Embedding risk management

Another challenge for audit committees is knowing when risk management has actually been embedded in an organisation. One committee described the following starting position:

  • an "ad hoc" approach to risk management;
  • little or no focus at the executive or audit committee level;
  • a largely reactive focus on risk management;
  • frustration at board level that issues were dealt with and reported only after the fact;
  • an appetite to more proactively identify and manage risk but little expertise or use of frameworks; and
  • a health and safety issue that highlighted the lack of a risk framework.

The committee used the following steps to improve the visibility of, and knowledge about, risk management in the organisation:

  • the board facilitating a discussion about identifying strategic risk with the chief executive and key executive members;
  • establishing a risk management framework that identified key strategic/operational and people risks;
  • including risk monitoring as a standing agenda item at each audit committee meeting;
  • the audit committee obtaining assurance that the executive team ran a process to identify and update risks; and
  • reviewing and considering major issues within the context of the risk framework.

The result:

  • a risk framework was in place and the top three risks in each category were discussed at audit committee meetings;
  • the audit committee was confident that the executive team had a robust process to monitor risks;
  • the organisation took a more proactive approach to linking issues to the risks in the framework and to managing and mitigating those risks; and
  • the board discussed risk management regularly.

Having said that, the committee acknowledged that there were still some challenges in ensuring that risk management was a key focus of the executive team. For example, risk management had yet to be included in the chief executive's job description.