Risk Management Program Review
The assessment of a risk management program involves discussions with key personnel and a review of the associated documentation. The assessment references the relevant standard, ISO 31000, but is not designed to be a strict audit of risk-related processes. It is focused less on the detailed methodology and more on the scope of the program and its ability to deliver robust outputs.
The key sample questions to be considered are as follows:
Governance
- Does the company’s approach to risk management match the corporate culture, balance sheet, and internal and external contexts?
- Do the governance structure and practices ensure there is sufficiently rigorous oversight to adequately assess the risk management program and its outputs?
- Does the risk manager (et al) have sufficient experience, authority, and executive/board support to implement the risk management program?
- Are board and sub-committee members satisfied with the risk management program and outputs?
- Is there general agreement on what the key risks to the organisation are?
- Does the risk management program follow a conventional Plan-Do-Check-Act model?
- Are there key formal risk management program documents – e.g. policy, framework, annual plan, register?
- Does the program cover the entire enterprise?
- Does the program integrate well with other management systems (e.g. Quality/Safety/Environmental, Procurement, Finance, Insurance) such that key risks are identified and communicated?
- Does each of the key business units identify and assess its risks in a way that is broadly consistent across the organisation?
- Is there sufficient attention paid to high consequence/low probability risks?
- Are suitable emergency response and business continuity management systems in place to respond to high consequence/low probability risk events?
- Are compliance and regulatory risks explicitly identified and assessed?
- Are key risk controls identified and assessed?
- Is there a formal reporting format and schedule?
- Are risks above an agreed, defined threshold communicated to the board and board sub-committees?
- Does the company have a continuous improvement ethos that is demonstrated in the risk management program?