Monitoring and review should be a planned part of the risk management process and involve regular checking or surveillance. The results should be recorded and reported externally and internally, as appropriate. The results should also be an input to the review and continuous improvement of the firm's risk management framework.
Responsibilities for monitoring and review should be clearly defined. The firm's monitoring and review processes should encompass all aspects of the risk management process for the purposes of:
- Ensuring that controls are effective and efficient in both design and operation
- Obtaining further information to improve risk assessment
- Analysing and learning lessons from risk events, including near-misses, changes, trends, successes and failures
- Detecting changes in the external and internal context, including changes to risk criteria and to the risks, which may require revision of risk treatments and priorities
- Identifying emerging risks.
As part of the monitoring process, the thresholds for the risk criteria should be reviewed at the commencement of each risk assessment cycle to identify the processes that may be subject to increased risks and, as such, would derive the greatest value from the risk assessment.
Monitor & Review
Regularly review risks identified in the firm’s risk register. Document any actions or events that change the status of a risk, for example:
- Changes to a risk evaluation as a result of improvements in controls
- A control breach or near miss, which should be logged at the time of the event
- A new risk that has been identified.
Partners should review the risk register on a regular basis, such as at a monthly partners' meeting, to determine if any remedial action needs to be taken immediately.
Continuous Improvement
The effectiveness of the risk management framework implemented needs to be periodically reviewed to ensure continuous improvement of risk management in the firm.
The purpose of the framework is to embed a risk aware culture within the firm. This can be evaluated in light of breaches and near misses, the effectiveness of communication, and assessing what lessons have been learned and remedial actions taken.
The framework is only effective if the context remains relevant to the firm, as this sets the scope for risk management. Ensure the practice objectives and the internal and external context for risk management are current and accurate.
The assessment criteria used in the risk framework also need to be reviewed to ensure they remain relevant to the size and complexity of the practice.
Example
The key output from the monitor and review stage of the risk management process is an ongoing record of each risk's status. An example of how this can be documented in a risk register is shown below:

| RISK IDENTIFICATION | RISK MONITORING & REVIEW | | |
|---|---|---|---|
| Event | Method | Progress and Compliance Reporting | Status |
| Failure to meet compliance obligations | Monthly review at Practitioner/Partner meeting | 1. Compliance review incomplete; 2. Research delayed on potential system/tool | OPEN |
| Loss of Practitioner | Quarterly review of succession plan | 1. Power of attorney in place; 2. Documentation of key processes in progress | OPEN |
| Failure to collect receivables in a timely manner | Report fortnightly on receivables | 1. Receivables tracking under review | OPEN |
Risk Management Framework