A risk management framework (system)[1] provides the infrastructure for delivering, maintaining and governing risk management throughout the organization. As part of this framework, an organization should set up:

a. A risk management mandate, that is, the board's statement setting the direction and priorities for risk management, through which "who does what" is established and the proper authorization and necessary resources are given. This is the main expression of the governance of risk, through which the organization's board engages stakeholders in assigning the different responsibilities for managing risks.

b. A risk strategy, which sets out how risk management supports the organization's overall strategy and related objectives. It takes into account the external and internal context, focusing in particular on the demands of key stakeholders.

c. A risk policy, which provides a clear and concise outline of the organization's requirements for risk management within its overall approach to governance. It includes the risk appetite statement, the staff training programme that supports the risk management process, and a definition of the risk assessment criteria.

d. An integrated risk approach, which supports quality management in improving the integrity and quality of statistical data through the identification, analysis and treatment of risks inherent in statistical and overarching processes.


[1] The AS/NZS 4360:2004 standard defines a risk management framework as a "set of elements of an organization's management system concerned with managing risk". In this draft the terms "RM framework" and "RM system" are used as synonyms.
