Building Sustainable Enterprise Risk Management Framework – The role of The Personal and Executive Assistants.

Key Definitions:

Risks are defined as the events that can enhance or mar the achievement of goals and objectives.

Enterprise risks are events that can mar or enhance the achievement of business goals and objectives.

Risk Management is the process adopted by a business to control the negative risks and optimize the positive risks. Listed below are the key activities covered by the process:

  • conducting risk assessment (risk identification, rating, ranking and prioritization),
  • setting risk appetite and tolerance levels,
  • determining risk responses in accordance with the company’s risk appetite, needs and applicable laws and regulations,
  • designing controls to mitigate the risks,
  • performing continuous monitoring of the risk movement and control effectiveness,
  • analyzing the findings and root causes,
  • reporting the findings and providing opinions, value-adding advice and recommendations,
  • implementing the recommendations by taking appropriate actions in the best interest of the organisation,
  • conducting periodic internal and external quality reviews on the continued relevance of the enterprise risk management framework, updating the framework and implementing the changes,
  • continuous communication of the risk information, documents and changes,
  • facilitating awareness and competency enhancement training across all levels in the organisation.

The internal control system is one of the key responses that management adopts to deal with the identified risk exposures.

Enterprise risk management frameworks are the organizational structures, infrastructures and mechanisms used by organizations to effectively manage their business risk exposures. Listed below are the typical organizational structures, infrastructures and mechanisms that make up enterprise risk management frameworks:

  • Reporting lines – business units, job positions, roles and responsibility definitions/job descriptions,
  • Policies, processes and procedures,
  • Human capital resources,
  • Physical and non-physical infrastructures,
  • Financial resources,
  • Documents, data, information, reporting and documentation templates.

Responsibility for risk management:

Everyone is responsible for making risk management work in their organisation. However, the business management, led by the Managing Director/Chief Executive Officer, has direct responsibility for risk management, while the company board provides oversight, control and direction to the managing director and executive teams. The assurance functions, which include the internal audit, risk management, financial control, and Health, Safety, Environment and Quality Management functions, provide objective assurance over the risk management activities and report their findings, advice and recommendations to the executive management and board. The regulators set the operational guidelines/standards to ensure consistency of methodology and a common understanding and interpretation of the risk taxonomies.
