The purpose of risk management is to identify potential events that may affect an entity, quantify their impact and likelihood of occurrence, and then manage the risk in accordance with the organisation’s risk appetite.
Risk appetite is the amount of risk an organisation is willing to assume in pursuit of its goals; each organisation should define this for itself.
The risk appetite should be aligned to the risk culture, particularly because the risk appetite of different functions and individuals will affect adherence to the official (accepted) ‘appetite stance’.
Organisations, even those with an extreme risk appetite, cannot deliberately choose to ignore the law. They may, however, allocate fewer resources to ensuring strict compliance.
There is no single risk model.
Questions to ask in your business
- Is the organisation’s risk appetite clearly defined, aligned to the risk culture and clearly communicated across the organisation?
- Is the process used for identifying risk supported by a system for managing compliance with the risk management plan?
- Is there a common language and set of metrics for assessing the likelihood and impact/severity to allow comparability across functions and levels?
- Do all staff have appropriate training to understand the risks involved in their role and to manage them in accordance with the risk plan?
- Does the risk policy contain procedures for disciplining breaches of policy?
- Does the risk policy state that the organisation will not tolerate deliberate or negligent breaches of laws and regulations?
- Does your risk management plan cover financial, capital, operational and strategic risks?
- Does your organisation understand that risk management is not about eliminating risk taking, but managing the risk taken in an informed environment?
- Is your risk management reporting system likely to give you early warning of a pending catastrophe?
If you would like to implement a risk framework, then ACY Advisory can help!