Fundamentals of Risk Management


Approaches to risk management


records of significant risks held on databases. Where quantification of exposure is 
required, then a simple risk register held as a document is unlikely to be sufficient. 
This is true of systems for recording operational risks, where quantification of risk 
exposure is required.
Using a risk register
A well-constructed and dynamic risk register is at the heart of a successful risk management
initiative. However, there is a danger that the risk register may become a static 
document that records the status of risk management activities at a moment in time. 
The practical implications of this are that senior management may consider that 
attending a risk assessment workshop and producing a risk register fulfils their risk 
management obligations and no ongoing actions are required.
It is better to think of the risk register as a risk action plan that records the status 
of the organization with respect to risk management, but also provides a record of the 
critical controls that are in place, together with the details of any additional controls 
that need to be introduced. In producing such a risk action plan, the responsibility 
for undertaking the actions identified will be clearly established.
Chapter 26 considers the options for the use of a risk management information 
system (RMIS) to record the information held in the risk register. Also, the information
held in the risk register may be available on the intranet of the organization, and 
this will help with risk understanding and communication. In some organizations, 
the risk register is given the status of a controlled document to be used by internal 
audit as one of the key reference documents for undertaking an audit of risk management
activities.
Even if this is not the case, the information set out in the risk register should be very 
carefully considered and constructed. For example, the risks set out in the register 
need to be precisely defined so that the cause, source, event, magnitude and impact 
of any risk event can be clearly identified. Also, the existing control activities, together 
with any additional controls that are proposed, must be described in precise terms 
and accurately recorded.
Risk control activities should be described in sufficient detail for the controls to 
be auditable. This is especially important when the risk register relates to the routine 
operations undertaken by the organization. Risk registers should also be produced 
for projects and to support strategic decisions.
A project risk register has to be a very dynamic document. An example of a
project risk register is provided in Table 7.4. Details of the risks faced by the project, 
as recorded in the risk register, should be discussed at every project review meeting. 
As well as risk registers being relevant to projects, they should also support business 
decisions. In this case, the precise format of a risk register may be less formal. When 
a strategic decision has to be taken at board level, the risk assessment of that strategy 
should be attached to the proposal. This risk assessment could include both the
risks of undertaking the strategy and an analysis of the risks associated with not 
undertaking the proposed strategy.
Finally, a risk register should be attached to a business plan as a record of the risks 
that could impact the achievement of that plan. Table 7.5 shows a partially completed 


