Risk management is dynamic, iterative and responsive to change. As risks and priorities change, risk treatments should be monitored as a part of the risk management process.

The organization’s monitoring processes should encompass all the features of risk management in order to:

· Ensure that controls are effective and efficient;

· Detect any changes in existing risks which require revision to risk treatments and priorities;

· Identify emerging risks.

Monitoring and review are two different and complementary activities, since monitoring involves the routine surveillance of actual performance against expected (or required) performance, while review involves periodic (yearly at least) checking of the current situation for changes in the internal/external context.

The overall responsibility for monitoring and review activities rests with the board and top management: the way top management reacts to the results of the monitoring program will affect the actions of employees.

Monitoring should be an integral part of management, and risks and controls should be allocated to owners, who are therefore responsible for monitoring them. A typical approach for monitoring includes:

· Environment scanning by risk owners, to monitor changes in risks or in context;

· Risk treatment plan monitoring by risk owners;

· Control monitoring by control owners and risk officers, through performance indicators and key risk indicators, according to the quantitative thresholds described in the risk appetite statement (see below).

Monitoring and review activities can also be considered in terms of a hierarchy. Responsibilities can vary according to the kind of risks monitored (corporate, operational, project): operational risks are monitored at business unit level, project risks are monitored within the project management system, and corporate risks are monitored by senior managers (i.e., directors-general or heads of department).
