RMG 211 - Element 9: Reviewing a Risk Management Approach

As an entity’s environment, objectives and capabilities change over time, so do its risks, its risk appetite and its exposure to existing risks. To ensure new risks are identified, and existing risks remain appropriately managed, entities need to periodically review their risk management framework and the risks being managed. The frequency of review is dependent on the entity, its operating environment and the nature of the risks it is exposed to.

Effective risk management programs require regular review and evaluation mechanisms, both formal and informal. This guides whether the entity’s risk management approach is consistent with its objectives, ensures that the risk management framework is continuously improved and that good risk management practice is recognised. These mechanisms also provide assurance to the accountable authority on the effectiveness of the entity’s approach to risk management.

To review the performance of an entity’s risk management framework and identify potential gaps, three key aspects can be considered:

• Value add: the degree to which risk management is contributing to the achievement of the entity’s objectives and its effectiveness in identifying and managing risk.
• Maturity: whether the risk management framework is fit for purpose for the entity and represents the appropriate application of better practice.
• Compliance: the extent and the consistency of the application of the risk management framework in practice across the entity.

Reviewing an entity’s approach to managing risk has four key steps:

1. Review the entity’s risk management framework, including its risk artefacts, its governance arrangements and allocation of resources to oversee the framework
2. Review compliance with and the application of the framework
3. Review the entity’s risk profiles
4. Review individual risks and the controls that are in place to manage them.

A review of an entity’s risk management approach should be undertaken in order to ensure that the risk management function and framework is up to date and commensurate with the entity’s risk profile. For example, an annual review that covers compliance and the effectiveness of the framework could be undertaken. While leading practice might involve a review of the appropriateness, effectiveness and adequacy of the risk management approach and framework by independent reviewers every three years. The frequency and scope of the review will be driven by the nature of an entity’s activities, risks and operating context.

Whilst there is no prescriptive requirement for entities to undertake a review after a certain period of time, there are certain situations that could warrant the need for a review of an entity’s risk management approach:

• Changes in an entity’s internal operating environment: a significant change in an entity’s personnel, controls, processes or systems could create some uncertainty and potential misalignment within the entity’s operating environment. A review process could identify a need for change, or provide some assurance and validation to the accountable authority that the risk management function is operating effectively.
• Changing risk profiles: as an entity’s risk profile evolves, it is important that an entity’s risk management approach is in synch with its operational, strategic and project risks.
• Changes in an entity’s external operating environment: the emergence of new technology, changes in the supply chain, or a change in government priorities should trigger a review of an entity’s risk management approach. In order to ensure that the entity is operating efficiently and considers these changes.
• The emergence of new risk: new or emerging risks could change the entity’s risk profile. Therefore it could be necessary for an internal review of the risk management framework to prepare an entity for any new challenges.
• The identification of ‘near misses’ or unsatisfactory risk management: near misses are incidents that do not materialise but have a potentially detrimental impact on an entity. Recurring incidents or examples of situations where the entity has been negligent or careless in its management of operational, project, strategic and/or enterprise risks could warrant a review of the entities approach to managing risk.

• Establish a rigorous process of ‘near misses’ or incident reporting, analysis and review. This allows an entity to share lessons learnt dealing with issues, crises, problems and successes. This can include sharing of information with partners or like entities to identify cross entity patterns or trends.
• Ensure that the senior executive schedule time to discuss and debate the entity’s risk profile. This may include the rolling review of individual risks in detail, a complete review of the entity risk profile, and occasionally opportunities to consider the entity’s risks from a fresh ‘clean sheet of paper’ perspective.
• Include risk issues in the entity’s annual audit plan and commission independent reviews where necessary.
• Align the review and oversight of risk management with similar business processes and governance arrangements. In particular, review the relevance of the risk management framework each time the entity’s corporate planning processes are revised.
• Develop KPIs when reviewing an entity’s risk management approach in order to measure the performance of your risk management activities and identify opportunities for improvement.
• Consider a range of information sources when reviewing the entity’s risks and the effectiveness of its risk management framework. These can include insurance data, benchmarking data, internal audit outcomes, internal reviews, financial performance data, loss event information or anecdotal feedback.
• Benchmark the entity’s risk management performance against its peers and meet regularly with counterparts in other entities to exchange good practice.