Example of procedure for Conducting Risk Monitoring & Treatment

ISO 31000:2018 6 Minutes
https://preteshbiswas.com/wp-content/uploads/2024/12/Risk-Monitoring-and-Treatment-Procedure.wav

PURPOSE:

The purpose of this document is to describe the risk monitoring and treatment process for ABCD. Specifically, this document shall guide the execution of the procedures for conducting Risk Monitoring and Treatment, resulting in detailed understanding of the existing status and exposure to risks.

SCOPE:

The processes mentioned in this document are internal processes and its implementation is applicable for all entity within ABCD.

  • Customer: All entity within ABCD
  • Outsourced Service: Not applicable.
DEFINITIONS I ABBREVIATIONS:
Advisor: ABC employee or organizational team who  provides guidelines and/or feedback to any process, plans, presentations, or reports 
Approver: ABC employee or organizational team who exercises the authority to endorse, change or reject plans, reports, proposals, or findings after judging their applicability and suitability
Centralized (risks treatment): Risk mitigation/ treatments mainly for “portfolio owner” combination of risks which have multiple relationship (in managing the  risk) within ABCD. Centralized risks treatment provide I leverage on ability to pool more resources to treat such risks.
Contributor: ABC employee or organizational team who provides data, information or estimates for any process, procedure (or sub- procedure) and to participate in any discussions, presentations, or analyses thereof
CRMD: Corporate Risk Management Department
ERM: Enterprise Risk Management  
 Local (risk treatment): Risk Mitigation and treatment that is within the means of single Team/Group within ABCD. Local risk treatment utilizes available pool/resources for the Team/Group to treat such risks.
 Portfolio Owner: In the context of risk assessment, a portfolio owner is the individual responsible for managing and overseeing the risk management of a specific portfolio, which may include a group of projects, assets, or business activities. The portfolio owner identifies, assesses, and monitors risks within the portfolio to ensure that the overall risk exposure aligns with the organization’s risk tolerance and strategic objectives.
Presenter: ABCDs  employee  or  organizational  team  who  delivers  any presentation, reports, or findings to an audience
Risk Coordinator: appointed by Team Leader or Manager or higher management, to act as the focal point for specific Team or Group or Directorate.
Risk Register: Operational Risk System or ORS, also known as Avanon.
 Responsible: ABCDs employee or organizational team who is accountable for the implementation, adherence to a procedure (or sub-procedures) and for any other action items related to that procedure (or sub­ procedure)
Reviewer: ABCDs employee or organizational team who read and/or analyse reports, questionnaires, presentations, estimates etc. and judge their suitability with regards to correctness and adherence to guidelines & quality standards
RMI: Risk Management & Insurance
ROC: Risk Oversight Committee

RESPONSIBILITY FOR APPLICATI ON:

  • Risk Oversight Committee
  • Group Risk Management Manager
  • Team Leader, Risk Management and Insurance
  • Senior Risk Analyst
  • Risk Analyst

CONDUCTI NG RISK MONITORI NG AND TREATMENT PROCESS:

Process Overview General Description

RMI and Risk Coordinators are constantly required to interact; to measure; aggregate; communicate; and treat risks. In order to perform comprehensive risk treatment activities, RMI is required to obtain and analyze internal as well as external data to ensure detailed understanding of the current status and exposure to risks. Centralized and local risk treatments activities should then be performed accordingly, with reference to the Risk Monitoring and Treatment Plan. Preparation and distribution of reports is required to ensure systematic monitoring of risk exposures, violations, and the completeness and effectiveness of risk treatment activities across ABCD. 

Process Objectives:

  • To create risk specific guidelines for treatment & monitoring.
  • To gather enough information to determine and analyze risk exposure across ABCD.
  • To monitor and report risk exposures and risk limit violations.
  • To perform and evaluate centralised and local risk treatment.
  • To create and share risk monitoring  and treatment reports  (including information on risk exposure, effectiveness of risk treatment, etc.) with the ROC and ABCD Management

Participants:

The process has the following participants:

  • RMI provides guidelines, calculates risk exposure, work with teams to facilitate identification of risk treatment plans, aggregate and evaluate risk treatment performance information, and distribute risk management reports.
  • Teams provide inputs to RMI to calculate risk exposures, monitors risk management performance and perform local risk treatment.
  • Risk Coordinators act as point of contact for concerned team.
  • Portfolio Owners provide the status of risk treatment activities in progress and the aggregated monitoring data about risk metrics.
  • Single Risk Owners provide all risk treatment related information and updates to the Portfolio Owners.

Triggers

This is an ongoing process and the monitoring and treatment plan for each risk portfolio has its own triggers (the process could be periodic or triggered by specific events, like: new contract; new counterparty, etc.).

Inputs to the Process

  • Existing risk register.
  • Existing risk monitoring & treatment plan.
  • Inputs  from  Teams on risk management  (e.g., data on defined risk metrics,  results  of risk monitoring and treatment, etc.).

Outputs from the Process

  • Guidelines on metrics/ limits/ risk treatment issued by RMI IAffiliated Teams to other teams.
  • Risk management reports (risk exposure, results of risk monitoring and treatment).
  • Treatment of risks.

Operation Procedures

1. Provide Guidelines

The procedure provide guidelines aims at studying the existing exposure of ABCD to risk and its causes and providing high level guidelines to Teams in order to measure and track risks.

  • RMI team to study the current exposure(s) of ABCD risks and its causes.
  • RMI team shall provide high level guidelines to teams in order to measure and track risks.

This is not a trigger for initiating a treatment plan but is essentially a starting step which allows ease of data collection post an event or trigger.

2. Collect Inputs

The procedure Collect Inputs focuses on producing clear, accurate, systematic and detailed documentation on internal and external information collected pertaining to risk measurements and current monitoring and treatment activities.

  • Risk Coordinators from each team I group representative shall collect information requested and update/report them to RMI.
  • Required items to be collected/conveyed for reporting such as Risk ID from existing risk, risk name, risk descriptions, risk likelihood and risk impact.
  • RMI Team responsible to collect the team input, review and organize information received.
  • RMI Team also responsible to collect external input (such as change in Political environment I generic analysis of political conditions)

3. Calculate Risk Exposure

The procedure Calculate Risk Exposure focuses on producing periodic reports on risk exposures and risk limit violations, based on sufficient and accurate information provided by respective teams.

  • RMI team responsible and as the reviewer in calculating ABCD exposure to risk, utilizing data /information collected from teams as input to risk metrics/severity.
  • RMI team responsible to monitor/ compare risk exposure to agreed limits.
  • RMI Team has the responsibility to report risks exposure (include report on risk exposure and items exceeding the limit @ risks that is considered VH Risk) and share with ROC and Top Management.
  • RMI Team needs to review the calculations and analysis as well prepare required reports.
  • RMI team shall decide for any limit exceptions (Risk with severity in Very High Status),
  • Risk needs to be treated (given prioritization I centralized or local risk treatment)
  • Risk that has not exceed limit exceptions (Risk not in Very High Category) shall be reviewed and reported /documented as regular risk register at local risks treatment.

4. Treat Risks

The procedure Treat Risks focuses on performing central and local risk treatment activities by the relevant parties.

  • Portfolio owner /Risk owner shall decide if the mentioned risk could be treated centrally (refer to specific risk monitoring and treatment plan), else it can be treated as Local risk treatment.
  • Central Risk Treatment activities for risk that cannot be effectively treated by any single team shall be the responsibility of Portfolio owner.
  • Activities and performing local risk treatment (risk mitigation with jurisdiction of the team) shall be under responsibility of the team (risk owner)

5) Track Performance

The procedure Track Performance focuses on tracking the performance of risk treatment activities, based on sufficient and detailed analysis of information provided by the respective teams.

  • Risk Coordinators or Portfolio owners are responsible to provide performance information by collecting the performance and progress of risk treatment activities & reporting such information to ERM Team
  • RMI team are responsible in tracking risk management performance by aggregating, evaluating, and reviewing the risk performance info and progress.
  • In the event of further information required regarding risk performance, RMI to collect further info from Portfolio owner or Risk Coordinators (whichever applicable)
  • RMI shall proceed to report /update report for all other risk

6. Report

The procedure Report focuses on producing periodic reports on ABCD’s risk management activities and outcomes for the ROG and ABCD Top Management. These reports should incorporate clear and concise documentation of all relevant information, either internal or external.

  • RMI Team responsible for Reporting Risk Management Performance
  • RMI team shall prepare and report risk management performance to ROC and ABCD Top Management & Portfolio Owner (if any). Key Risk / Very  High-Risk Report are requested by KPC on quarterly basis.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a ReplyCancel reply