What three elements make up the RASP acronym that refers to the RM framework, or risk “context”?
Risk Architecture, Strategy and Protocols
Explain what is meant by the ‘architecture’ element of the RM framework and what this consists of.
Architecture describes how risk is communicated throughout the organisation. It includes:
- committee structures and ToRs
- roles & responsibilities
- internal reporting requirements
- external reporting controls
- RM assurance arrangements
Explain what is meant by the ‘strategy’ element of the RM framework and what it consists of.
Describes the overall objectives that the org is trying to achieve through risk management. Includes:
- RM philosophy
- arrangements for embedding RM
- appetite and attitude to risk
- benchmark tests for significance
- specific risk statements and policies
- risk assessment techniques
- risk priorities for the current year
What is meant by the ‘protocols’ element of the RM framework and what does this consist of?
Systems, standards and procedures in place to ensure the strategy is achieved. Includes:
- Tools and techniques
- Classification systems
- Risk assessment procedures
- Risk control rules and procedures
- How to respond to incidents, issues and events
- Documentation and record-keeping
- Training and communication
- Audit procedures
- Reporting/disclosures/certification
What documentation should be included in a Risk Management Manual?
Should include:
- RM & internal control objectives
- Risk strategy (statement of attitude)
- Description of the control environment
- Level and nature of risk that is acceptable
- RM organisation and arrangements (architecture)
- Procedures for risk identification and rating (risk assessment)
- Docs for analysing and reporting risk (protocols)
- Risk mitigation requirements and control mechanisms
- Allocation of roles and responsibilities
- Criteria for monitoring and benchmarking risks
- Allocation of appropriate resources
- Risk priorities and performance targets
- RM calendar for the coming year.
What kind of RM guidelines and protocols might be required for an RM strategy to be effective?
The following should be considered:
- Risk assessment procedures
- Risk control objectives
- Risk resourcing arrangements
- Reaction planning requirements
- Risk assurance systems
Give four examples of protocols/guidelines for “risk assessment procedures”
o Turnbull procedures
o response to significant risks
o projects and Cap-Ex approval
o procedures for strategy & budgets
Give four examples of protocols/guidelines for “risk controls objectives”.
o Brand management guidelines
o Health & Safety at work
o Environmental protection
o Contract risk management
Give four examples of protocols/guidelines for risk resourcing arrangements:
o Opportunity management
o Project resource allocation
o Insurance programme
o Captive insurance arrangements
Give four examples of protocols/guidelines for reaction planning requirements.
o Loss & claims management
o Disaster & recovery planning
o Cost containment procedures
o Risk management record-keeping
Give four examples of protocols/guidelines for risk assurance systems
o Risk register maintenance
o Corporate RM committee
o ToR for audit committee
o Control self-certification arrangements
Explain why the RM manual should be updated annually.
- Ensure it employs best practice
- Identify risk priorities for the coming year
- Ensure appropriate attention is paid to the significant risks
- Ensure the board pays attention to RM and its dynamic nature
The amount of documentation will be proportionate to the level of risk in an org. What details should the RM Manual include as a minimum?
- Board member responsible for risk
- Language and perception of risk in the organisation
- Framework for identifying significant risks
- Role of the risk manager and internal auditors
- ToR for the RM committee/s
- RM structure/architecture (which can be presented as a diagram)
Explain why it is important to set out the risk architecture.
Lines of communication are defined and the responsibility for managing risk can be clearly posited with the risk owner.
Describes pathways for escalating risk and whistleblowing.
There are clearly defined lines of responsibility in terms of setting the strategy, implementing the agreed standards and procedure and auditing compliance.
Where in the RM Manual does the risk strategy usually appear and what does it include?
RM Policy. Includes:
- Risk appetite
- How the RM arrangements will support the orgs STOC goals
- How RM will be aligned with other business activities
Describe what documentation might be used for ‘risk governance’
- RM Policy and priorities
- Specific risk statements e.g. H&S
- ToR for the risk/audit committees
- Risk protocols and procedures
- Risk awareness training records
Describe what documentation might be used to support ‘risk response’.
- Risk assessments/risk register
- Risk control standards
- Risk improvement recommendation
- Risk assurance reports
- Business continuity/disaster recovery plans
Describe what documentation might be used in relation to ‘event reports’.
- Loss/claim reports and recommendation
- Legal and litigation reports
- Enforcement action/customer complaints
- Incident and near miss investigations
- Business performance reports/KPIs
Explain what is meant by ‘establishing the context’.
ISO31000 describes this as the first stage in the RM process. It’s about understanding the RM Context (RASP, which underpins and shapes the RM process, setting appetite responsibilities and means for understanding level of exposure) the Internal Context (which includes culture, resources available, how RM outputs are received and governance of RM) and the External Context (stakeholders, competitors, regulations and economic environment)
