IRM ERM M1U4.3 Monitoring & Reviewing Risks Flashcards
ISO Monitoring and reviewing risks
ISO 31000 (2018) combines monitoring and reviewing of risks, stating that “the purpose of monitoring and review is to assure and improve the quality and effectiveness of process design, implementation and outcomes”. ISO 31000 also notes that monitoring is ongoing whereas review is ‘periodic’.
Monitoring and review are used interchangeably by many authors and organisations. We are going to split these two terms and consider them separately, where:
Monitoring is the ongoing checking of the status of risks, controls, causes and consequences, and of any changes in these, as well as changes in the context and objectives.
Reviewing is checking the effectiveness of the controls in place to manage risks, and of the risk management process itself, with the review perhaps carried out on a less regular basis.
Three methods to monitor risks
Three of the core methods to monitor risks are the use of key risk indicators, key control indicators and the risk status.
Key risk & control indicators
Whereas key risk indicators provide information on changes in risks, key control indicators measure the effectiveness of controls and, therefore, changes in controls.
Key control indicators examples
Key control indicators could include the monitoring of the:
Number of unauthorised trades.
Percentage of employees receiving supervision.
Regularity of disaster recovery plan testing.
Key control indicators can be used in addition to the assurance regimes of compliance and internal audit, to provide a more timely warning that risks may be changing because the controls are becoming more, or more usually less, effective.
COSO The benefits of an ERM approach
The perceived added value from an ERM approach is secure, compliant, legal and competitive operations that bring success to the organization.
The cost of implementing an ERM approach should be less than the benefits obtained.
COSO lists benefits including:
Increasing the range of opportunities: By considering all possibilities (both positive and negative aspects of risk), management can identify new opportunities and the challenges associated with current opportunities.
Identifying and managing risk throughout the organization: Every organization faces risks, and a risk can originate in one part of the organization but impact a different part. Management identifies and manages these organization-wide risks to sustain and improve performance.
Increasing positive outcomes and advantage while reducing negative surprises: ERM allows organizations to improve their ability to identify risks and establish appropriate responses, reducing surprises and related costs or losses, while profiting from beneficial developments.
Reducing performance variability: Performing beyond expectations may cause as much concern as falling short of them, and ERM allows organizations to anticipate the risks that would affect performance.
Leading and lagging indicators
KPIs, KRIs and KCIs are all measures of performance, used for slightly different purposes. When using indicators, some look to past performance, whereas others are indicators of potential future performance.
Leading indicators look to the future and provide early warnings of changes. Examples of leading indicators include measures of customer engagement or brand and reputation.
Lagging indicators look to the past and measure outcomes and results, such as financial results including profit and loss, or the number of similar audit findings or the number of findings in a particular area of an organisation.
As such, KRIs tend to be leading measures and KCIs lagging measures; however, both are useful in highlighting changes in risks.
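As an added example (not part of the IRM course text), the three KCIs listed under "Key control indicators examples" computed in Python over constructed monthly control evidence, together with the early-warning test that the KCI section describes: a control is flagged when its latest reading has worsened against a baseline of earlier months, ahead of what a periodic audit or compliance review would report. The evidence figures, the 180-day DR testing requirement, the reporting date and the 25% degradation tolerance are all assumptions.

```python
# Added example: three KCIs from the page computed over constructed monthly
# control evidence, plus the early-warning check described for KCIs.
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class MonthlyEvidence:
    """One month of evidence on how the controls operated (constructed figures)."""
    month: str
    unauthorised_trades: int   # trades that bypassed the authorisation control, found after the fact
    employees: int
    employees_supervised: int  # employees with a documented supervision session that month


# Constructed six months: supervision coverage slips and unauthorised trades
# rise in the last two months, i.e. the controls are becoming less effective.
EVIDENCE: List[MonthlyEvidence] = [
    MonthlyEvidence("2024-01", 1, 200, 192),
    MonthlyEvidence("2024-02", 0, 200, 190),
    MonthlyEvidence("2024-03", 1, 205, 195),
    MonthlyEvidence("2024-04", 1, 205, 180),
    MonthlyEvidence("2024-05", 3, 210, 168),
    MonthlyEvidence("2024-06", 4, 210, 140),
]

# Constructed DR test log; the policy is assumed to require a test every 180 days.
DR_TESTS: List[date] = [date(2023, 6, 10), date(2023, 12, 5)]
DR_REQUIRED_INTERVAL_DAYS = 180
AS_OF = date(2024, 6, 30)  # assumed reporting date


def kci_unauthorised_trades(evidence: Sequence[MonthlyEvidence]) -> List[int]:
    """Count per month; higher is worse."""
    return [e.unauthorised_trades for e in evidence]


def kci_supervision_pct(evidence: Sequence[MonthlyEvidence]) -> List[float]:
    """Percentage of employees supervised per month; lower is worse."""
    return [round(100.0 * e.employees_supervised / e.employees, 1) for e in evidence]


def kci_dr_test_overdue_days(tests: Sequence[date], required_interval_days: int, as_of: date) -> int:
    """Days by which the next DR test is overdue (0 when the schedule is being kept)."""
    last_test = max(tests)
    return max(0, (as_of - last_test).days - required_interval_days)


def degradation_warning(series: Sequence[float], higher_is_worse: bool,
                        baseline_months: int = 3, tolerance: float = 0.25) -> bool:
    """Early warning: the latest reading is worse than the mean of the first
    `baseline_months` readings by more than `tolerance` (a relative change)."""
    if len(series) <= baseline_months:
        return False
    baseline = mean(series[:baseline_months])
    latest = series[-1]
    if baseline == 0:
        return higher_is_worse and latest > 0
    change = (latest - baseline) / baseline
    return change > tolerance if higher_is_worse else change < -tolerance


def assess_controls(evidence: Sequence[MonthlyEvidence], tests: Sequence[date],
                    as_of: date) -> Dict[str, Dict[str, object]]:
    """Latest value and warning flag for each KCI."""
    trades = kci_unauthorised_trades(evidence)
    supervision = kci_supervision_pct(evidence)
    overdue = kci_dr_test_overdue_days(tests, DR_REQUIRED_INTERVAL_DAYS, as_of)
    return {
        "unauthorised_trades": {"latest": trades[-1],
                                "warning": degradation_warning(trades, higher_is_worse=True)},
        "supervision_pct": {"latest": supervision[-1],
                            "warning": degradation_warning(supervision, higher_is_worse=False)},
        "dr_test_overdue_days": {"latest": overdue, "warning": overdue > 0},
    }


if __name__ == "__main__":
    for name, result in assess_controls(EVIDENCE, DR_TESTS, AS_OF).items():
        print(f"{name:22} latest={result['latest']:<6} warning={result['warning']}")
```

The two count-based indicators are lagging in the sense of the section above: they measure outcomes that have already happened, and the trend check is what turns them into a warning. The DR testing indicator instead measures whether the control is being operated at all, which is why it needs no trend: a single overdue test is already a warning.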
Big data and KRI Development
According to Oracle, big data is defined as data that contains greater variety, arriving in increasing volume and with more velocity, also known as the three Vs. This amount of information is often so large that traditional data processing is unable to cope with it, but it is very valuable for those organisations that can, and want to, use it to help understand risks.
The key actions to utilise big data are to integrate information systems within an organisation, to provide the technology to manage and store the information, and to analyse it.
Using these machine-based sources of information could enable the identification and management of threats and opportunities and easily support the development of KRIs.
Different datasets when monitoring risks
When monitoring risks, ideally you want to be making use of all the different datasets available to you to recognise changes in the status of risks, controls, context, objectives and so on. These datasets can be considered in four quadrants, using the axes of internal versus external data and human versus machine-sourced information.
Most organisations only use a small amount of data, from the top left quadrant – human and internal sources of information. Some organisations go further to collect data from external sources, in the top right quadrant. As the maturity of technology and use of data mining increases, coupled with changes in requirements for information, more organisations are looking for data from different, new, more complex and much larger sources, for example the internet of things or Big Data.
Risk status
We have considered monitoring changes in risks, controls, context, objectives and so on, and there is a further tool to help maintain focus on those risks that require active management.
This technique considers the lifecycle or status of the risk. Dr David Hillson (2020) developed the risk status approach to illustrate the various stages in the risk lifecycle. Using the key status levels, with a slight adaptation, focus can be given appropriately to risks throughout their lifecycle:
Draft – the risk has only just been raised and needs to be assessed to ensure it is a real risk and that it belongs in the scope of the activity being addressed
Active – we are actively dealing with a real risk, and further actions are required to manage it to an acceptable level. Active risks and their controls should be monitored regularly to ensure the controls are effective and the risk is moving from its current level towards its target level
Ongoing – we have managed the risk to an acceptable level, but it has not been closed and may change. Ongoing risks are reviewed less frequently, and KRIs and KCIs should be developed to help recognise underlying changes to the risk.
Closed / managed – the risk can be closed due to successful management and lessons can be learnt to ensure risks of this type are managed in a similar manner in the future
Closed / occurred – the risk can be closed because it has occurred, and lessons can be learnt to ensure risks of this type can be better managed in the future
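The five statuses above as a small Python state machine, added here as an example rather than taken from Hillson or the IRM text. The permitted transitions, the review intervals per status (14, 30 and 90 days), the 1 to 25 risk level scale and the two sample risks are assumptions chosen to illustrate the lifecycle: an Active risk that reaches its target level becomes Ongoing, an Ongoing risk whose indicator breaches its threshold is re-activated, and closed risks are never due for review.

```python
# Added example: risk status lifecycle as a state machine. Transitions, review
# intervals, level scale and sample risks are assumptions, not from the page.
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Status(Enum):
    DRAFT = "draft"
    ACTIVE = "active"
    ONGOING = "ongoing"
    CLOSED_MANAGED = "closed/managed"
    CLOSED_OCCURRED = "closed/occurred"


# Assumed permitted transitions. A Draft that fails assessment (not a real or
# in-scope risk) is simply removed from the register, so it has no target state here.
ALLOWED: Dict[Status, Set[Status]] = {
    Status.DRAFT: {Status.ACTIVE},
    Status.ACTIVE: {Status.ONGOING, Status.CLOSED_MANAGED, Status.CLOSED_OCCURRED},
    Status.ONGOING: {Status.ACTIVE, Status.CLOSED_MANAGED, Status.CLOSED_OCCURRED},
    Status.CLOSED_MANAGED: set(),
    Status.CLOSED_OCCURRED: set(),
}

# Assumed review cadence: Active risks often, Ongoing risks less often, closed risks never.
REVIEW_INTERVAL_DAYS: Dict[Status, Optional[int]] = {
    Status.DRAFT: 14,
    Status.ACTIVE: 30,
    Status.ONGOING: 90,
    Status.CLOSED_MANAGED: None,
    Status.CLOSED_OCCURRED: None,
}

CHECK_DATE = date(2024, 7, 10)  # assumed "today" for the register check below


@dataclass
class Risk:
    rid: str
    title: str
    status: Status = Status.DRAFT
    current_level: int = 0                 # assessed level on an assumed 1..25 likelihood x impact scale
    target_level: int = 0                  # level at which the risk is considered acceptable
    kri_threshold: Optional[float] = None  # indicator reading above which the underlying risk has changed
    last_reviewed: Optional[date] = None
    history: List[Tuple[str, str, str, str]] = field(default_factory=list)  # (date, from, to, note)


def is_allowed(from_status: Status, to_status: Status) -> bool:
    return to_status in ALLOWED[from_status]


def transition(risk: Risk, new_status: Status, today: date, note: str = "") -> None:
    if not is_allowed(risk.status, new_status):
        raise ValueError(f"{risk.rid}: {risk.status.value} -> {new_status.value} is not permitted")
    risk.history.append((today.isoformat(), risk.status.value, new_status.value, note))
    risk.status = new_status
    risk.last_reviewed = today


def record_review(risk: Risk, today: date, current_level: int) -> None:
    """A review re-assesses the level; an Active risk that has reached target becomes Ongoing."""
    risk.current_level = current_level
    risk.last_reviewed = today
    if risk.status is Status.ACTIVE and current_level <= risk.target_level:
        transition(risk, Status.ONGOING, today, "managed to target level")


def apply_indicator(risk: Risk, reading: float, today: date) -> bool:
    """An Ongoing risk whose KRI/KCI reading breaches its threshold is re-activated."""
    if risk.status is Status.ONGOING and risk.kri_threshold is not None and reading > risk.kri_threshold:
        transition(risk, Status.ACTIVE, today, f"indicator {reading} above threshold {risk.kri_threshold}")
        return True
    return False


def review_due(risk: Risk, today: date) -> bool:
    interval = REVIEW_INTERVAL_DAYS[risk.status]
    if interval is None:
        return False
    if risk.last_reviewed is None:
        return True
    return (today - risk.last_reviewed).days >= interval


def reviews_due(register: List[Risk], today: date) -> List[str]:
    return [r.rid for r in register if review_due(r, today)]


def demo() -> List[Risk]:
    """Walk two constructed risks through the lifecycle."""
    r1 = Risk("R-1", "Unauthorised trading beyond approved limits", target_level=4, kri_threshold=2.0)
    r2 = Risk("R-2", "Primary data centre outage", target_level=6)
    transition(r1, Status.ACTIVE, date(2024, 1, 8), "assessed as real and in scope")
    record_review(r1, date(2024, 2, 7), current_level=12)     # above target: stays Active
    record_review(r1, date(2024, 3, 8), current_level=4)      # reaches target: Active -> Ongoing
    apply_indicator(r1, reading=1.5, today=date(2024, 5, 1))  # within threshold: no change
    apply_indicator(r1, reading=3.0, today=date(2024, 6, 3))  # breach: Ongoing -> Active
    transition(r2, Status.ACTIVE, date(2024, 1, 8))
    transition(r2, Status.CLOSED_OCCURRED, date(2024, 4, 2), "outage occurred; lessons logged")
    return [r1, r2]


if __name__ == "__main__":
    register = demo()
    for risk in register:
        print(risk.rid, risk.status.value, [h[1:3] for h in risk.history])
    print("reviews due on", CHECK_DATE, ":", reviews_due(register, CHECK_DATE))
```

Keeping the transition table explicit is the point of the exercise: a closed risk cannot be quietly re-opened without a new Draft, and an Ongoing risk only comes back to Active through a recorded indicator breach or review, which is the audit trail the lifecycle is meant to give.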