RISK MANAGEMENT ASSURANCE
POINTS TO LOOK OUT FOR.
This document has been designed as a guidance note for auditors but can also be used by managers for self-assessment purposes. Risk management encompasses all the processes involved in identifying and assessing risk, judging its significance, assigning "ownership", taking action to reduce risk exposure, and monitoring and reviewing progress. The document's purpose is to highlight the main elements to be considered in auditing whether such procedures are in place and action is occurring.
N.B. Risk is usually viewed as something to be avoided. However, it is also important to acknowledge the reverse side of risk: the risk of missed opportunities and missed improvements caused by being risk averse. Both types of risk should be considered when trying to identify risks.
- Are there high level leadership and direction responsibilities laid down in relation to risk management requirements?
- Are there clear, laid down procedures and responsibilities for the various stages of risk management (as listed in the introduction)?
- Is there a mechanism for staff undertaking risk management to obtain guidance on the "risk appetite" of the organisation?
- Is there a requirement to link material risks to the main objectives of the organisation? Where no link can be found, is high-level consideration given as to why such a risk should be incurred?
- Is there a policy of clear reporting of material risks so that decision makers can understand their potential likelihood and impact and therefore assess them against opportunity for improvement?
- Is there a mechanism for staff to obtain guidance on whether to communicate potential risks, and (proposed) actions to reduce them, to interested parties or the public generally?
- Do responsibilities for risk management correspond to an individual’s general managerial responsibilities?
- Do the procedures require that the risk management of perceived major risks is considered at executive board level?
- Has guidance been given to staff on the level of "horizon viewing" that should be undertaken to anticipate unusual risks and are any constraints put on this activity?
- Do the procedures include both top down (e.g. key risk themes for attention) and bottom up (e.g. control risk self assessment) guidance?
- Has guidance been given as to the level of potential risk considered material to the risk management assurance exercise so that a decision can be made to either cover in detail or ignore (having documented its identification and initial assessment)?
- Do the procedures include a recognised mechanism such as "likelihood and impact" charts by which risk can be consistently assessed?
- Do the procedures require the identification of citizen/service user risks (linked to the organisation’s responsibilities) as well as organisational/management risks?
- Under the citizen/service user risks, are the headings of health and safety; economic; and "general" well-being adequately covered?
- Under the organisational/management risks, are the headings strategic/corporate (including reputation); operational (including legality and new developments); and resources (including staff, property, ICT and finance) adequately covered?
- Is there guidance about who is responsible for identifying and assessing risks that cross over more than one area of responsibility?
- Is there guidance about whether to include instances where it is considered that some risk may have been transferred to a partnership or contractor?
- Is there laid down responsibility for co-ordination either by the executive board, central staff management team or named individual(s)?
- Do their duties include challenging results and seeking (signed) assurance on compliance to laid down procedures?
- Is there (documented) evidence that these duties have been undertaken?
- Have the individuals designated with responsibility for risk management been given training and/or guidance in undertaking their task?
- Is there an opportunity for these individuals to share good practice and/or benefit from peer reviews?
- Do procedures include a requirement to state how material risks have been considered in relation to transfer; tolerate; treat; terminate (the 4 T’s)?
- Do procedures ask for proposals on how to reduce high risk exposure, the perceived effect of this on likelihood and impact and the operational and financial implications of this?
- Do the procedures require clarification as to what ensures risk management is considered and updated e.g. required for various stages in a project or "embedded" as part of a control assurance statement?
- Do the procedures require a (signed) statement as to what testing of risk exposure reduction methods, such as controls, insurance cover or contingency plans, have been carried out to ensure they are operating as intended?
- Do the procedures require a documented audit trail to provide retained evidence of the outcome of such tests and/or outcome reviews?
- Do the executive board or staff management teams have a mechanism for learning of important risks that have materialised elsewhere and assessing their relevance to the organisation?
- Does the executive board have a mechanism for periodically receiving reports on risk outcomes in relation to its designated risks and for reviewing changes to its list of major risks?
- Are the risk management procedures reviewed periodically to take account of events and lessons learnt?
- Are changes communicated down to those with responsibility to implement them?
- Do the procedures require the maintenance and retention of clear summary documentation of the risk management stages? In particular, are proposed actions included, with a stated timetable and acknowledgement of implementation by a stated date?
- When risks materialise and have a significant impact, is evidence taken in relation to the risk management documentation and subsequent action by staff before apportioning any form of blame?
Page Last Updated: 8 April 2003