Most modern-day risk managers are familiar with developing a risk management framework or procedure documents. These documents capture risk management roles and responsibilities, outline risk management processes as well as other aspects of risk management. Risk management framework documents became so common, that nowadays they don’t require much effort to develop and there are plenty of free templates available online. The only problem is that nobody in the organization, except the risk manager and the internal auditor, reads them.
Over the years, we have discovered a much better way to document risk management frameworks, procedures and methodologies. Instead of writing a separate risk management framework, companies should upgrade its existing policies and procedures to include elements of risk management where appropriate. One investment company that we interviewed documented risk management methodology in the investment management procedure instead of creating any new risk management documents. This essentially changed how the investment process works, made risk management a critical step in investment decision making, gave investment managers a sense of ownership and had a huge positive impact on the risk culture within the organization.
The same approach can also be used for any other business process. Instead of creating a single, centralized risk management framework or procedure document, risk managers should review and update existing policies and procedures to include elements of risk management. Some procedures may require a minor update, with only a sentence or two added while others may need whole appendices written to include risk management methodologies. This approach also reinforces the need to create separate risk management tools and methodologies for different business processes.
This is an extract from a comprehensive G31000 risk management maturity model.
Interested in buying the full G31000 risk management maturity model? Click here or contact me directly if you want me to perform a quick gap assessment at your organization or you need help to integrate risk management into a particular business process or decision.
Check out other risk management books
RISK-ACADEMY offers online courses
Informed Risk Taking
Learn 15 practical steps on integrating risk management into decision making, business processes, organizational culture and other activities!
ISO31000 Integrating Risk Management
Alex Sidorenko, known for his risk management blog http://www.riskacademy.blog, has created a 25-step program to integrate risk management into decision making, core business processes and the overall culture of the organization.
Advanced Risk Governance
This course gives guidance, motivation, critical information, and practical case studies to move beyond traditional risk governance, helping ensure risk management is not a stand-alone process but a change driver for business.
One thought on “RISK MATURITY: How to build a risk management framework”