Archive for the ‘Risk & Assurance’ Category
Embedding Risk Management
Risk management needs to become part of the way business is conducted. Embedding risk management in the regular, daily affairs of the organisation is not an easy task and requires continuous effort. Achieving this measure of acceptance may take some time; however, a number of steps can be taken to help the process.
SUPPORT (Sponsorship) from the Top
The implementation must be sponsored at board level and positively supported by all senior people within the organisation. There are a number of ways this can be done: presentations, devising a risk policy, and inclusion on agendas.
POLICY
Every organisation should have a risk management policy, whatever the organisation's approach to risk is. Such a policy should be formal and set a framework within which the organisation implements its risk management responsibilities and processes. The policy should include:
- Objectives and the overall purpose of risk management for the organisation (statement of intent). There should be links to other policies, for example audit (internal and external), control, governance, conduct, insurance and so on.
- Responsibility for risk management, clearly set out at board, management and operating levels. This should be repeated in specific function responsibilities and job descriptions throughout the organisation.
- If there is an audit and/or risk committee in the organisation, its responsibilities for risk management should be clearly stated in its terms of reference. This applies also to internal audit and any other internal or external assurance activity.
- Risk appetite: the level of risk the board is prepared to accept to achieve its objectives, in specific circumstances or possible events, indicating the levels of control needed to mitigate specific risks.
- An explanation of the key components that set out the overall approach to risk management, including the commitment of resources (staff and information systems), training and development.
- A requirement that key risks are considered on a regular basis and reported up the hierarchy as required. Designated managers at various levels report upwards (on either a quarterly or half-yearly basis) on the work done to keep risk and control procedures up to date and appropriate to circumstances within their particular area of responsibility.
- A common risk language, defining the terms to be used.
STRATEGY
The organisation must develop a clearly articulated and communicated strategy, explaining how risk management will operate according to an implementation plan (timetable). This will be consistent with the specific responsibilities and roles set out within the policy.
Risk management must be linked into other activities as a matter of routine, such as business plans, project plans, team meetings, etc.
Risk management must be a high priority for everyone in the organisation and must be clearly built into both departmental and individual performance objectives.