Identifying and mitigating risk is crucial to the effective management of any organisation.
However, while most organisations are aware of this, in our experience many fall short by never testing whether the control measures they rely on are adequate. Without this step, management will struggle to reassure the Board that this critical area is genuinely under control rather than merely documented.
How to ensure your Board sleeps well at night.
Most businesses will have high level policies and processes in place to manage risk. Some will have identified and documented the controls required to mitigate risk. Few, however, will be able to give their Boards the confidence that the effectiveness of those controls has been robustly assessed.
Good governance requires that the Board sets a strong risk and compliance framework. But while the Board is usually involved in setting the organisation’s risk appetite and the subsequent risk identification and rating processes, this is often where their involvement ends.
For organisations with a mature approach to risk management, this isn’t necessarily an issue. But for those with a less mature process, the reliance placed on controls and safeguards to mitigate risk may be unfounded – and fraught with danger: a residual risk rating is only as good as the control that justifies it.
Regular monitoring and review of controls and safeguards, therefore, is critical.
That’s why we strongly recommend that Boards initiate a control assessment and testing plan that confirms the identified safeguards and controls actually exist and assesses whether they operate effectively. Particular attention should be focused on those controls relied on to reduce a high-rated risk to a much lower residual level. If such a control is absent or ineffective, the organisation’s true exposure is the inherent risk, not the residual figure recorded in the risk register.
Five Steps to Residual Risk Assessment Comfort
- Check that appropriate safeguards and controls have been identified and documented for each risk
- Have key management and staff document their own assessment of the effectiveness of the identified controls
- Determine which safeguards are responsible for the highest reduction in risk (i.e. those that reduce a high inherent risk to a low residual risk) and prioritise them for testing
- Test safeguards and controls to confirm they exist and are effective, using evidence gathered independently of the management self-assessment (for example, observation, sampling of records, or re-performance) rather than self-attestation alone
- Establish a plan to address any deficiencies, and either improve those controls or reassess the risk and adopt an alternative mitigation strategy
Having an engaged Board and well-documented policies and procedures is the basis of a comprehensive risk management framework. However, unless the key mitigating controls and safeguards are tested and confirmed as reliable, the documented strategies may not do the job when it really matters.
So, how effective are your risk reduction strategies? For more information or assistance with undertaking a risk assessment, we recommend you seek professional advice.