14.- RISK MONITORING AND CONTROL.
“Risk management plans should be reviewed from time to time to ensure the actions and responses you set are working”.
A risk management program is never finished. Once potential risk levels have been decreased, these gains must be sustained. Staff should be continually identifying, reporting and solving any risks on an ongoing basis. In order to ensure that nothing is missed, that changing circumstances are being taken into account, and that people know that the organization is committed to risk reduction, it's advisable to monitor and review the risk management plan regularly. Control activities should be put in place and evaluated to ensure that all the responses to risks are operating as intended.
It is highly recommended that your organization establish a process to monitor (continual assessment of what has been implemented) and review (a periodic assessment of the effectiveness of your actions and the environment you operate in) your risk management strategy. This is vital because risk is not static. New risks will emerge and existing risks will disappear. Risks that you have already acknowledged may become more or less frequent, severe or relevant to your organization. You have to stay on top of it. Review periodicity may vary according to the criticality and/or size of the different areas of risk.
Your risk management strategy should be a fluid document that is regularly updated to take account of changes in your organization. Changes to your risk profile will result from changes in your organization, and from changes in the outside world that you have no control over. There are a number of useful ways to ensure effective monitoring and reviewing of your risk management strategy:
- Set timelines. You need to set timelines and deadlines for ensuring risks are managed and treated. Make sure the most urgent risks are dealt with first. Write down when things need to be checked and tick them off your risk register when they've been completed. You will also need to make a note of when that area should be reviewed again. The regularity of your review will depend on the activity in question.
- Your records should also include regular reviews of the effectiveness of the risk management strategy itself. Ask questions such as:
  - How effective is our risk management strategy?
  - Are measures and actions working the way they are supposed to?
  - How accurate is the risk assessment process? Are all risks being identified?
  - Are risk procedures being followed?
  - Are risk records accurate, consistent and up to date?
- Each process owner is responsible for the constant monitoring of the output and input metrics of their process to ensure the process does not return to its former state before implementing the risk responses. Control activities contain all the measures and actions required to ensure the risk responses are performed with minimal variation and high effectiveness. Performance targets are documented and continuously updated. Performance metrics are collected and compared to those performance targets to monitor process performance. At this stage, statistical tools help evaluate the control activities. Quantifying the relationship of different data sets enhances the process owner’s ability to predict uncertainty. Control charts provide real-time monitoring of common cause variation and timely evidence of special cause variation requiring immediate management intervention. Finally, hypothesis testing supports the investigation of unexpected results or unusual circumstances.
- Controls should be set for each identified risk. Some of the controls you can create are:
  - Identify risk triggers. In order to set controls in your risk management action plan, you will need to take risk triggers into account: What will happen just before the risk occurs? What can we measure to discover that the risk is about to occur? How will we know right away when it occurs? Document these answers in the risk response plan. This is your early warning system.
  - Re-analyze risks at set periods. Risk reassessments should be regularly scheduled to reassess current risks and to close risks. Monitoring and controlling risks may also result in identification of new risks.
  - Risk audits for examining and documenting the effectiveness of risk responses in dealing with identified risks and their root causes, as well as the effectiveness of the risk management process. The risk audits should be performed at an appropriate frequency and defined in the risk management planning. The format for the audit and its objectives should be clearly defined before the audit is conducted.
  - Regular scheduled risk meetings. Risk management should be an agenda item at periodic meetings. Frequent discussion about risk makes it more likely that people will identify risks and opportunities or offer advice regarding responses.
  - Variance and trend analysis using performance information for comparing planned results to the actual results, in order to control and monitor risk events and to identify trends. Outcomes from this analysis may forecast potential deviation (at completion) from targets and goals.