Our experience reviewing risk management across various-sized public and private sector organisations, projects and programmes shows there are common lessons to be learnt in achieving an effective risk management environment which helps organisations be more successful. These lessons are:
- A Risk Governance Framework with clear definition of roles, responsibilities and accountability at Board, Risk and Assurance Committee, Chief Executive and Leadership Team.
- Mandate and commitment from the top. Strong risk cultures exist in organisations where the Board, Chief Executive and Leadership Teams lead by example, whereas organisations that are more compliance focused tend to place too much effort in creating risk documentation rather than using risk management to inform decisions to achieve outcomes.
- Risk management must demonstrate value add to an organisation; to do this, key risk indicators must be explicitly mapped to company performance indicators.
- Risk management should be integrated within an organisation’s strategic, operational, project, programme and portfolio processes such that risk management informs planning, prioritisation, governance, management and decision-making.
- Risk management should be transparent and inclusive. Involving the right people at the right time ensures risk management remains proactive, relevant and informative.
- Risk management should be responsive to change. As an organisation’s priorities change or project and programme status changes, risk management should inform discussions, re-prioritisation and decision-making, based on the most up-to-date information available provided by all key stakeholder groups.
- Risk management should be tailored to each organisation’s capability, capacity and culture. Organisations need a risk management environment which supports their risk appetite and risk threshold levels. One size definitely does not fit all: various aspects of the business will have different levels of acceptable risk.
- A regular independent review of the risk management framework and environment allows organisations to identify areas of strength and improve areas of weakness.
IQANZ’s Risk Management Assurance service independently assesses the effectiveness of your risk management framework and environment. We consider the level of risk management understanding, maturity, capacity and capability, and how risk management is perceived across key external and internal stakeholders. From this we work collaboratively with you to develop a Risk Management Maturity Roadmap supported by a Risk Management Policy, Strategy, Improvement Plan, Communication Plan and Training Plan to achieve a fit-for-purpose risk management environment which manages your risk profile.
IQANZ’s Risk Management Assurance Framework is based on our professional risk management experience, in conjunction with the pragmatic application of New Zealand and international standards, specifically AS/NZS ISO 31000:2009 and AXELOS Management of Risk®.