What is a risk management framework?

A risk management framework is a key component of an overall governance framework. As the name suggests, it focuses on the risks faced by the business. Typically, a governance framework will document the approach an organisation takes to managing risks and include details of:

  • Risk appetite – being a measure of the level of risk an organisation is willing to assume;
  • Risk tolerance – being a measure of the amount of risk an organisation is capable of absorbing; and
  • Risks – being details of the types of risk which the organisation faces and seeks to avoid, mitigate or accept.

In developing a risk management framework an organisation should refer to AS ISO 31000:2018 Risk Management Guidelines which sets out the process principles and framework for risk management.

Risk management framework

The risk management guidelines describe risk management as a cyclical process that begins with the design and implementation of the risk management framework, followed by evaluating its effectiveness and developing enterprise-wide improvements. Integrating the risk management framework into an organisation is an iterative process requiring an ongoing commitment from the organisation's leaders, that is, from the board of directors.

Risk management process

The process of developing or designing a risk management framework begins with understanding the scope and context for risk management within the organisation. It is this which gives overall direction. Where an organisation's main areas of risk relate to information security, the scope, context and criteria for the risk management framework will be very different from those of an organisation where the board of directors may be held personally liable for personal injuries which occur, on a mine site for example.

In light of the scope the organisation will need to carry out a risk assessment whereby it:

  • identifies risks;
  • analyses those risks;
  • evaluates each risk; and
  • based on its findings, determines which risks need to be actioned and develops risk treatments where appropriate.

Having undergone a risk assessment process, integrating these treatments into an organisation requires effective change management.  That said, the communication and consultation process encapsulated in effective change management is a continuous process which begins at the scoping stage of any risk management project.

Like all continuous improvement exercises, the iterative cycle of risk management requires both ongoing recording and reporting of risk events, and monitoring and review of the risk management framework. These are activities which must occur enterprise-wide.

Risk management principles

In designing, developing and integrating a risk management framework, AS ISO 31000 guides risk managers to pay attention to eight (8) core principles which aim to create and protect the value of an organisation.

Those principles are:

  • Risk management should be integrated throughout the enterprise as a whole.
  • The risk management process should be structured and comprehensive, within the scope of the undertaking.
  • Any risk management framework will need to be customised to the needs and unique features of the organisation.
  • The process should include a broad range of stakeholders including employees, suppliers, shareholders and the broader community as applicable.
  • The process should be dynamic or agile and able to adapt to a changing environment or increasing levels of risk.
  • In undergoing risk assessment and partaking in continuous improvement, those involved should rely on the best available information.
  • Like any change management exercise the process must take into consideration the human and corporate culture factors within the environment in which the framework is integrated.
  • Risk management is an iterative process which undergoes continuous improvement.


A knowledge and understanding of risk management is essential to anyone involved in governing organisations. The recognition of an organisation's risks has implications throughout the business and impacts:

  • how the entity contracts with its employees, suppliers and customers;
  • internal processes and interactions with external stakeholders;
  • compliance, privacy and information security; and
  • board processes.

Implementing enterprise risk management aims to create and protect the value of your business.

Further references

  • AS ISO 31000:2018

Further information

If you need assistance in understanding the process of risk management or need assistance implementing risk treatments, please telephone me for an obligation free and confidential discussion.

Malcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.
Legal Practice Director
Telephone: (07) 3221 0013 | Mobile: 0419 726 535
e: mburrows@dundaslawyers.com.au



This article contains general commentary only.  You should not rely on the commentary as legal advice.  Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.
