We worked with a company where risk management was receiving increased attention, but which had no risk management framework and no strong governance structure.
Risk Assessment: We performed a risk assessment to identify gaps, using a practical, sustainable, and easy-to-understand process. We focused on measuring and prioritising risks as follows:
Identify: We determined which risks applied to the organisation and distinguished them from those that did not.
Assess: We reviewed the organisation's risk exposure and confirmed its risk appetite.
Controls / RCSA (risk and control self-assessment): We reviewed whether controls were regularly monitored and tested.
Respond to risks: We looked at the existing risk responses and examined options for risk mitigation.
Monitor and report: We analysed reporting and escalation to the board of directors and relevant stakeholders.
Risk Management Framework (RMF)
Following the risk assessment, we agreed with senior management that it was critical to have a strong risk management framework in place within a governance structure that included conduct risk and culture. To accomplish this, we also needed to ensure that the risk management framework complemented the organisation's strategy.
The risk assessment was key to identifying the applicable risks, confirming the risk appetite, and identifying appropriate risk mitigation. We then agreed on the risk management framework (RMF) and the actions needed to enable the organisation to manage and mitigate risk effectively:
The governance structure needed to be documented. This included policies and procedures, controls, the associated risks, systems, continuous improvement, and so on.
It was essential to provide all staff with adequate resources and training so that they fully understood the associated risks and the mitigating controls.