Establishing the risk management context

The first step in the risk management process is to establish the context, which includes three parts: the risk management context, the internal context, and the external context.

  • Risk management context: This refers to the organization’s risk management framework, which includes its structure, strategy, and processes for managing risks. The framework should do two things: 1) support the risk management process within the organization, and 2) ensure that the results of risk management are shared with both internal and external stakeholders.
  • Internal context: This is about the organization itself, including its activities, the skills and resources it has, and how it is organized. It also includes internal stakeholders and their expectations. This is essentially the organization’s strengths and weaknesses.
  • External context: This involves the environment in which the organization operates, including its business sector, external stakeholders, and financial conditions. It represents the opportunities and threats the organization faces from outside.

When setting up the context for risk management, it’s important to consider the scope and purpose of the risk management process. The key question is: what is the organization trying to achieve with its risk management efforts? The risk management context also involves determining who will be responsible for managing risks and identifying the resources needed to carry out risk management activities.

Another key part of this context is establishing the organization’s risk appetite (the level of risk it is willing to accept) or risk criteria. This helps decide what controls should be in place and whether the remaining level of risk is acceptable. The context should also allow the organization to assess its overall risk exposure and compare it with its risk appetite and its capacity to carry risk.

The internal context relates to the organization’s culture, the resources available, and how the results of the risk management process will influence behaviour and support risk governance. It includes the organization’s objectives, capacity, capabilities, and core business processes. An important aspect of this is how the organization makes decisions.

The external context involves understanding stakeholder expectations, industry regulations, competitor behaviour, and the broader economic environment. It also considers external trends and factors that could affect the organization’s success and its ability to meet its goals.

External context

Establishing the context is a crucial part of successful risk management and an important early step when implementing any management system standard. For instance, the ISO 9001:2015 quality standard also requires organizations to consider their context during strategic planning. External context involves understanding the expectations of external stakeholders, with customers often being the most important group for many organizations. The external context is shaped by who the customers are and what products or services the organization offers them. Considering the needs of customers is a key part of the organization’s business model, which is closely tied to risk management. Once the expectations of external stakeholders are clear, the organization can look more closely at the factors influencing the external environment. The FIRM risk scorecard (financial, infrastructure, reputational, marketplace) can help structure a detailed evaluation of the organization’s context. Its reputational and marketplace headings relate to the external context, while its financial and infrastructure headings relate to the internal context.

The reputational part of the external context for an organization refers to how others view the company, how willing customers are to do business with it, and how well it retains customers. When assessing reputation, the following factors should be considered:

  • Public opinion about the industry the company is in.
  • How well the company meets corporate social responsibility (CSR) standards.
  • The level of governance standards and whether the industry is highly regulated.
  • The quality of the products or services and the standards of after-sales service.

The marketplace component of the external environment focuses on the organization’s position in the market, which affects customer spending. When evaluating this, consider:

  • Revenue generated in the market and the return on investment.
  • The presence of strong competitors or high customer expectations.
  • The level of economic stability, including risks from interest and foreign exchange rates.
  • The complexity of the supply chain and fluctuating raw material costs.
  • Risks from international disruptions, such as political risks, war, or terrorism.

The FIRM risk scorecard is one way to assess an organization’s external environment, but other methods like a SWOT analysis (which looks at strengths, weaknesses, opportunities, and threats) can also be used. The main goal of evaluating the external context is to understand the level of risk in the environment where the organization operates. This helps the organization confirm if its current business model is still appropriate and develop strategies and tactics for future success.

Internal context

When setting up the internal context of an organization, it’s important to consider the expectations of internal stakeholders. These stakeholders include the people the organization depends on most, such as employees and those providing outsourced or contracted services. After identifying their expectations and their importance to the organization’s operations and compliance, you can look more closely at the factors influencing the internal environment. The FIRM risk scorecard helps with this detailed evaluation. The financial and infrastructure parts of the scorecard relate mainly to the internal context, while reputation and marketplace focus on the external context.

The financial part of an organization’s internal context refers to how money is managed and how profits are made. When assessing this, consider:

  • Whether there are enough funds to support strategic plans.
  • If there are solid procedures for properly allocating money for investments.
  • How strong the internal financial controls are to prevent fraud.
  • Whether there are enough funds to cover past and future liabilities.

The infrastructure component also affects the internal context, as it shapes the organization’s internal processes. Infrastructure risks are those that would cause those processes to fail or to run inefficiently. When evaluating this, consider:

  • The structure of senior management and the organization’s risk culture.
  • Whether there are enough skilled people and intellectual property.
  • Whether there are enough physical assets to support operations.
  • Whether the IT infrastructure is robust enough to provide resilience and to protect the data it holds.
  • Whether there are business continuity plans to keep things running after a major disruption.
  • If there are reliable systems for service delivery, transportation, and communication.

The FIRM risk scorecard is one way to evaluate an organization’s internal context, but other methods, like a SWOT analysis, can also be used. Many organizations also apply the PESTLE framework, which looks at political, economic, social, technological, legal, and environmental/ethical risks. Some of these factors relate to the external environment, some to the internal, and some to both. There are many tools and checklists available to help identify the external and internal risks an organization faces. The specific method used is less important than making sure all relevant risks are identified. This helps confirm that the current business model, its resources, and its resilience are appropriate.

Risk management context

The risk management context looks at the organization’s risk architecture, strategy, and protocols (RASP). The RASP defines the structure of the risk management context and how the components of that context are implemented to achieve the desired benefits from the enterprise risk management (ERM) initiative. It’s important that the risk management context supports the organization’s strategy and helps build a risk-aware culture. A good risk-aware culture is built on leadership, involvement, learning, accountability, and communication (LILAC).

A key part of the risk management context is the mandate given by senior management, which outlines the scope and authority for managing risks within the organization. This mandate, assigned to roles like the risk manager or head of internal audit, should be clearly defined in the organization’s risk management policy. The organization’s risk attitude and risk appetite, set by the risk criteria for different risks, help shape the risk management context and guide the risk assessment process. These assessments are recorded in a risk register, and how this information is communicated across the organization also influences the risk management context. The success of an enterprise risk management (ERM) initiative largely depends on how well it is implemented. The PIML (Plan, Implement, Measure, Learn) model is useful for guiding this implementation.

The risk management context should support the organization’s success and align with the expectations of both internal and external stakeholders. It should also be capable of identifying emerging risks, which are often unpredictable. A risk radar mechanism is needed to provide early warnings and timely reviews of emerging risks. This system should also help the organization spot future opportunities. In summary, the organization must identify important factors from the external, internal, and risk management context that could affect it. It should gather and analyze information, assess risks and opportunities, and take the right actions to manage risks and seize opportunities. All of this should be documented in the risk architecture, strategy, and protocols (RASP).

Architecture, strategy and protocols

This section explains the risk architecture, strategy, and protocols (RASP) for an organization. RASP outlines the risk management framework, which helps define the risk management context. The most important part of RASP is the risk management policy statement, which sets the organization’s overall approach to managing risk. Other parts of the risk management manual describe the roles and responsibilities related to risk management and outline the procedures to follow (protocols). The risk architecture, strategy, and protocols create a framework that supports the risk management process. This framework should include the objectives, mandate, and commitment to manage risk (strategy), the organizational structure, plans, relationships, accountabilities, and processes (architecture), and it should be integrated into the organization’s overall strategic and operational policies (protocols). In short, the RASP represents the context for risk management within the organization. The risk strategy is often presented as a brief, one-page statement outlining what the organization aims to achieve in terms of managing risk.

Risk management architecture
  • Documentation and record-keeping
  • Roles and responsibilities
  • Internal reporting requirements
  • External reporting controls
  • Risk management assurance arrangements

Risk management strategy
  • Risk management philosophy
  • Arrangements for embedding risk management
  • Risk appetite and attitude to risk
  • Benchmark tests for significance
  • Specific risk statements/policies
  • Risk assessment techniques
  • Risk priorities for the present year

Risk management protocols
  • Tools and techniques
  • Risk classification system
  • Risk assessment procedures
  • Risk control rules and procedures
  • Responding to incidents, issues and events
  • Documentation and record keeping
  • Training and communications
  • Audit procedures and protocols
  • Reporting/disclosures/certification

The risk management policy is usually part of a larger risk management manual in many organizations. Large organizations often document their risk protocols as a set of guidelines. The guidelines needed will depend on the organization’s size, type, and complexity. The types of documents that need to be maintained include:

  • Records for risk management administration,
  • Risk response and improvement plans,
  • Event reports and related recommendations,
  • Reports on risk performance and monitoring.

One key document organizations use in their risk management efforts is the risk register, which can be used for different purposes, including operational, project, and strategic planning. It’s crucial for risk management and internal audit to work closely together. Risk management focuses on assessing risks and identifying controls, while internal audit evaluates and tests the effectiveness of those controls. For a risk management program to succeed, cooperation and understanding between these two functions are essential. The RASP should explain how this cooperation will work in practice. The risk architecture outlines how risk information is communicated within the organization. The risk strategy defines the organization’s overall goals related to risk management. The risk protocols are the systems, standards, and procedures put in place to carry out the risk strategy. The risk architecture is part of the risk management framework, which in turn is part of the organization’s broader risk governance structure.

XYZ Corporation Risk Management Policy

1. Purpose

The purpose of this policy is to establish a structured approach to managing risk at XYZ Corporation. This ensures that risks are identified, assessed, managed, and monitored effectively to support our strategic goals and safeguard our assets, reputation, and stakeholders.

2. Scope

This policy applies to all employees, departments, and operations at XYZ Corporation. It covers all forms of risk that could impact our ability to achieve our objectives, including strategic, operational, financial, legal, and reputational risks.

3. Objectives

The objectives of XYZ Corporation’s risk management process are to:

  • Identify and evaluate risks that could affect our business.
  • Minimize the impact of risks by implementing appropriate controls.
  • Ensure risks are aligned with the company’s risk appetite.
  • Encourage a proactive risk-aware culture.
  • Provide a structured framework for risk management that integrates with our corporate governance and decision-making processes.

4. Risk Management Framework

XYZ Corporation adopts the RASP approach (Risk Architecture, Strategy, and Protocols):

  • Risk Architecture: Defines roles and responsibilities for managing risk throughout the organization.
  • Risk Strategy: Sets our approach to managing risk to achieve business objectives, balancing risk and reward.
  • Risk Protocols: Establishes the processes for risk identification, assessment, mitigation, reporting, and monitoring.

5. Roles and Responsibilities

  • Board of Directors: Oversees risk management efforts and ensures risks are managed within agreed risk appetite levels.
  • Risk Committee: Monitors risk exposure and ensures that risk management activities are being carried out effectively.
  • Risk Manager: Coordinates risk management activities, maintains the risk register and reports to senior management and the Board.
  • Employees: Responsible for identifying and managing risks within their areas of responsibility.

6. Risk Appetite

XYZ Corporation will only accept risks that support its strategic objectives. Risk tolerance levels are set for different categories of risk and are regularly reviewed by the Risk Committee.

7. Risk Management Process

The risk management process involves the following steps:

  • Risk Identification: Identifying potential risks that may affect the company’s objectives.
  • Risk Assessment: Evaluating the likelihood and impact of identified risks.
  • Risk Mitigation: Developing strategies to manage or reduce risks to acceptable levels.
  • Monitoring and Reporting: Continuously monitoring risks and reporting significant changes to the Risk Committee.

8. Monitoring and Review

This policy will be reviewed annually or more frequently if needed to ensure it remains relevant and aligned with the company’s objectives.

Risk architecture

The organization’s structure for managing risk is called the risk architecture. It outlines how information about risks is communicated and reported. The risk architecture must make clear who owns each risk and that the owner is accountable for managing it. To make sure risk management is part of the organization’s main operations, it’s necessary to state explicitly who is responsible for managing each risk. For each major risk, responsibilities should be assigned for the following:

  • Developing the risk strategy and standards,
  • Implementing the agreed standards and procedures,
  • Auditing compliance with the set standards.

The risk architecture helps identify which committees are responsible for managing risk and how they interact with each other. It includes details about the purpose, membership, and responsibilities of these committees, as well as how they share risk information. The architecture also outlines which reports are received by each committee and which reports they are responsible for submitting. A key part of the risk architecture is ensuring that risk escalation procedures, like whistleblowing policies, are in place. Organizations should differentiate between static documents, like the risk management manual (which records processes and procedures), and dynamic documents, like the risk register, which tracks ongoing actions and improvements. Essentially, the risk register serves as the risk management action plan.

The risk architecture should be outlined in the organization’s risk management manual. It should also include the terms of reference for various committees and a schedule of risk management activities, which should align with other company activities. The role of the audit committee and the head of internal audit is crucial in implementing the organization’s risk management strategy. Large organizations must ensure that all disclosed information is accurate, which often leads to the formation of a disclosure committee. This committee verifies the source and accuracy of all disclosed information, especially financial data. The risk architecture outlines the committee hierarchy and responsibilities related to risk management and internal control, with the corporate risk management committee handling executive risk management tasks.

Risk management responsibilities at the divisional or unit level should be given to divisional management. They are in charge of identifying key risks, maintaining the division’s risk register, and ensuring that appropriate controls are in place. The group risk management committee should guide divisional management. If a divisional risk committee exists, it should report to the group risk management committee so that an overall view of risk priorities is maintained. Reporting structures can vary with the organization’s risk level and complexity. In high-risk industries like finance, the risk committee may report directly to the board, often led by the finance director with senior board members involved. Generally, the risk management committee should consist of executive directors, as managing risk is an executive task, while non-executive directors focus on audit and risk assurance. Typically, the risk management committee will report to the audit committee, where non-executive directors can review risk performance and gain assurance.

For organizations not operating in a high-risk environment, it may not be necessary for the risk committee to report directly to the main board. Instead, the risk committee could be a sub-committee of the executive or operations committee. The structure for managing risk should match the organization’s risk level, size, complexity, and exposure. There is no single “correct” way to design a risk architecture. As long as the risk committee achieves its goals, the organization can decide on its membership and roles. However, managing risk is an executive responsibility, while audit tasks should be overseen by non-executive directors.

Risk management strategy

An organization needs a clear plan for managing risks. This plan, called the risk management strategy, is set out in the organization’s risk management policy and should reflect the organization’s overall approach to handling risks. A key part of this plan is ensuring that risk management is involved in strategy, tactics, operations, and compliance (STOC). To create the strategy, the organization must decide on its risk appetite, which balances opportunities, control measures, and risk tolerance. The risk appetite should not exceed the organization’s capacity to carry risk, so decisions must be made on how that capacity is calculated and how total risk exposure is tracked against it. Managing the total risk exposure is an important part of operational risk management. The organization must decide on the risk management processes it will use and how it will design and implement its risk management efforts to meet the strategy’s goals. The strategy will also state what the organization wants to achieve in terms of risk management, including the desired level of risk maturity and the expected contributions from risk management. In short, the strategy ensures that risk management activities align with the organization’s broader goals and contribute effectively to them.

Risk management protocols

Risk management protocols are the specific guidelines, procedures, and standards an organization follows to manage risks. They ensure that risk management practices are consistent, organized, and aligned with the organization’s overall strategy, and that all staff know their roles and the actions required of them. The key elements typically included in risk management protocols are:

  • Risk Identification Process:
    • Guidelines on how to identify potential risks that could impact the organization.
    • Tools and methods to be used (e.g., risk assessments, risk registers, brainstorming sessions, SWOT analysis).
  • Risk Assessment:
    • Procedures to assess and prioritize risks based on their likelihood and potential impact.
    • Use of risk scoring methods (e.g., qualitative or quantitative analysis).
  • Risk Response and Treatment:
    • Clear steps on how the organization will respond to identified risks.
    • Options like avoiding, transferring, mitigating, or accepting risks.
    • Procedures for developing risk treatment plans to reduce risks to an acceptable level.
  • Risk Monitoring and Reporting:
    • Guidelines for ongoing monitoring of risks to ensure that they remain within acceptable limits.
    • Protocols for updating risk registers and other documentation.
    • Regular reporting structures to ensure that senior management is kept informed about the current risk status.
  • Roles and Responsibilities:
    • Clear allocation of responsibilities to individuals or teams for risk management tasks.
    • Establishing roles for risk owners, risk managers, and committee members who monitor risks at different levels (e.g., project, departmental, organizational).
  • Communication Protocols:
    • Procedures for communicating risk-related information both internally (within departments or teams) and externally (to stakeholders or regulators).
    • Ensuring transparency and consistency in communication about risks, particularly in emergencies.
  • Internal Controls and Audit:
    • Specific internal control measures that will be implemented to prevent or reduce risks.
    • Regular audits or checks to ensure that controls are functioning correctly and risks are managed effectively.
  • Crisis and Emergency Response Plans:
    • Guidelines for responding to crises or unforeseen events, including clear steps for managing emergencies.
    • Protocols for business continuity and disaster recovery plans.
  • Risk Documentation:
    • Requirements for maintaining accurate records related to risk management activities, such as risk assessments, incident reports, risk mitigation actions, and audits.
  • Review and Improvement:
    • Procedures for regularly reviewing risk management processes and protocols to ensure they remain effective.
    • Mechanisms for updating protocols based on lessons learned or changes in the organization’s risk environment.
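The assessment, treatment and monitoring elements above, together with the earlier point that total exposure must be tracked against risk appetite and capacity, can be encoded so that every register entry is scored the same way and compared with the stated appetite automatically. The Python below is an added example, not code from the page or from any organization it describes. The 5x5 likelihood/impact scale, the per-category appetite figures, the capacity figure, the rating bands, and the sample risks and owners are all constructed assumptions for illustration; the point is the decision logic (accept, treat, or escalate) and the aggregate capacity check, which a risk manager would otherwise apply by hand.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed 5-point scale for both likelihood and impact (1 = very low, 5 = very high).
SCALE = range(1, 6)

# Risk appetite per category, expressed as the maximum acceptable residual score
# (likelihood x impact, so 1..25). Figures are assumptions, not values from the page.
RISK_APPETITE = {
    "strategic": 12,
    "operational": 9,
    "financial": 6,
    "legal": 4,
    "reputational": 4,
}

# Assumed risk capacity: the total residual score the organization can carry.
RISK_CAPACITY = 40


@dataclass
class Risk:
    """One line of the risk register: inherent and residual scoring plus ownership."""
    risk_id: str
    title: str
    category: str
    owner: str
    inherent_likelihood: int
    inherent_impact: int
    residual_likelihood: int
    residual_impact: int
    controls: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        for name in ("inherent_likelihood", "inherent_impact",
                     "residual_likelihood", "residual_impact"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{self.risk_id}: {name} must be in 1..5")
        if self.category not in RISK_APPETITE:
            raise ValueError(f"{self.risk_id}: no appetite defined for {self.category!r}")
        # Controls can only reduce risk: residual may never exceed inherent.
        if self.residual_score > self.inherent_score:
            raise ValueError(f"{self.risk_id}: residual score exceeds inherent score")

    @property
    def inherent_score(self) -> int:
        return self.inherent_likelihood * self.inherent_impact

    @property
    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact


def rating(score: int) -> str:
    """Qualitative band for a 1..25 score (assumed banding)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def assess(risk: Risk) -> dict:
    """Compare residual risk with the category appetite and decide the response.

    accept   - within appetite: owner monitors only
    treat    - above appetite: owner must add or strengthen controls
    escalate - above appetite and rated high: reported to the risk committee
    """
    appetite = RISK_APPETITE[risk.category]
    residual = risk.residual_score
    if residual <= appetite:
        action = "accept"
    elif rating(residual) == "high":
        action = "escalate"
    else:
        action = "treat"
    return {"risk_id": risk.risk_id, "owner": risk.owner, "category": risk.category,
            "inherent": risk.inherent_score, "residual": residual,
            "rating": rating(residual), "appetite": appetite,
            "within_appetite": residual <= appetite, "action": action}


def assess_register(register: list[Risk]) -> dict:
    """Assess every risk, then compare total residual exposure with capacity."""
    results = [assess(r) for r in register]
    exposure = sum(r["residual"] for r in results)
    return {"risks": results,
            "total_residual_exposure": exposure,
            "capacity": RISK_CAPACITY,
            "within_capacity": exposure <= RISK_CAPACITY,
            "escalations": [r["risk_id"] for r in results if r["action"] == "escalate"],
            "treatments": [r["risk_id"] for r in results if r["action"] == "treat"]}


# Constructed sample register: hypothetical risks, owners and controls.
SAMPLE_REGISTER = [
    Risk("R-001", "Ransomware on core file servers", "operational", "Head of IT",
         4, 5, 3, 5, ["offline backups", "EDR", "MFA on admin accounts"]),
    Risk("R-002", "Key supplier insolvency", "financial", "CFO", 3, 4, 2, 3, ["dual sourcing"]),
    Risk("R-003", "Customer data breach via web application", "reputational", "CISO",
         3, 5, 2, 4, ["annual pentest", "WAF"]),
    Risk("R-004", "Loss of key engineering staff", "strategic", "HR Director",
         3, 3, 2, 3, ["retention plan"]),
]

if __name__ == "__main__":
    report = assess_register(SAMPLE_REGISTER)
    for row in report["risks"]:
        print(f"{row['risk_id']} {row['category']:<12} residual={row['residual']:>2} "
              f"appetite={row['appetite']:>2} -> {row['action']}")
    print("exposure", report["total_residual_exposure"], "of", report["capacity"],
          "within capacity:", report["within_capacity"])
```

With the sample data, R-001 (residual 15 against an operational appetite of 9) is escalated, R-003 (residual 8 against a reputational appetite of 4) needs treatment by its owner, and the other two are accepted; total residual exposure of 35 sits inside the assumed capacity of 40. Separating inherent from residual scoring is what lets internal audit later test whether the listed controls really earn the claimed reduction.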

The risk management manual will outline who is responsible for managing risks and how the risk policy will be put into action. Risk management protocols will be provided through various procedures and guidelines. Written procedures for assessing risks related to strategy, projects, and operations must be established. The organization will also need to specify how often risk reports should be created, what information they should include, and who will be responsible for preparing them. Typically, risk management protocols should be reviewed annually to ensure they stay current. The protocols should also explain the level of record-keeping required. A wide range of risk management documents might be needed. These protocols describe the activities involved in risk management, specifying what actions need to be taken and how they should be carried out. Risk management guidelines usually indicate the standards that should be met and, in some cases, outline the controls in place, especially for procedures that must be followed. These procedures offer guidance for directors, managers, and staff within the organization.

Risk management protocols

  1. Risk assessment procedures
    • Governance procedures
    • Response to significant risks
    • Projects and CapEx approvals
    • Procedures for strategy and budgets
  2. Risk control objectives
    • Brand management guidelines
    • Health and safety at work
    • Environmental protection
    • Contract risk management
  3. Risk resourcing arrangements
    • Opportunity management
    • Project resource allocation
    • Insurance programme
    • Captive insurance company
  4. Reaction planning requirements
    • Loss and claims management
    • Disaster and recovery planning
    • Cost containment procedures
    • Risk management record keeping
  5. Risk assurance systems
    • Maintenance of risk register
    • Corporate RM committee
    • Terms of reference for audit committee
    • Control self-certification arrangements

Risk management manual

The amount of documentation an organization produces for risk management will differ based on the level of risk it faces. The documentation should match the organization’s risk level and follow risk management principles. Whatever is created needs to be organized in a way that fits the organization and aligns with its other activities. The first section of the risk management manual is the risk management policy, which outlines the organization’s risk strategy. This policy sets the intent and provides the context for risk management. It should help the organization implement risk management successfully.

The manual contains all responsibilities, procedures, protocols, and guidelines related to the risk management process and framework. It outlines how to carry out the activities specified in the risk guidelines. These guidelines might be kept in separate documents for easier updates. The manual will also include the organization’s risk management strategy and details on how performance will be monitored, reported, and communicated. Essentially, it defines the framework for risk management activities.

Various risk management protocols or guidelines will need to be created, providing instructions on how they should be interpreted and followed. These protocols act as standing instructions for risk management, often requiring record-keeping, like maintaining a risk register. The specific risk management protocols or guidelines will include:

  • Procedures for assessing risks
  • Objectives for controlling risks
  • Risk resourcing arrangements
  • Reaction planning requirements
  • Risk assurance systems

The framework for managing risks, or risk architecture, should be set out in the risk management manual. Individual companies within a group are then expected to follow this framework and to set up their own additional procedures and protocols where needed. The risk management manual should cover at least the following:

  • The board member responsible for risk management
  • How the organization talks about and understands risk
  • The process for identifying significant risks
  • The roles of the risk manager and internal auditors
  • Terms of reference for the risk management committees
  • The structure or risk architecture for managing risks

Many organizations update their risk management manual every year, even if the overall strategy stays the same. This is done to ensure that risk management activities stay aligned with best practices. Updating the manual, including the policy, also helps the organization highlight risk priorities for the year and make sure important risks get the right attention. By issuing an updated policy annually, the board remains focused on risk management, and the organization understands that managing risk is an ongoing process that requires continuous attention. In simple terms, a risk management manual should include these sections:

  • Objectives for managing risks and internal controls
  • The organization’s overall approach to risk (risk strategy)
  • Overview of the control environment
  • The acceptable level and type of risk
  • The structure and setup for managing risks (risk architecture)
  • How risk information is communicated
  • Standard steps for identifying and evaluating risks (risk assessment)
  • List of documents for analyzing and reporting risks (risk protocols)
  • Requirements for managing risks and control methods
  • Who is responsible for managing different risks
  • How risks will be monitored and compared to standards
  • Resources allocated for managing risks
  • Risk priorities and goals for performance
  • A calendar of risk management activities for the upcoming year

Risk management documentation

Risk management documentation refers to the collection of records, reports, and guidelines that an organization uses to manage risks effectively. The extent of this documentation can vary depending on the organization’s size, complexity, and risk exposure. Key elements of risk management documentation typically include:

  • Risk Management Policy: Outlines the organization’s risk strategy, objectives, and approach to risk management.
  • Risk Register: A dynamic record listing identified risks, their assessments, and controls. It tracks risk status and mitigation actions.
  • Risk Assessment Procedures: Guidelines for identifying, assessing, and evaluating risks across various operations, projects, or strategies.
  • Risk Response Plans: Documents outlining actions to mitigate, transfer, avoid, or accept specific risks.
  • Internal Control Documentation: Records of procedures and controls in place to manage risks and ensure compliance.
  • Risk Performance Reports: Reports monitoring the effectiveness of risk controls and the overall risk management system.
  • Event Reports and Recommendations: Documentation of risk events, lessons learned, and any changes implemented as a result.
  • Risk Management Guidelines: Standards, systems, and processes that provide detailed instructions for managing and controlling risks.
  • Risk Committee Reports: Records from meetings detailing risk discussions, decisions, and escalation processes.
  • Audit and Review Reports: Evaluations of risk controls, testing their effectiveness, and identifying areas for improvement.
  • Training and Communication Records: Documentation of risk-related training and communication activities within the organization.

This documentation helps ensure a structured approach to risk management, enabling clear communication, proper oversight, and continuous improvement.

Creating a risk management manual, including the policy statement, is a good opportunity for an organization to outline clear procedures on various risk management topics and set risk management priorities for the upcoming year. For instance, many organizations produce annual health, safety, or environmental policies, and these should be part of the risk management documentation.

Some organizations face major risks that require regular or constant attention. This is especially true for hazard risks, where policies like health and safety, business continuity plans, and disaster recovery plans need frequent updates. Many organizations document their risk guidelines in writing, while others may take a more informal approach to embedding risk management into daily activities.

The risk guidelines often include details about the organization’s risk management structure, strategy, and protocols. They should also clarify managers’ responsibilities for internal controls. While the guidelines don’t have to list specific control standards, they should explain how decisions on risk control will be made, implemented, and monitored. Given the diversity within large organizations, risk guidelines cannot cover physical control standards for every unit, division, or department. Each part of the organization should set its own risk control standards for areas like health and safety, fire safety, security, information protection, and environmental protection.

The risk guidelines should outline how risk management will be integrated throughout the organization. Strategy, standards, and procedures must be defined within the framework of these guidelines. The format and content of the guidelines will depend on the organization and its risk exposure but should typically include information on:

  • Physical risk control goals and responsibilities
  • Financial and authorization procedures
  • Insurance arrangements
  • Managers’ control responsibilities
  • Project risk management
  • Incident reporting and investigation
  • Event response and action planning

Types of RM documentation

Risk governance:
  • Risk management policy (and priorities)
  • Specific risk statements (health and safety policy)
  • Terms of reference of the risk/audit committees
  • Risk protocols and procedures
  • Risk awareness training records

Risk response:
  • Results of risk assessments (risk register)
  • Risk control standards
  • Risk improvement recommendations
  • Risk assurance reports
  • Business continuity plans/disaster recovery plans

Event reports:
  • Loss/claim reports and recommendations
  • Legal and litigation reports
  • Enforcement action/customer complaints
  • Incident and near-miss investigations
  • Business performance reports/key performance indicators

Risk performance:
  • Control risk self-assessment (CRSA) returns
  • Audit procedures and protocols
  • Internal audit reports
  • Unit risk management reports
  • External disclosure reports

To successfully embed risk management in an organization, it’s essential to keep various records related to risk management activities, such as:

  • Risk management administration
  • Risk response and improvement plans
  • Event reports and recommendations
  • Risk performance and certification reports

Risk management becomes fully integrated when these activities align with the organization’s planning cycle. The main goal of the risk guidelines is to help managers understand the organization’s risk management framework. This understanding ensures they consider risks when making decisions. The guidelines also provide practical advice for managers on how to fulfill their risk management duties. Keeping the right records is important to show that the risk guidelines are being followed. The aim is not to make record-keeping overly complicated, but enough records must be maintained to inform decision-making, provide managers with the right guidance, and assure auditors that the necessary controls are in place. There are many advantages to managing records effectively. Good records management increases efficiency and offers several business benefits, including:

  • Reducing the time spent searching for information
  • Making it easier to share information
  • Avoiding unnecessary duplication of information
  • Clarifying how long records should be kept
  • Enhancing the legal strength of records to defend against litigation
  • Supporting risk management and business continuity

In short, records management improves control over information, saves staff time and resources, and helps protect both individuals and the organization from various risks. It also prevents over-reliance on the memories of a few people.

The main reason for conducting a risk assessment is to check if current controls are effective and to identify any additional actions needed to improve risk management. The risk register is used to record details about current controls and planned improvements. However, the risk register should not be a static document; it needs to be dynamic, serving as a risk action plan for a department or the whole organization. Along with the risk response plans, information about who is responsible for specific controls should be documented. If new controls are needed, deadlines and responsibility for their implementation must be recorded as well. For hazard and control risks, the risk register is where details about significant threats are noted. Improvement plans for managing these risks often require capital investment, which may need approval according to the organization’s expenditure rules. It is now common practice to create a risk register for projects, especially in construction and software development, as these projects involve a lot of uncertainty. The risk register should remain dynamic, tracking actions taken to reduce uncertainty and planning further actions. One criticism of risk registers is that they are only updated once or twice a year, providing a static snapshot of risks. For risk management to be effective, it must be an ongoing process that leads to meaningful changes. The risk register should drive improvements and may be better referred to as the “risk management action plan.”

Event reports and recommendations are also important for managing risk, as they document incidents, assess their impacts, and recommend improvements to prevent future issues. These records are especially important for hazard and control risks. Analyzing incidents and business operations can highlight weaknesses and suggest ways to eliminate future risks. Tracking events, particularly in projects, is crucial. Annual evaluations of risk performance also generate reports that require careful analysis, and internal audit plays a key role in this evaluation process.

Risk performance and certification reports involve reviewing and analyzing both early reports on the company’s operations and formal certified reports for stakeholders. Sometimes, these certified reports are required as formal proof of the company’s operational results, like under the Sarbanes-Oxley Act for financial reporting. This certification is often done by an external auditor and may also include evaluating the effectiveness of the company’s control measures. Management is particularly interested in risk performance, especially when the company faces a range of risks that bring the total risk exposure near its risk appetite or capacity. For example, if a company has budgeted for a certain amount of loss due to hazard risks, close monitoring is necessary to ensure that actual losses do not exceed this limit. In situations where the tolerance for hazard risk is low, it’s crucial for the organization to track losses carefully. For instance, a transport company would need to keep a close watch on vehicle accidents and breakdowns to manage risk exposure properly.

Risk register

A risk register is a tool used to document and track risks within an organization. It records important details about each risk, such as current controls in place, potential consequences, and any planned actions to further mitigate or manage the risk. The risk register serves as a dynamic document that helps guide the organization’s response to risks, making it more of an “action plan” rather than just a static list. Key elements typically included in a risk register are:

  • Description of risks: An explanation of each identified risk.
  • Current controls: Existing measures in place to manage or reduce the risk.
  • Responsibility: Identifies the person or team responsible for managing the risk.
  • Planned actions: Additional steps to improve risk control, along with deadlines for implementation.
  • Risk rating: How likely the risk is to occur and the potential impact if it does.
  • Status: Regular updates on the progress of managing each risk.

In some industries, such as construction or software development, risk registers are commonly used to manage project risks. To be effective, the risk register should be regularly updated and actively used to drive risk management efforts, rather than just reviewed once or twice a year. In this way, it helps ensure risks are continuously monitored, managed, and reduced. When a risk assessment is undertaken of strategic options, it is more usual for the risk assessment to be used as part of decision-making activities. Typically, this information will not be recorded in the format of a risk register, but will be presented to the decision maker as part of the full range of information available for making that strategic decision. The purpose of the risk register is to form an agreed record of the significant risks that have been identified. Also, the risk register will serve as a record of the control activities that are currently undertaken. It will also be a record of the additional actions that are proposed to improve the control of the particular risk. Other information about risks will also be included in the risk register.

Using risk registers has become a common practice for many risk managers, but there are some drawbacks. One issue is that the information in the register might not be actively used, turning it into a static record instead of an action plan. A risk register is a document that records identified risks and the risk management process. Its purpose is to assign ownership and ensure proper management of each risk. A risk register typically focuses on the major risks faced by the organization or a specific project. It records the outcomes of risk assessments related to a process, operation, business unit, or project. When assessing strategic options, the risk assessment is usually part of the decision-making process, but not always recorded in the same format as a risk register. Instead, it’s presented as part of the information needed for the decision. The goal of the risk register is to keep an agreed record of the significant risks, the current control measures, and any additional actions planned to improve the management of each risk.

A well-organized and active risk register is key to successful risk management. However, there’s a risk that the register could become a static document, merely capturing the status of risks at a certain point. This could lead senior management to think that attending a risk workshop and creating the register is enough, with no further action needed. Instead, the risk register should be treated as a living “risk action plan” that not only tracks the organization’s current risk management but also lists the essential controls in place and any additional controls required. This way, responsibilities for implementing actions are clearly defined. Some organizations use a Risk Management Information System (RMIS) to manage the data in the risk register, or they make it accessible through the company intranet to enhance understanding and communication. In certain cases, the risk register is treated as a controlled document, reviewed by internal auditors during audits of risk management processes. Regardless of its formal status, the risk register must be carefully prepared. Risks should be clearly defined, including the cause, source, event, impact, and size of any risk event. Existing controls and proposed improvements should also be precisely recorded to allow for proper auditing. This is especially important for daily operations, but risk registers are also essential for projects and strategic decisions. Project risk registers should be regularly updated and reviewed at every project meeting. For business decisions, the format of a risk register may be less formal, but it’s still important. For major decisions, the risk assessment should be attached to proposals, showing both the risks of proceeding with the strategy and the risks of not moving forward. Similarly, a risk register should accompany business plans to highlight risks that could affect success. The board will likely review the risk register quarterly or more often if major changes arise, ensuring it remains active and up to date, and that necessary actions are taken and reported.

Finance Department Risk Register (Oil and Gas Industry)

| Risk ID | Risk Description | Risk Category | Impact | Likelihood | Current Controls | Proposed Actions | Risk Owner | Deadline | Status |
|---|---|---|---|---|---|---|---|---|---|
| F01 | Volatility in oil prices impacting cash flow and profitability | Financial | High | Likely | Regular monitoring of global oil prices; hedging strategies to stabilize price fluctuations | Increase hedging limits; diversify revenue streams | Finance Manager | Q4 2024 | In progress |
| F02 | Foreign exchange (FX) risk due to international contracts | Market | Medium | Possible | FX forward contracts in place; monitoring exchange rates daily | Explore new FX derivatives; adjust contract terms for high-volatility currencies | Treasury Head | Q3 2024 | Ongoing |
| F03 | Tax regulation changes in key operating countries | Regulatory | High | Unlikely | Annual review of tax policies by external consultants; compliance with international tax laws | Conduct scenario analysis for potential tax law changes; lobby for stable tax regulations | Tax Compliance Officer | Q1 2025 | Under review |
| F04 | Credit risk due to counterparty defaults | Credit | Medium | Possible | Credit assessment and limits set for all counterparties; use of trade credit insurance | Tighten credit assessments for high-risk clients; diversify client base | Credit Risk Analyst | Q4 2024 | Active |
| F05 | Delays in capital projects impacting financial forecasting | Operational | High | Likely | Regular financial updates on project milestones; contingency planning | Improve collaboration with operations team for accurate updates; adjust cash flow models to account for delays | Project Finance Lead | Q2 2024 | Delayed |
| F06 | Cybersecurity breach affecting financial systems | Operational | High | Possible | Secure financial systems with firewalls, encryption, and multi-factor authentication; regular IT audits | Implement continuous threat monitoring; invest in advanced cyber defenses | IT Security Officer | Q3 2024 | In progress |
| F07 | Liquidity risk due to sudden market downturns | Financial | High | Possible | Maintain a liquidity buffer; access to credit lines from multiple banks | Reassess liquidity levels monthly; strengthen relationships with lenders | CFO | Q2 2024 | Ongoing |
| F08 | Non-compliance with financial reporting standards (IFRS, GAAP) | Regulatory | Medium | Unlikely | Regular training for finance staff on reporting standards; use of audit firms for compliance checks | Update internal financial policies; conduct frequent internal audits | Financial Controller | Q1 2025 | Planned |
| F09 | Impact of geopolitical risks on asset valuation | Strategic | High | Possible | Regularly review geopolitical updates; conduct country risk assessments | Increase focus on stable markets; adjust asset valuation models for geopolitical risks | Risk Manager | Q4 2024 | Ongoing |
| F10 | Fraudulent activities affecting financial integrity | Fraud | High | Unlikely | Strong internal controls, including separation of duties and regular audits; whistleblower policy in place | Implement stronger fraud detection software; increase frequency of internal audits | Internal Audit Head | Q2 2024 | Active |

Key Points:

  • Risk ID: Unique identifier for each risk.
  • Risk Description: Brief description of the risk.
  • Risk Category: Type of risk (Financial, Market, Regulatory, Operational, etc.).
  • Impact: Assessment of how severe the risk’s effect would be (Low, Medium, High).
  • Likelihood: Probability of the risk occurring (Unlikely, Possible, Likely).
  • Current Controls: Actions or measures currently in place to manage the risk.
  • Proposed Actions: Additional steps to further mitigate or control the risk.
  • Risk Owner: Person responsible for overseeing the management of the risk.
  • Deadline: Target date for the completion of mitigation actions.
  • Status: Ongoing updates on the current state of risk management actions (In progress, Delayed, Active, etc.).
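As an added example (not the article's own material), here is a small Python model of the register above treated as a living action plan: it rates each entry from impact and likelihood, rejects entries that lack an owner or a well-formed deadline, and lists the open actions that are overdue at a given review date. The field names, the "Qn YYYY" quarter-end rule and the 3x3 rating matrix are assumptions; the records are copied from the finance register, plus one constructed incomplete entry.

```python
# Added example (not from the original article). Field names, the
# "Qn YYYY" -> quarter-end rule and the 3x3 rating matrix are assumptions;
# records come from the finance register above plus one constructed entry.
from dataclasses import dataclass
from datetime import date

IMPACT = {"Low": 1, "Medium": 2, "High": 3}
LIKELIHOOD = {"Unlikely": 1, "Possible": 2, "Likely": 3}
CLOSED = {"Closed", "Completed"}  # assumed statuses needing no further action


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    impact: str
    likelihood: str
    owner: str
    deadline: str  # "Qn YYYY", as written in the register
    status: str

    def rating(self) -> int:
        """Ordinal rating: impact score times likelihood score (1..9)."""
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]


def quarter_end(deadline: str) -> date:
    """Last day of the quarter named by a 'Qn YYYY' deadline (assumed rule)."""
    quarter, year = deadline.split()
    if len(quarter) != 2 or quarter[0] != "Q" or quarter[1] not in "1234":
        raise ValueError(f"bad deadline: {deadline!r}")
    month = 3 * int(quarter[1])
    return date(int(year), month, 31 if month in (3, 12) else 30)


def validate(entry: RiskEntry) -> list:
    """Problems that stop an entry from working as an action-plan item."""
    problems = []
    if not entry.owner.strip():
        problems.append("no risk owner")
    try:
        quarter_end(entry.deadline)  # empty or malformed deadline raises
    except ValueError:
        problems.append("deadline missing or not in 'Qn YYYY' form")
    if entry.impact not in IMPACT or entry.likelihood not in LIKELIHOOD:
        problems.append("impact/likelihood not on the register's scale")
    return problems


def overdue(entries, review_date: date) -> list:
    """IDs of open, well-formed actions whose deadline quarter ended before review."""
    return [e.risk_id for e in entries
            if e.status not in CLOSED and not validate(e)
            and quarter_end(e.deadline) < review_date]


def priority_order(entries) -> list:
    """Well-formed entries, highest rating first, then earliest deadline."""
    ok = [e for e in entries if not validate(e)]
    return [e.risk_id for e in sorted(ok, key=lambda e: (-e.rating(), quarter_end(e.deadline)))]


REGISTER = [  # from the table above; F11 is constructed to show a validation failure
    RiskEntry("F01", "Oil price volatility", "High", "Likely", "Finance Manager", "Q4 2024", "In progress"),
    RiskEntry("F02", "FX risk on international contracts", "Medium", "Possible", "Treasury Head", "Q3 2024", "Ongoing"),
    RiskEntry("F05", "Capital project delays", "High", "Likely", "Project Finance Lead", "Q2 2024", "Delayed"),
    RiskEntry("F06", "Cyber breach of financial systems", "High", "Possible", "IT Security Officer", "Q3 2024", "In progress"),
    RiskEntry("F11", "Constructed: entry with no owner", "Medium", "Possible", "", "Q4 2024", "Planned"),
]
```

Running `overdue(REGISTER, date(2024, 10, 1))` against a quarterly board review dated 1 October 2024 flags F02, F05 and F06, while `priority_order(REGISTER)` puts the two High/Likely items first and drops the ownerless F11 until it is fixed.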
