ISO 31000

Mandate and Commitment

Design of Framework

Implement risk management

Improve framework

Monitor and review framework

Adopt suitable risk assessment procedures and an agreed risk classification system

Risk management policy must always be up to date because this demonstrates that risk management is a dynamic activity fully supported by the board

Establish risk significance benchmarks and undertake risk assessments

Determine risk appetite and risk tolerance levels, and evaluate the existing controls

Risk register and Risk appetite

Risk assessment techniques and Benchmark tests of significance

Risk description and Risk classification systems

Identify intended benefits of the enterprise risk management initiative and gain Board mandate

Risk management policy should contain the following sections:

  • Risk management and internal control objectives (governance)
  • Statement of the attitude of the organization to risk (risk strategy)
  • Description of the risk aware culture or control environment
  • Level and nature of risk that is acceptable (risk appetite)
  • Risk management organization and arrangements (risk architecture)
  • Details of procedures for risk recognition and ranking (risk assessment)
  • List of documentation for analyzing and reporting risk (risk protocols)
  • Risk mitigation requirements and control mechanisms (risk response)
  • Allocation of risk management roles and responsibilities
  • Risk management training topics and priorities
  • Criteria for monitoring and benchmarking of risks
  • Allocation of appropriate resources to risk management
  • Risk activities and risk priorities for the coming year

Plan the scope of the ERM initiative and develop common language of risk

Establish the risk management strategy, framework, and the roles and responsibilities

Risk management policy and Risk architecture

Upside of risk and Stakeholder expectations

Benefits of ERM and Embedding risk management

Ensure cost-effectiveness of existing controls and introduce improvements

Embed risk aware culture and align risk management with other management tasks

Monitor and review risk performance indicators to measure ERM contribution

Report risk performance in line with legal and other obligations, and monitor improvement

Risk improvement plans

Control environment and Risk communications

Risk reporting and Legal requirements

Audit plan and risk reviews and Sources of risk assurance