The infrastructure, process, and analytics needed to support effective risk management in an organisation.
At the very top is risk governance where the board committee defines the goals of the organisation and, in turn, decides on its risk tolerance level. The board may additionally provide guidance on risk budgeting, that is how much or where broad categories of risk should be taken. The board is also involved in setting high-level policies that will affect most risk management processes.
The role of management is to plan and execute value-maximising strategies to achieve the goals set out by the board. The management is required to allocate capital to risky activities to execute its strategies, and the overall risk taken should be consistent with the defined risk tolerance. The planned risk exposures that result from management’s choice of activities should also be aligned with the risk budget. In addition, management participates actively in implementing risk management policies, and establishing procedures that relate to how each of the elements of the risk framework are performed.
The management also establishes a risk management infrastructure where employees and systems are required to identify risks, and to measure and quantify them.
At the monitoring stage, management must check that all the risks are in line with the planned limits of risk exposure, and whether they are in line with the policies and processes. If there is any risk that is not in line, risk mitigation and management actions need to be taken to modify risk levels and to bring them back into compliance.
Another important aspect of a risk management framework is communicating risk levels across the organisation. This communication, at a minimum, should include reporting key risk metrics on a regular and timely basis to assist management in its decision-making process, and the board in fulfilling its governance duties.
Finally, strategic analysis is supported by the risk measurement, reporting, and other steps of the risk management process. The results of the analysis can help the management improve its decision-making process, and the allocation of capital and risk budget most fruitfully.
Taken together, the reporting and strategic analysis are important feedback loops on the risk exposure and effectiveness of the strategies.