Reporting Risk Management
Risk management must be reviewed and reported on for two reasons:
- To monitor whether or not the risk profile is changing.
- To gain assurance that risk management is effective, and to identify when further action is necessary.
Processes should be put in place to review whether risks still exist, whether new risks have arisen, and whether the likelihood and impact of risks have changed; to report significant changes that adjust risk priorities; and to deliver assurance on the effectiveness of control.
The overall risk management process must undergo regular review in order to ensure that it remains appropriate and effective. The review of risks and the review of the risk management process are distinct from each other, and neither is a substitute for the other. The review processes should:
- Make sure to review all aspects of the risk management process at least once a year.
- Ensure that the same risks are subject to review with appropriate frequency (with appropriate provision for management’s own review of risks and for independent review/audit).
- Make provision for alerting the appropriate level of management to new risks or to changes in already identified risks, so that the change can be appropriately addressed.
Tools & Techniques for Reporting Risk Management
In reporting risk management, a number of tools and techniques are available to help with the review process:
- Risk Self-Assessment (RSA) is a technique already mentioned for identifying risks. The RSA process also contributes to the review process: RSA results are reported as part of maintaining an organization-wide risk profile. (This process is sometimes referred to as CRSA, “risk control and self-assessment”.)
- “Stewardship Reporting” requires that designated managers at various levels of the organization report upwards (usually at least annually at the financial year-end, and often on a quarterly or half-yearly interim basis) on the work they have done to keep risk and control procedures up to date and appropriate to circumstances within their particular area of responsibility. This process is compatible with RSA; managers may use RSA as a tool to inform the preparation of their Stewardship Report.
- The “Risk Management Maturity Model”, produced by Investors in Risk Management and other risk management companies, provides a tool for evaluating the maturity of an organization’s risk management.
In addition to these formal tools, individuals, workgroups and teams should constantly be considering the risk issues which they face in the work they are doing.
Internal Audit’s work provides an important independent and objective assurance about the adequacy of financial reporting risk management, control, and governance.
Management may also use Internal Audit as an internal consultant to assist in developing the organization’s strategic risk management process.
It will have a wide-ranging view of the whole range of activities that the organization undertakes, and will already have undertaken some form of assessment to inform its planning of systems and processes to be audited. However, it is important to note that Internal Audit is neither a substitute for management ownership of risk nor a substitute for an embedded review system carried out by the various staff who have executive responsibility for the achievement of the organization.
Many organizations have specialist review and assurance teams that are established for a particular purpose (for example, Accounts Inspection Teams, or Compliance Review Teams).
Their work contributes to the assurances available about the risk and control systems in use in the organization. “Stewardship” assurance mechanisms, whereby line managers give an account of their stewardship of their areas of responsibility, are also important, especially in organizations with highly devolved control structures.
The Accounting Board / Officer should ask the Audit Committee to:
- Gain assurance that risk, and change in risk, is being monitored;
- Receive the various assurances which are available about risk management and consequently deliver an overall opinion about risk management;
- Comment on the appropriateness of the risk management and assurance processes that are in place.
However, it should be noted that the Audit Committee should not itself own or manage risks and is, as with internal audit, not a substitute for the proper role of management in managing risk.
Some organizations may establish a Risk Committee. The Board needs to decide what role it wants to assign to the Risk Committee.