I find this a very handy tool and while it is not exhaustive, no check list should be – I suggest it is a very good starting point to start.
NOTE: This checklist can be used from different perspectives such as:
- before, or during staged reviews
- when preparing for, or carrying out internal and external risk audits
- when considering a new initiative, such as a major project, entering a new acquisition lifecycle
- when progress reporting to corporate Finance or Treasury
- when preparing to raise commitment to improving the existing process.
Elements needed for the effective risk management risk and the indicators of a successful process include:
- policies for the management of risk and the benefits of effective risk management are clearly communicated to staff
- senior management support, promote, own and lead on risk management
- there is an organisational culture that supports well thought-through risk taking and innovation
- management of risk is fully embedded in the management process of the organisation, including the associated controls and distribution of management information
- the identification and assessment of risk is aimed at actively managing the key risks to the achievement of objectives
- the risks posed by working with other organisations are assessed.
Review of overall effectiveness
- Is management of risk implemented across the organisation to all line management and business management, as well as project and programme management?
- Is there a formal documented policy for the management of risk? Does the policy address the following:
- the corporate view of risk management?
- processes and procedures?
- the desired benefits to be achieved?
- roles and responsibilities?
- facilities/tools required?
- documentation standards?
- Is the management of risk policy regularly reviewed?
- Are business continuity and contingency plans in place in the event that risks result in adverse consequences?
- Are these plans tested (regularly reviewed and re-tested)?
- Are those responsible aware of their roles with regard to each plan?
- Is there a clearly identified authority to make the decision to implement the plan?
- Are copies of the plan held off-site? (and still accessible in an emergency?)
- Is there increasing visibility of risk and appropriate communication to staff so they understand their responsibility for being alert to risks?
- Are staff being trained or receiving guidance in risk management?
- Are risks being raised to the appropriate level?
- Are major risks assigned owners?
- Are you applying existing approaches/practices to address risk problems?
- Are you following the standard processes and procedure for addressing problems in managing risk?
- Is there clear identification of types/categories of risk?
- Are risk evaluation criteria clearly identified and articulated?
- Are risk responsibilities assigned for reporting and managing identified risks?
- Is the effectiveness of risk treatments monitored and reviewed?
- Is there appropriate communication and consultation with others within your organisation and with stakeholders?
- Is the risk documentation appropriate?
- Is the documentation consistent throughout?
- Where appropriate, are you following the risk profile model in accordance with Cabinet Office guidelines?
- Is risk management ongoing and integrated with other procedures?
Risk Management so vital in any endeavour and yet so many organisations pay lip service to it! Using this simple tool will provoke thought and provide material to discuss – after all discussion and communication that leads so identification of potential problems has to be a good thing – right?
Any support on this subject is available, just ask.
Thanks for reading.