IRM ERM M1U4.4 Reviewing risks Flashcards
Risk reviewing
Reviewing is checking the effectiveness of controls in place to manage risks and the risk management process, with the review being perhaps on a less regular basis. In addition, a review is a more formal assessment of risks and risk management, with the intention to instigate change if it is felt necessary.
The review of risks and their controls is undertaken to provide assurance that the risks are being managed effectively. Reviews are retrospective where we consider ‘how did we do?’ They are usually held on a planned basis, depending on the level within the organisation and / or the timescale of the activity being undertaken. Some key considerations on the timescale for reviewing risks include:
Is this a scheduled review?
Have there been any changes found through the monitoring process?
Have improvements been identified to controls?
Have there been any incidents or near misses?
Have there been reports or issues raised (internally or externally)?
Risk reviewing by Board & Internal Audit
For example, the UK Corporate Governance Code states that Boards should carry out a review the effectiveness of a company’s risk management and internal control systems at least annually, which should cover all key controls. As part of the internal control system, audit may review controls in different areas of the business as part of yearly audit planning. Many projects and operational activities will require formal reviews in alignment with project or team updates.
Risk Control Self-Assessment
Risk review considers whether those well-designed controls are being implemented effectively. Remember that the verification process for real controls considers the implementation of controls, not just the gathering of data or the provision of guidance.
These risk reviews are in addition to data from key control indicators but are often informed by them. Many organisations, especially in the financial services sector undertake ‘self’ reviews of controls and key risks, using formal techniques such as Risk Control Self-Assessment. Other organisations will ask internal risk specialists to review risks and their controls. Most organisations will employ internal audit to undertake an independent review of controls to assess their effectiveness in managing risks. Some organisations will use all three approaches.
COSO, ISO Regular review of risk management framework
UK Corporate Governance Code states that Boards should carry out a review the effectiveness of a company’s risk management and internal control systems at least annually, which includes a review of the risk management process.
One of the COSO:2017 ERM framework principles (17) requires organisations to pursue improvement of enterprise risk management. ISO 31000:2018 Principle (h) requires that risk management be continually improved through learning and experience.
Apart from being a requirement, it is good practice to review the risk management framework and process on a regular basis, which many organisations do. This is often on a three-year cycle, which allows for the review to be undertaken, improvements to be identified, agreed, and implemented, and give time for those improvements to take effect.
RM review benchmarks
Regular reviews of risk management are often undertaken by external independent subject matter experts, either instead of or in addition to internal audit reviews. These reviews are usually based on and benchmarked against:
Relevant regulations, such as health and safety, environmental or financial stability requirements.
Risk management standards and frameworks, such as ISO 31000:2018 and COSO: 2017.
Relevant industry or sector best practices, based on the subject matter expert’s knowledge and experience.
Outcome of Risk Reviewing
These reviews should be undertaken through a desktop study of all relevant risk management documentation, as well as discussions with key individuals at all levels of the organisation, based on an agreed set of interview questions tailored to assess relevant aspects of framework and process and its implementation. Depending on the depth and breadth of the review, surveys are sometimes also used to gather information.
The outcome of these reviews usually includes information on the:
Reason for the review.
Benchmarking criteria (relevant to the organisation).
Questions asked in the interviews and / or surveys.
Key observations, including relevant comments from the discussions.
Suggestions or opportunities for improvement.
Key recommendations.
Learning benefits of undertaking risk reviews
Some of the learning benefits of undertaking reviews of the whole risk management process include:
To ensure our responses are effective and efficient, including the identifying and closing of any holes or gaps in our control defences.
To identify and manage potential adverse side effects and unintended consequences of our responses.
To build up knowledge to improve risk identification and analysis.
To better link risks to objectives, key dependencies, core processes and stakeholder expectations.
To detect and prepare for changes in our internal or external context..
To detect and prepare for changes and trends in our risks.
To identify and prepare for new and emerging risks.
To identify good risk management practice, build on it and disseminate it to other parts of the organisation
Examples of negative near-miss incidents
Examples of negative near-miss incidents include:
A small fire that was detected early enough to prevent any damage.
A small fraud that was detected before money was lost.
A plane that makes an emergency landing.
A disaster that affects a competitor, but which could, just as easily, have affected us (think of the lessons to be learned by other oil and gas companies following the BP Deepwater Horizon event in 2010, and by individuals, organisations, sectors, industries, and countries following the Covid 19 pandemic).
Outcome of reviewing the near-miss
By reviewing the near-miss event we can understand better:
Why it occurred.
Whether we had previously identified it as a possible risk.
Why it did not have a big impact.
Whether we had correctly analysed its likelihood and impact.
