universe. The Risk Officer is responsible for consolidating the Risk Assessment Workshop outputs for validation and finalization within 15 working days of the assessment date. The Risk Champions are responsible for a quarterly review and update of the XXX Risk Register based on inputs from process owners. Updates and changes to the risk register may result from (but are not limited to) the following:

  • New activities, programs, or operations.
  • Changes to or omission of the mandate of any of the activities, programs, or operations.
  • Environmental changes affecting XXX (e.g. governmental laws, market changes, technological changes, etc.).
  • Changes in the control environment.

The Risk Champions are responsible for communicating the updated risk register on a quarterly basis to the Risk Officer for review and endorsement. The Risk Officer is the custodian and owner of XXX’s approved risk register and is responsible for monitoring the quarterly updates received from the Risk Champions and for maintaining the final risk register. The XXX Risk Register is subject to quarterly endorsement by the Risk Committee and annual Board approval.

5.2 Procedures

  1. The Risk Officer announces the kick-off of the annual Risk Assessment Workshops.
  2. The Risk Champions review and update the existing risk register according to emerging risks and changes in existing risks.
  3. The Risk Champions send the updated risk register to the Risk Officer for review and endorsement.
  4. The Risk Officer arranges a workshop date with the Risk Champions and Process Owners.
  5. The Risk Officer disseminates the updated risk register of the particular department, along with the preparatory material, to the Risk Champions and risk owners at least 10 working days before the workshop date.
  6. The workshop is conducted by the Risk Officer in coordination with the Risk Champions, and the updated risk register is reviewed for final update based on inputs from the workshop attendees.
  7. Upon completion of the workshop, the Risk Officer prioritizes risks based on the residual risk rating and prepares a draft risk register.
  8. The Risk Officer sends the draft risk register to the respective department head or CEO of the subsidiary for their review and sign-off.
  9. The Risk Officer sends the endorsed risk register to the Risk Committee for review and endorsement.
  10. Upon completion of the Risk Assessment Workshops, the Risk Officer consolidates all the final approved risk registers for monitoring and reporting purposes.

6 Risk Assessment

The assessment takes into consideration the likelihood and impact of the event’s occurrence and, at the same time, the levels of inherent and residual risk posed to the organization.

For example, in the process of assessing risks, the Enterprise Risk Management Function has outlined the risk ranking of the “Loss of Funding” risk as follows:

  • Inherent Impact x Likelihood = 6 x 3 = 18
  • Impact: Temporary shutdown of XXX program due to lack of funding
  • Risk Type: Financial Impact

6.1 Policies

Risk Assessment is conducted annually as part of the Annual Risk Assessment Workshops during the fourth quarter of XXX’s fiscal year. The Risk Champions are responsible for communicating the updated risk register on a quarterly basis to the Risk Officer for review and endorsement. Risk Assessment includes three key elements of risk:

  • Impact
  • Likelihood, and,
  • Readiness, to provide an indication of the organization’s residual risk.

The following criteria are used for ranking the assessment of Impact and Likelihood:

Impact (Financial, Stakeholders, Strategic, Reputational, Operational)

Rank            | Score
----------------|------
Catastrophic    | 5
Major           | 4
Moderate        | 3
Minor           | 2
Insignificant   | 1

Likelihood

Rank       | Likelihood                                                          | Score
-----------|---------------------------------------------------------------------|------
Certain    | More than 90%, or daily occurrence                                  | 5
Likely     | More than 60% but less than or equal to 90%, or weekly occurrence   | 4
Moderate   | More than 35% but less than or equal to 60%, or monthly occurrence  | 3
Unlikely   | More than 20% but less than or equal to 35%, or annual occurrence   | 2
Rare       | Up to 20%, or long-term occurrence (once every 3 to 5 years)        | 1

Assessment of Impact is based on the risk parameters below:

  • Financial impact
  • Stakeholders’ impact
  • Reputational impact
  • Operational impact, and,
  • Strategic impact.

Each risk parameter has specific thresholds, determined on the basis of XXX’s Risk Appetite. These thresholds are used to determine the impact rank and score.

Impact is determined based on the highest impact rank under any of the parameters (e.g. if a risk is financially catastrophic but operationally minor, the risk impact will be ranked as catastrophic, thus = 5).

Assessment of likelihood is based on the probability or frequency of occurrence of the risk event. The overall assessment of a risk is based on the assessment of Impact and Likelihood, taking into consideration the current control environment.

Total risk score is calculated based on the following formula: [Residual Impact X Residual Likelihood = Residual Risk Score].

The following table gives the ranks for residual risk scores:

Rank            | Residual Risk Score
----------------|--------------------
Catastrophic    | 20-25
Major           | 10-19
Moderate        | 5-9
Minor           | 3-4
Insignificant   | 1-2

The Risk Assessment Criteria are to be reviewed annually as part of this framework’s revision. Risk profiling and prioritization are based on the final risk scores determined by the risk assessment results. Upon completion of the risk assessment process, the Risk Management Department is responsible for developing and documenting a risk rating matrix to be presented to the Risk Committee. XXX’s Risk Register is subject to quarterly endorsement by the Risk Committee and annual Board approval.

6.2 Procedures

During the Risk Assessment workshop, the Risk Management Department ensures the following:

  • The impact of each identified risk is tested under each risk parameter defined in this Framework and the impact scoring is determined accordingly.
  • The likelihood of each identified risk is calculated based on the likelihood measurement criteria defined in this Framework.
  • Total Inherent Risk Score is determined using the formula [Impact x Likelihood].
  • Risk Treatment is determined, and existing controls are assessed.
  • Residual Impact and Likelihood are calculated again based on the criteria defined in this Framework.
  • The final residual risk score is calculated using the formula [Residual Impact x Residual Likelihood], and,
  • The risk is ranked based on the heat map provided in Appendix 3.
  • The Risk Officer prepares the risk profile based on the risk rankings and assigns responsibilities for monitoring accordingly.

The Risk Champions document the results of the risk assessment in the Risk Register; this is validated by the respective heads of department and approved by the Risk Committee. The final risk register is disseminated to Internal Audit for their reference and inputs (if any).

7 Risk Mitigation and Controls

This section outlines the development and implementation of cost-effective action plans and controls for reducing the likelihood and/or impact of a risk event to an acceptable level. Risk Mitigation actions are divided into four options as follows:

  • Terminate: Exiting the activities giving rise to the risk; this implies that no response option was identified that would reduce the impact and likelihood to an acceptable level.
  • Reduce: Action is taken to reduce risk likelihood and/or impact.
  • Accept: No action is taken to reduce risk likelihood and/or impact, or,
  • Pass on: Reducing risk likelihood or impact by transferring, or otherwise sharing, a portion of the risk.

For example, in the process of assessing existing controls to mitigate the “Loss of Funding” risk to a tolerable level as part of the risk assessment, the following resulted:

  • Mitigation Plan: XXX to find other sources of sustainable funding.
  • Existing Control: Realized revenue from investments.
  • Residual Impact x Likelihood = 4 x 3 = 12
  • Residual Risk Rank = Major (residual score 10-19 per the residual risk score table in section 6.1)
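The scoring rules of sections 6.1 and 6.2 (impact taken as the highest rank across the five parameters, likelihood mapped from a probability or an occurrence frequency, Impact x Likelihood, residual score bands) together with the escalation routing for ad hoc reports in the section 3.2 authority matrix, as an added Python example. This is not part of the Manual or of any XXX tooling; the function and constant names are assumptions of this example, and the only inputs are the Manual’s own scales. The range check rejects anything outside the 1-5 scale, which is why the section 6 example’s impact of 6 cannot be scored as written, and the section 7 residual score of 4 x 3 = 12 lands in the Major band (10-19) of the section 6.1 table.

```python
"""Risk scoring per the ERM Manual's section 6.1 criteria (added example,
not the Manual's own code). Scales copied from the Manual; names are mine."""
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

# Section 6.1: the five impact parameters and the impact rank scores.
IMPACT_PARAMETERS = ("financial", "stakeholders", "reputational",
                     "operational", "strategic")
IMPACT_RANKS = {"catastrophic": 5, "major": 4, "moderate": 3,
                "minor": 2, "insignificant": 1}

# Section 6.1 likelihood bands: (rank, score, exclusive lower probability
# bound, frequency keyword). Ordered from most to least likely.
LIKELIHOOD_BANDS = (
    ("certain", 5, 0.90, "daily"),      # more than 90%, or daily
    ("likely", 4, 0.60, "weekly"),      # >60% and <=90%, or weekly
    ("moderate", 3, 0.35, "monthly"),   # >35% and <=60%, or monthly
    ("unlikely", 2, 0.20, "annual"),    # >20% and <=35%, or annual
    ("rare", 1, 0.00, "long-term"),     # up to 20%, or once every 3-5 years
)

# Section 6.1 residual risk score bands: (rank, low, high) inclusive.
SCORE_BANDS = (("catastrophic", 20, 25), ("major", 10, 19),
               ("moderate", 5, 9), ("minor", 3, 4), ("insignificant", 1, 2))

# Section 3.2 authority matrix, ad hoc monitoring reports:
# rank -> (initiate, endorse, approve).
AD_HOC_ROUTING = {
    "catastrophic": ("Risk Officer", "Risk Committee", "Board of Directors"),
    "major": ("Risk Officer", "Risk Committee", "Board of Directors"),
    "moderate": ("Risk Champions", "Risk Officer", "Risk Committee"),
    "minor": ("Risk Champions", "Risk Officer", "Risk Committee"),
    "insignificant": ("Risk Champions", "Risk Officer", "Risk Committee"),
}


def on_scale(value) -> bool:
    """True only for integer scores on the Manual's 1-5 scale."""
    return isinstance(value, int) and not isinstance(value, bool) and 1 <= value <= 5


def check_score(value: int, name: str) -> int:
    """Reject off-scale input (e.g. the impact of 6 in the section 6 example)."""
    if not on_scale(value):
        raise ValueError(f"{name} must be an integer 1-5, got {value!r}")
    return value


def impact_score(per_parameter: Mapping[str, int]) -> int:
    """Section 6.1: the highest rank under any parameter sets the impact
    (financially catastrophic but operationally minor -> 5)."""
    if not per_parameter:
        raise ValueError("at least one impact parameter is required")
    for name, score in per_parameter.items():
        if name not in IMPACT_PARAMETERS:
            raise ValueError(f"unknown impact parameter {name!r}")
        check_score(score, name)
    return max(per_parameter.values())


def likelihood_score(probability: Optional[float] = None,
                     frequency: Optional[str] = None) -> int:
    """Map a probability (0..1) or an occurrence frequency keyword to 1-5."""
    if probability is not None:
        if not 0.0 <= probability <= 1.0:
            raise ValueError("probability must lie within 0..1")
        for _rank, score, lower, _freq in LIKELIHOOD_BANDS:
            if probability > lower:
                return score
        return 1  # exactly 0.0 is still "rare"
    if frequency is not None:
        for _rank, score, _lower, freq in LIKELIHOOD_BANDS:
            if freq == frequency.strip().lower():
                return score
        raise ValueError(f"unknown frequency {frequency!r}")
    raise ValueError("supply either a probability or a frequency")


def risk_rank(score: int) -> str:
    """Translate an Impact x Likelihood product into the section 6.1 bands."""
    for rank, low, high in SCORE_BANDS:
        if low <= score <= high:
            return rank
    raise ValueError(f"score {score} is outside 1..25")


@dataclass(frozen=True)
class RiskScore:
    impact: int
    likelihood: int

    @property
    def score(self) -> int:
        return self.impact * self.likelihood

    @property
    def rank(self) -> str:
        return risk_rank(self.score)


def assess(per_parameter_impact: Mapping[str, int], likelihood: int) -> RiskScore:
    """Section 6.2: test impact per parameter, then multiply by likelihood."""
    return RiskScore(impact_score(per_parameter_impact),
                     check_score(likelihood, "likelihood"))


def escalation_route(rank: str) -> Tuple[str, str, str]:
    """Who initiates, endorses and approves the ad hoc report for this rank."""
    return AD_HOC_ROUTING[rank]


def loss_of_funding_example():
    """Constructed walk-through modelled on the Manual's 'Loss of Funding' case.
    The inherent impact is capped at 5 because 6 is off the Manual's scale."""
    inherent = assess({"financial": 5, "operational": 2},
                      likelihood_score(probability=0.5))        # 5 x 3 = 15
    residual = assess({"financial": 4, "operational": 2},
                      likelihood_score(frequency="monthly"))    # 4 x 3 = 12
    return (inherent.score, inherent.rank), (residual.score, residual.rank)


if __name__ == "__main__":
    (i_score, i_rank), (r_score, r_rank) = loss_of_funding_example()
    print(f"inherent {i_score} ({i_rank}), residual {r_score} ({r_rank})")
    print("ad hoc report route:", escalation_route(r_rank))
```

Residual rank drives two things in the Manual: the reporting route from the section 3.2 matrix (Major and Catastrophic go to the Board; the rest stop at the Risk Committee) and, under section 7.1, who approves the mitigation plan. Keeping the bands in data rather than in scattered `if` chains means the annual review of the assessment criteria (section 6.1) changes one table.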

7.1 Policies

Risk mitigations and controls are set up annually as part of the Annual Risk Assessment Workshops during the fourth quarter of XXX’s fiscal year. The Risk Champions are responsible for communicating the updated risk register on a quarterly basis to the Risk Officer for review and endorsement. During the process of setting up risk mitigation and controls, the following aspects are taken into consideration:

  • Direct and indirect costs and benefits (qualitative and quantitative analysis)
  • Legal, political and social responsibility
  • Practicality and maintainability
  • Enterprise objectives and strategies, and,
  • Testing the effectiveness of different risk options.

During the Annual Risk Assessment Workshop and the quarterly update of the Risk Register, the Risk Champions are responsible for assessing whether these controls exist in XXX or need to be implemented, subject to the endorsement of the Risk Management Department. After one or more risk control options have been selected, the Risk Champion is responsible for calculating the residual risk, subject to the endorsement of the Risk Management Department. If the residual risk still exceeds the enterprise’s risk tolerance, additional risk control options must be considered and selected until the residual risk is reduced to within a tolerable limit. Risk mitigation may itself introduce new risks that need to be identified, assessed, treated, and monitored. The risk mitigation plan includes (but is not limited to) the following:

  • Proposed risk mitigation actions and controls
  • Resource requirements
  • Responsibility
  • Timing
  • Performance measures, and,
  • Reporting and monitoring requirements.

The Risk Management Department is responsible for developing alternative risk response suggestions, in coordination with the relevant Risk Champions and risk owners, if the suggested risk mitigation is rejected by the Risk Committee. The alternative suggestions will include a cost-benefit analysis comprising the elements below:

  • Costs and benefits of selecting alternative risk responses.
  • Cost and benefits of selecting alternative controls within the desired risk responses.

The Risk Champions are responsible for monitoring the implementation of the risk mitigation plans and testing their effectiveness and adequacy on a quarterly basis in coordination with the Risk Owners. The quarterly testing of the mitigation plans and controls is conducted according to the performance measures set in the mitigation plans. The adequacy of risk mitigation plans is reviewed and tested by the Internal Audit function, in coordination with the Risk Management Department. The Risk Officer is responsible for incorporating the required controls within XXX processes, policies, and procedures during their annual review and update, in coordination with the respective Risk Champions. For each low to medium risk event, i.e. Insignificant to Moderate, the risk mitigation plans developed and documented by the respective Risk Champion are reviewed and approved by the Risk Management Department. For each high-risk event, i.e. Major or Catastrophic, the risk responses developed and documented by the respective Risk Champion are reviewed by the Risk Officer and presented to the Risk Committee for its review and approval. The Risk Officer will periodically conduct educational sessions about risk management and the risk management activities currently underway within XXX; the Risk Officer will coordinate the mandatory attendance of all Risk Champions at a minimum of one educational session each year.

The Risk Management Department is responsible for educating the process/risk owners, covering at minimum the following elements:

  • Enterprise Risk Management
  • Risk Appetites
  • Risk Management Cycle
  • Employee roles in risk management, and,
  • Examples of risk management implemented within XXX.

The Risk Owners are responsible for implementing the controls and mitigation plans as part of their day-to-day operations, assuming full responsibility for implementation, subject to monitoring by the Risk Champions.

7.2 Procedures

Upon completion and approval of the risk register (including the risk mitigation plans and risk responsibilities), the risk owners start implementing the mitigation plans as devised in the risk register. The Risk Champions conduct quarterly testing of the implementation of the risk mitigation plans during the last three weeks of the respective quarter. The testing includes (but is not limited to) the following:

  • Existence of the controls, treatment actions
  • Adequacy of the treatment actions and controls, and,
  • Residual risks are maintained within XXX risk appetite.

The Risk Champions prepare quarterly reports on risks and mitigation plans. The Risk Officer receives the reports for review and endorsement. The Risk Committee receives the reports for review, decision making and approval.

8 Monitoring and Reporting

This section outlines the communication frequency, methods, timeliness and reporting lines for periodic monitoring and in case of a risk event occurrence. The purpose of this communication is to ensure that the following are communicated:

  • Significant changes in existing and trending risks
  • Acceptable tolerance ranges and indicators of risks that are outside of tolerance
  • External and internal events that are impacting risk exposure
  • Key mitigation activities and related status
  • Effectiveness of risk mitigation activities/Key Risk Indicators
  • Risks that require additional investment resources, and,
  • Separate risk dashboards for Risk Committee and Board of Directors can address differences in roles, reporting frequency and format.

[e.g. In the event of “Loss of Funding” due to a global financial crisis affecting private sector performance in Kuwait, the following actions have been taken as a risk response:

  • The Risk Champion has detected the risk from the Risk Indicator.
  • The Risk Champion has escalated the risk to the Risk Management Department
  • The Risk officer requested a meeting with the Risk Committee to report the risk indication and recommend actions based on the agreed risk response.
  • As an agreed risk response, the Risk Committee will draft a proposal to reprioritize XXX funding priorities and get it approved by the Board of Directors to ensure impact is tolerated.]

8.1 Policies

XXX’s risk monitoring and reporting divides into two main activities as follows:

  • Periodic reporting for monitoring current and emerging risks, along with mitigation plans and Key Risk Indicators, and,
  • Ad-hoc reporting based on events occurrence and escalation procedures.

The Risk Champions are responsible for providing the Risk Officer with quarterly reports and dashboards. The risk dashboard should summarize critical risks, root causes, mitigation actions, and risk indicators with their associated thresholds to measure progress on addressing the risks. The template to be used by the Risk Champions when undertaking quarterly reporting to the Risk Management Department is provided in Appendix 5.

The Risk Officer is responsible for providing the Risk Committee with reports and dashboards outlining an overview of critical risks that may impact the organization’s strategy, progress on mitigation actions for those risks, and outstanding issues in addressing the risks. The templates to be used by the Risk Champions when reporting to the Risk Management Department are provided in Appendix 5. The Risk Champions are responsible for day-to-day monitoring of key risk indicators. Where any concern regarding the occurrence of a risk event is raised, an immediate escalation process is to take place. This reporting should go to the appropriate recipient based on the following table:

Risk Rank              | Ownership
Major to Catastrophic  | Board of Directors
Moderate               | Risk Committee
Insignificant to Minor | Risk Champions

The table below summarizes the Risk Monitoring reports and dashboards.

Report                                          | Prepared by                    | Audience       | Frequency
Quarterly Monitoring Report                     | Risk Officer                   | Risk Committee | Quarterly
Quarterly Risk Reporting                        | Risk Officer                   | Risk Committee | Quarterly
Risk Occurrence Report - Major to Catastrophic  | Risk Champion and Risk Officer | Risk Committee | As and when occurred
Risk Occurrence Report - Moderate               | Risk Champion                  | Risk Officer   | Quarterly
Risk Occurrence Report - Insignificant to Minor | Risk Champion                  | Risk Officer   | Annual

8.2 Procedures

The following table outlines the procedure steps in case of a risk occurrence or an indication of occurrence.

Risk Rank: Major to Catastrophic
  1. The Risk Champion sends an urgent request to the Risk Officer for escalation to the Risk Committee for advice on actions based on the agreed Risk Response action steps.
  2. The Risk Officer investigates the causes of the risk occurrence and prepares a detailed report to the Risk Committee for its review and decision making.
  3. The Risk Committee conducts an immediate meeting to decide on actions based on the agreed Risk Response action plans.
  4. The Risk Officer monitors the risk response activities closely with the Risk Champion, and the same is reported on a weekly basis to the Risk Committee until resolution.
  5. The Risk Officer prepares a detailed report of the impact on XXX and rectification actions, if required, in coordination with the Risk Champion and the Risk Owner.

Risk Rank: Moderate
  1. The Risk Champion sends an urgent request to the Risk Officer.
  2. The Risk Officer meets with the Risk Champion and the concerned risk owners to agree on the response actions to be taken.
  3. The Risk Officer investigates the causes of the risk occurrence and prepares a detailed report for the Risk Committee along with the impact on XXX.
  4. The Risk Officer monitors the risk response activity on a weekly basis.
  5. Upon resolution, the Risk Officer prepares a report in coordination with the Risk Champion, along with rectification action steps, to be submitted to the Risk Committee.

Risk Rank: Insignificant to Minor
  1. The Risk Champion takes actions based on the agreed risk response.
  2. The Risk Champion investigates the causes of the risk and prepares a detailed report along with a rectification plan and the impact on XXX.
  3. The Risk Officer reviews the report and monitors rectification on a monthly basis.

8.3 Responsibility Matrix

Activity                                                  | Initiate       | Endorse        | Approve
Escalation of Identified Risks                            | Risk Champions | Risk Officer   | Risk Committee
Risk Monitoring Ad Hoc Reports (Major to Catastrophic)    | Risk Officer   | Risk Committee | Board of Directors
Risk Monitoring Ad Hoc Reports (Moderate)                 | Risk Champions | Risk Officer   | Risk Committee
Risk Monitoring Ad Hoc Reports (Insignificant to Minor)   | Risk Champions | Risk Officer   | Risk Committee
Post Impact Report                                        | Risk Officer   | Risk Committee | Board of Directors

Appendices

Appendix 1 Risk Register sheet

Risk Register Name       | Sheet Number | Risk Register Sheet    | Description
High level Risk Register | 1            | XXX                    | Comprises all risks XXX is exposed to which carry an inherent risk rank of major or catastrophic (Priority Risks)
                         | 2            | Finance                | Comprises all risks related to the Finance Department in XXX
                         | 3            | Human Resources        | Comprises all risks related to the Human Resources Department in XXX
                         | 4            | Information Technology | Comprises all risks related to Information Technology in XXX
                         | 5            | Compliance             | Comprises all risks related to the Compliance Function applicable to XXX

Appendix 2: Impact Measurement Criteria / Risk Parameters

Score 5 – Catastrophic
  • Financial: >= 30% of XXX’s total capital or total investments
  • External Stakeholder: Severe damage to the relationship with the contributing companies and disruption of XXX’s image
  • Internal Stakeholder: Turnover rate of key executives or staff over 50%, critical impact on morale, or severe injury to an employee
  • Reputation: Global and regional media attention. Long term damage to public image (e.g. less than 12 months)
  • Operations: Permanent shutdown of XXX
  • Strategic: Potential complete inability to execute XXX’s strategic plans and objectives

Score 4 – Major
  • Financial: 20 – 30% of XXX’s total capital or total investments
  • External Stakeholder: Decline in satisfaction of the contributing companies of XXX
  • Internal Stakeholder: Turnover rate of key executives or staff between 25% and 50%, critical impact on morale, or severe injury to an employee
  • Reputation: Local media attention relating to corruption/fraud. Long term damage to public image (e.g. less than 12 months)
  • Operations: Temporary shutdown of XXX
  • Strategic: Potential inability to execute any critical element of XXX’s strategic plans and objectives

Score 3 – Moderate
  • Financial: 10 – 20% of XXX’s total capital or total investments
  • External Stakeholder: Inability of XXX to attract external parties
  • Internal Stakeholder: Turnover rate of key executives or staff between 10% and 25%, serious impact on morale, or severe injury to an employee
  • Reputation: Local media attention excluding corruption and fraud. Short term damage to public image (e.g. less than 12 months)
  • Operations: Temporary shutdown of specific activities
  • Strategic: Potential inability to execute any two or more elements of XXX’s strategic plans and objectives

Score 2 – Insignificant
  • Financial: 5 – 10% of XXX’s total capital or total investments
  • External Stakeholder: Decline in the external parties’ satisfaction by 30% or more
  • Internal Stakeholder: Non-recurring loss of key executives or staff, or negative impact on morale
  • Reputation: Internal dissemination of matters that impact reputation within XXX
  • Operations: Inability to run, develop, or deploy specific existing or new activities
  • Strategic: Potential partial inability to execute any one element of XXX’s strategic plans and objectives

Score 1 – Minor
  • Financial: < 5% of XXX’s total capital or total investments
  • External Stakeholder: Decline in the external parties’ satisfaction by less than 30%
  • Internal Stakeholder: No loss of key executives or staff, no impact on morale
  • Reputation: N/A
  • Operations: Minimal impact on the ability to run or develop XXX activities
  • Strategic: Potential temporary or easily remedied inability to execute XXX’s strategic plans and objectives

Appendix 3: Heat Map