Fundamentals of Risk Management
Risk management documentation
Table 21.4 indicates the extent of risk management guidelines or protocols that may need to be produced by an organization. This should not be seen as an exhaustive list and other types of protocols, guidelines or procedures may be necessary, depending on the exact nature of the organization and the risk strategy that it is following.

Preparation of a risk management manual, including the policy statement, is a good opportunity for an organization to establish detailed procedures on a range of risk management topics, as well as setting out the risk management priorities for the following year. For example, many organizations produce an annual health and safety and/or environmental policy and procedures, and this should be an integral part of the risk management documentation.

Many organizations face significant risks that need routine or even constant management attention. This is particularly true in the case of hazard risks, where the health and safety policy and procedures, business continuity plans and disaster recovery plans (for example) need to be routinely updated.

For many organizations, the risk guidelines will be established in writing. Other organizations will operate a more informal means of embedding risk management into management activities. The risk guidelines will often include details of the risk management structure in place in the organization. Also, details of the risk strategy and risk protocols will need to be included in the risk guidelines. They should also include details of the (internal) control responsibilities of managers.

The structure described in Table 21.4 reinforces the importance of the activities involved in the risk management process. Each of these activities produces several outputs, and the required outputs can be discussed in the risk guidelines.
The guidelines need not include a set of risk control or loss control standards, but should describe how risk control decisions will be taken, implemented and audited. In fact, the risk guidelines for a diverse group of companies cannot include physical control requirements and standards. Each unit, division or department should set its own standards for risk control, including health and safety, fire safety, physical security, information security and environmental protection. This may be appropriate because of the diverse nature of the different units within the organization.

The risk guidelines should define the means by which embedded risk management is to be achieved in the organization. The setting of strategy, standards and procedures needs to be undertaken within the framework of the risk guidelines.

The format for the risk guidelines will depend on the organization and the nature of the risks that it faces. Typically, these guidelines will contain information on at least the following:

● financial and authorization procedures;
● insurance arrangements;
● managers’ control responsibilities;
● project risk management;
● incident reporting and investigation;
● event and reaction planning;
● physical risk control objectives and responsibilities.

Table 21.2 sets out the range of risk management documentation that may need to be kept by an organization. In order to successfully embed risk management, it is necessary to maintain a range of risk management records. These records will include details of various risk management activities, including:

● risk management administration;
● risk response and improvement plans;
● event reports and recommendations;
● risk performance and certification reports.

Embedded risk management will be achieved when the cycle of risk management activities is fully aligned with the planning cycle of the organization.
A primary purpose of risk guidelines is to help managers understand the risk management framework of the organization. This understanding will ensure that managers pay appropriate attention to risk implications when making decisions.