5. Monitor & Review

Risk Management Framework

Monitoring and review should be a planned part of the risk management process and involve regular checking or surveillance. The results should be recorded and reported externally and internally, as appropriate. The results should also be an input to the review and continuous improvement of the firm's risk management framework.

Responsibilities for monitoring and review should be clearly defined. The firm's monitoring and review processes should encompass all aspects of the risk management process for the purposes of:

  • Ensuring that controls are effective and efficient in both design and operation
  • Obtaining further information to improve risk assessment
  • Analysing and learning lessons from risk events, including near-misses, changes, trends, successes and failures
  • Detecting changes in the external and internal context, including changes to risk criteria and to the risks, which may require revision of risk treatments and priorities
  • Identifying emerging risks.

As part of the monitoring process, the thresholds for the risk criteria should be reviewed at the commencement of each risk assessment cycle to identify the processes that may be subject to increased risks and, as such, would derive the greatest value from the risk assessment.

Monitor & Review

Regularly review risks identified in the firm’s risk register. Document any actions or events that change the status of a risk, for example:

  • Changes to a risk evaluation as a result of improvements in controls
  • A control breach or near miss, which should be logged at the time of the event
  • A new risk that has been identified.

Partners should review the risk register on a regular basis, such as at a monthly partners’ meeting, to determine if any remedial action needs to be taken immediately.

Continuous Improvement

The effectiveness of the risk management framework implemented needs to be periodically reviewed to ensure continuous improvement of risk management in the firm.

The purpose of the framework is to embed a risk-aware culture within the firm. This can be evaluated in light of breaches and near misses, the effectiveness of communication, and an assessment of what lessons have been learned and what remedial actions have been taken.

The framework is only effective if the context remains relevant to the firm, as this sets the scope for risk management. Ensure the practice objectives and the internal and external context for risk management are current and accurate.

The assessment criteria used in the risk framework also need to be reviewed to ensure they remain relevant to the size and complexity of the practice.

The key output from the monitor and review stage of the risk management process is ongoing. An example of how this can be documented in a risk register is shown below:

Event | Method | Progress and Compliance Reporting | Status
--- | --- | --- | ---
Failure to meet compliance obligations | Monthly review at Practitioner/Partner meeting | 1. Compliance review incomplete; 2. Research delayed on potential system/tool | 
Loss of Practitioner | Quarterly review of succession plan | 1. Power of attorney in place; 2. Documentation of key processes in progress | 
Failure to collect receivables in a timely manner | Report fortnightly on receivables | 1. Receivables tracking under review | OPEN

Risk has a dynamic context resulting from the constantly changing external and internal environments. Organisations must monitor not only risks but also the effectiveness and adequacy of existing controls, risk treatment plans and the process for managing their implementation.

AS/NZS ISO 31000:2009