In his article John Thackeray describes how a well-structured ERM system allows an organization to navigate, with some certainty, the risks posed to its business objectives and strategy. Without useful documentation and steps to broadly communicate the elements, the best planned ERM system will fail. In this article John describes what it takes to document your ERM system.
Efficacy of Risk Documents
Good written risk documentation is both an art and a science, in a perfect world blending the writer and subject matter expert as one. Unfortunately, we do not live in a perfect world and this blend is difficult to find. Too many risk documents have either been badly written by the subject matter expert or have been deemed content light and aspirational by the writer.
To achieve clarity, the risk documentation should be written by someone independent who can challenge known assumptions with a questioning mind. The risk writer will need input from the business, seek collaboration and guide the organization towards ownership of the final document. As a result, the document will be an objective piece of writing, speaking the language of the organization while being understood by the outside world.
Good documentation is a prerequisite in the successful implementation of risk management, acting as a delivery and message mechanism. Documentation must
- deliver a consistent message,
- speak a common language,
- have clear objectives allied to the maintenance of the organization’s objectives,
- be reviewevaluate
affects and defines the engagement with internal and external stakeholders, articulating and defining the organization’s culture, attitude, and commitment towards risk.
SIGNALS OF EFFECTIVENESS
The board has overall responsibility for ensuring that risks are managed delegate the operation of the risk management framework to the management team. One of the key requirements of the board is to gain assurance that risk management processes are working effectively and that key risks are being managed to an acceptable level. he board a comfort and assurance level that risk documentation is being used and is directing the organization achieving its objectives.
Here are three signals of effectiveness.
1. Cultural attitude towards risk: This establishes and confirms clear roles and responsibilities that reinforce ownership, accountability and responsibility. Documentation underpins standard practices and policies, so a commitment to the guidelines speaks to the adequacy of a firm’s internal control environment.bindsto of scorporate
attitude. For instance,with 360 degree feedback or . Bothtransparency
Moreover, this will be evidenced through training. A commitment to training will speak volumes about the tone set from the top of the organization. Indeed, reinforcement through regular training will drive the corporate message home, ensuring a commonality of standards and purpose.
2. The right metrics. Metrics gauge the operational efficiency of documentation, and selecting the right ones will ensure that employees are compliant in terms of key performance and key risk indicators. Too few or too many of these metrics can paint a distorted picture; the chosen metrics must therefore be material and relevant to the documentation. Regular reviews of these metrics will indicate whether the documentation is fit for purpose.
3. Continuous assessment and review of policies and procedures. Reviews should consist of assessments based on representative samples and must include testing and validation by all engaged stakeholders. Documentation needs to be recalibrated if your organization has too many – or too few – “escalation incidents.” These exceptions and escalations would be actively tracked to gain an understanding of the validity of the documents. With limited resources, only core and material documents would have to be reviewed and tested, especially in the light of changing working conditions and impactful legislation. A structure which enforces this oversight is a sign that risk mitigation is part of the organization’s DNA.
These three signals are interlinked, each providing a layer of evidence that risk is being taken seriously by the organization.
Risk Documentation is where the written word the spoken word: ionsaligned – makes for a better world.