
What is a risk management framework?


Reviewed by Malcolm Burrows

A risk management framework is a key component of an overall governance framework. As the name suggests, it focuses on the risks faced by the business. Typically, a governance framework will document the approach an organisation takes to managing risks and include details of:

  • Risk appetite – being a measure of the level of risk an organisation is willing to assume;
  • Risk tolerance – being a measure of the amount of risk an organisation is capable of absorbing; and
  • Risks – being details of the types of risk which the organisation faces and seeks to avoid, mitigate or accept.

In developing a risk management framework, an organisation should refer to AS ISO 31000:2018 Risk Management Guidelines, which sets out the process, principles and framework for risk management.

Risk management framework

The risk management guidelines describe risk management as a cyclical process. It begins with the design and implementation of the risk management framework, followed by evaluation of its effectiveness and the development of enterprise-wide improvements. Integrating the risk management framework into an organisation is an iterative process requiring an ongoing commitment from the organisation's leaders, that is, from the board of directors.

Risk management process

The process of developing or designing a risk management framework begins with understanding the scope and context for risk management within the organisation; it is this which gives overall direction. Where an organisation's main areas of risk relate to information security, the scope, context and criteria for the risk management framework will be very different from those of an organisation where the board of directors may be held personally liable for personal injuries which occur on, for example, a mine site.

In light of the scope, the organisation will need to carry out a risk assessment whereby it:

  • identifies risks;
  • analyses those risks;
  • evaluates each risk; and
  • based on its findings, determines which risks need to be actioned and develops risk treatments where appropriate.

Having undergone a risk assessment process, integrating the resulting treatments into an organisation requires effective change management. That said, the communication and consultation process encapsulated in effective change management is continuous and begins at the scoping stage of any risk management project.

Like all continuous improvement exercises, the iterative cycle of risk management requires both ongoing recording of and reporting on risk events, and monitoring and review of the risk management framework. These are activities which must occur enterprise-wide.

Risk management principles

In designing, developing and integrating a risk management framework, AS ISO 31000 guides risk managers to pay attention to eight (8) core principles which aim to create and protect the value of an organisation.

Those principles are:

  • Risk management should be integrated throughout the enterprise as a whole.
  • The risk management process should be structured and comprehensive, within the scope of the undertaking.
  • Any risk management framework will need to be customised to the needs and unique features of the organisation.
  • The process should include a broad range of stakeholders including employees, suppliers, shareholders and the broader community as applicable.
  • The process should be dynamic or agile and able to adapt to a changing environment or increasing levels of risk.
  • In undergoing risk assessment and partaking in continuous improvement, those involved should rely on the best available information.
  • Like any change management exercise the process must take into consideration the human and corporate culture factors within the environment in which the framework is integrated.
  • Risk management is an iterative process which undergoes continuous improvement.

Application

A knowledge and understanding of risk management is essential to anyone involved in governing organisations. The recognition of an organisation's risks has implications throughout the business and impacts:

  • how the entity contracts with its employees, suppliers and customers;
  • internal processes and interactions with external stakeholders;
  • compliance, privacy and information security; and
  • board processes.

Implementing enterprise risk management aims to create and protect the value of your business.

Links and further references

Standards

  • AS ISO 31000:2018

Further information about corporate governance

If you need assistance in understanding the process of risk management or need assistance implementing risk treatments, contact us for a confidential and obligation-free discussion.

