Risk management should be inclusive. Appropriate and timely consultation and involvement of stakeholders enables their knowledge, views and perceptions to be taken into account which results in improved awareness and informed risk management and decision making.
Recording and reporting provide a means of communication that facilitates the integration of risk management across organizational boundaries and conveys information about risks to stakeholders. Risk communication can be an efficient tool for demonstrating the effect of risk management on the organization's overall objectives.
Risk management should be inclusive with stakeholders
Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organization, ensures that risk management remains relevant and up to date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria. Stakeholders need to receive the right information in an appropriate and timely manner, to understand the basis on which decisions are made and to be assured that their judgment is adequately considered.
An organization might use a responsibility assignment matrix, also known as a RACI matrix (Responsible, Accountable, Consulted, Informed), which describes the participation of various roles in completing the tasks or deliverables of a project or business process. It is especially useful for clarifying roles and responsibilities in cross-functional or cross-departmental projects, tasks and processes. Reviewers should check whether risk management is inclusive of key stakeholders.
Risk information is integrated into internal management reporting
Mature organizations integrate risk management information into existing management reporting. Management reports should combine risk and performance information. Some organizations consider it good practice to report not on the risks themselves but on the effect they will have on the company's objectives. Modern risk assessment techniques allow the organization to quantify the probability of achieving each of its business objectives. Management needs to know the current level of achievement (performance) as well as the current level of risk, so some organizations choose to report key strategic and operational targets adjusted for risk.
Dedicated reports may be prepared for specific significant risks that require urgent or special attention from the senior management or key stakeholders.
Reviewers should check whether risk management information has been appropriately integrated into day-to-day management performance reporting, and whether dedicated reports exist for significant risks. Reviewers should also check whether risk management information is readily available on the company intranet, in newsletters or on a portal.
Risk information is integrated into external reporting
Risk management information should also be provided to stakeholders outside the organization. Mature companies include risk management information in the following types of reports:
- Annual report: usually contains information about the overall commitment to risk management, the risk management principles and how they are applied by the organization, the risk management governance structure, risk-adjusted performance metrics, risk management objectives and the key risk management related activities undertaken throughout the year. Annual reports may also include information on the actual risks faced by the organization and their treatment. Financial statements should also include disclosures of risks and the measures taken to treat them.
- Corporate website: usually provides the risk management policy, may describe the risk management governance structure, makes public reference to ISO 31000:2009 and provides any risk-related information required by the stock exchange or regulator.
- Other examples include reports to the regulator, corporate social responsibility reporting, a prospectus (if the organization is raising funds) and so on.
– – – – – – – – – – – – – – – – – – – – – – – – –
This is an extract from a comprehensive G31000 risk management maturity model.
Interested in buying the full G31000 risk management maturity model? Click here or contact me directly if you want me to perform a quick gap assessment at your organization or you need help to integrate risk management into a particular business process or decision.