Feedback on the Risk Management Process to Oversight obviously depends on the level of oversight required. In most organisations, the Risk and Audit Committees are combined. Feedback would, therefore, come from both these bodies.
The Audit and Risk Committee is mandated to oversee the Risk Management process, and provide feedback to the Board (the ultimate level of oversight). In our view, in practical terms, this means that the Audit and Risk Committee must ascertain, and provide assurance, that all key risks within the organisation are being managed appropriately (where “appropriately” not only refers to managing the risk to an acceptable level, but also using existing resources efficiently in doing so). This is a daunting task, especially given the fact that the Audit and Risk Committee normally has non-executive directors as its members.
So, most Audit and Risk Committees are willing to expend some resources in establishing a Risk Management process. The output from this process is a risk register, which the Audit and Risk Committee then elects to utilise to fulfil its mandate as it relates to Risk Management.
How should the Audit and Risk Committee review the risk register to enable it to form a view on whether all key risks are being managed appropriately? We would recommend the following sequential steps:
- It needs to ensure that the risk register is complete, i.e. that it contains all the key risks facing the organisation. To enable it to form this view, the risks have to cascade from commonly accepted entity-wide objectives, and the risk register should, in our view, be business process-based. There also needs to be a clear understanding of the different levels and sub-levels of risks being identified, as well as a clear understanding and agreement on the articulation of risks.
- Once the committee is comfortable that the risk register is complete, it now has a foundation to work from and needs to form a view on whether each of the risks within the risk register is being managed appropriately. It therefore needs to:
- Form a view on the inherent risk ratings, as these ratings would provide an indication on the effort/resources to expend in managing the risk. This is an extremely difficult task for a non-executive, and the suggestion is that a large degree of trust is placed on management. Basing the impact rating of each risk on the attainment of individual business process objectives (instead of the more commonly applied methodology of basing it on the organisation as a whole) makes this step immeasurably easier.
- Form a view on the appropriateness of the current action plans/controls in place. Are they appropriate given the inherent risk rating, and is the residual risk rating appropriate, given the controls in place and the inherent risk rating?
- During the above review, it needs to start forming a view on risk tolerance, i.e. which risks within each business process are currently being managed to an acceptable level, and which are not. Again, it is suggested that management provides its indication or view on acceptability first, and this is then reviewed and interrogated (intelligently and selectively) by oversight.
- The additional management actions, indicated by management against risks that, in its view, are not managed to an appropriate level, can then be reviewed. Logic should be applied here. For example, why would a risk with a residual rating of 9 be acceptable, but another of 6 has additional actions that management wants to implement? The inherent or residual ratings are incorrect, or alternatively management runs the risk of “over-controlling”, at which point oversight should step in. Also, different types of risk may have different acceptability levels (or tolerances). For example, a financial risk would most probably have a lower tolerance than an operational risk. Whilst assessing the appropriateness of additional management actions, oversight also needs to form a view on the applicable deadline: is it realistic, and is it acceptable, given the level of risk exposure?
- To enable an intelligent review of the above, it is suggested a second view of the risk register is supplied to oversight, with the risks sorted based on the residual risk ratings. Oversight can then, over time, formulate risk tolerance levels for different categories of risks.
- It is suggested that the majority of the above tasks are performed once only, where-after the members can focus on changes made on the Risk Register or to the Risk Management process from meeting to meeting. Once the Risk Register is viewed as largely complete and accurate, residual risk ratings and action plans will typically change more frequently than inherent risk ratings and the articulation of risks.
- Finally, oversight needs to be provided with a mechanism to ensure deadline management, i.e. how does it ascertain that previously committed actions have been adhered to within the previously committed deadline?
The Audit and Risk Committee now has to provide feedback to the Board. Again, the content of this feedback is dependent on the needs of the Board members. As a minimum, our expectation would be that the directors who are not part of the Audit and Risk Committee perform the same, once-off steps as the members of the Committee, as detailed above.
Thereafter, the Board should receive feedback on a process level, i.e. the process of identifying and prioritising risks are appropriate (as per the view of the Audit and Risk Committee). And finally, in addition to the process assurance, individual directors should receive and review formalised feedback on the overall operating control environment of their organisation, based on the principles of Combined Assurance.