One of the most frequently asked questions is: how often should risks and opportunities be reviewed and monitored? The answer helps us establish whether an organisation’s risk-management process is effective
The answer also has a significant influence on an organisation’s choice of risk/opportunity rating methodology at a given time. Above all, it puts a spotlight on its internal risk and opportunity control environment.
Although not comprehensive, the key questions we are discussing provide an understanding of what one could expect when monitoring and reviewing risks and opportunities.
Are risk and opportunity oversight committees formalised?
The complexity of an organisation usually determines how the various cross-functional structures constitute forums to review risks and opportunities, while taking into account its risk profile.
However, irrespective of the structures, formalised forums have a clear mandate, thus creating value. For example, an organisation with various business units across multiple geographical locations may choose to establish forums to monitor and review risks and opportunities at local or operational levels.
The local levels then report to regional structures, which then escalate key risks/opportunities reviewed to the head office.
The reviews could also be undertaken in other meetings. The challenge I often notice in this scenario, is when the meeting agenda does not make provision for feedback on monitoring and reviewing risks/opportunities depending on the subject matter.
Another challenge is where reviews are rushed, especially if the chairperson is not interested, or sees risk management as a constraint to achieving an opportunity in their jurisdiction.
Are there any changes in an organisation’s business environment?
From the onset, ISO 31000:2018 (Risk Management – Guidelines) states: “The context of the risk-management process should be established from the understanding of the external and internal environment in which the organisation operates and should reflect the specific environment of the activity to which the risk-management process is to be applied.”
This is a good foundation that enables an organisation to be familiar with the pertinent issues when establishing its risk-management framework. The fundamental concern is whether there are potential changes that could trigger risks, which would then impact on an organisation’s strategic direction coupled to its objectives.
When monitoring and reviewing risk/opportunities, we can also pay attention to management systems standards such as ISO 9001:2015 (Quality Management) and ISO 14001:2015 (Environmental Management) respectively in relation to clause 4.1 Understanding the organisation and its context.
I recently came across a thought-provoking read. A preliminary draft entitled: Enterprise Risk Management – Applying enterprise risk management to environmental, social and governance-related risks, was published in February 2018 by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) and the World Business Council for Sustainable Development (WBCSD). It provides practical examples of changes to the internal and external environment as illustrated in the table below.
Are the risk treatment plans effective?
ISO 31000:2018 notes: “Monitoring and review need to be an integral part of the risk treatment implementation to give assurance that the different forms of treatment become and remain effective.”
It further states: “Risk treatment can also introduce new risks that need to be managed.” Just as one would follow up with a doctor on the treatment administered, risk treatment plans should be monitored to assess how effective they are in mitigating the respective risks.
Recently, I was at a car-maintenance workshop, where the mechanic (owner) almost lost sight in his right eye due to a sharp object. This event got me thinking about the risk events that could have led to this accident. Despite the owner being knowledgeable about leading and lagging safety indicators in his workshop, no further actions had been implemented to prevent re-occurrence of an event. One should not be afraid to ask challenging questions on whether the right indicators have been established.
Is data provided to the relevant stakeholders reliable?
The development of an organisation’s risk-management framework should also take into account what data will be made available, and the various risk-information systems being utilised. We often hear of the quote “In God we trust. All others bring data.”
Inevitably, in order to make good risk/opportunity decisions as an outcome of monitoring and review activities, available data should not be misleading. Those familiar with the ISO 9001:2015 standard quality-management principle “evidence-based decision-making” have not taken data reliability for granted.
On the technology side, many organisations have central sources of data, such as risk-management information systems that facilitate the capturing, management and analysis of their enterprise-wide risks.
While this is a worthwhile investment, those responsible for monitoring and reviewing risks and opportunities should validate the integrity of the data to guarantee fair decision-making. This is even more critical when the integrity of data is undisputed when it comes to an organisation’s performance-management appraisal.
Organisations with robust risk-management processes have established frequencies and forums to monitor and review risks and opportunities they encounter or anticipate. The questions selected will further provide a good insight into challenges faced by risk managers to demonstrate to their counterparts the added value of monitoring and review activities in embedding the management of risks and opportunities.
Even when we identify risks and opportunities, they will not just vanish. They have to be monitored and reviewed, while taking into account the respective forums in place, changes in our organisation’s context, asking the right questions and providing stakeholders with reliable data.
Examples of changes to the internal and external environment
|Internal environment||External environment|
|• Changes in strategy or objectives • Rapid company growth • Organisational changes including change to leadership • Mergers and acquisitions • Innovation • Change in risk appetite||• New or pending regulations • Emerging technology • Changing stakeholder expectation • More frequent or extreme weather •Trends or strategies adopted by peer companies • Shifts in global megatrends|