An entity’s risk management framework is a set of components and arrangements that articulate the directions and approach for managing risk. It should be practical and tailored to the entity. Risk management frameworks will differ depending on the size and the operations of an entity as well as the nature and complexity of the risks they face.
An entity’s risk management framework should include a risk management policy and a risk appetite statement. A risk management policy is a statement of the overall intentions and direction of an organisation in relation to risk management. A risk appetite statement describes the overarching amount and types of risk an entity is willing to accept in order to achieve its objectives. It is supported by risk tolerance statements that operationalise an entity’s risk appetite by specifying the levels of risk taking that are acceptable.
The risk management framework is the overarching structure that supports the consistent and systematic management of risk across an entity. Formalising it helps the entity prioritise its activities and identify opportunities.
Each entity needs to determine if its risk management framework is the best fit for the entity’s purpose, structure, size and operating environment.
An entity’s risk management framework is most effective when:
- It is consistently applied, integrated and aligned across the entity.
- It details the required actions for designing, implementing, monitoring and reviewing risk management in the entity.
- It is used by officials at all levels to inform decision making.
- It is aligned with other business processes, including:
  - governance and assurance arrangements
  - change and business improvement
  - program and project planning and management.
There is no standard format or structure for a risk management framework. The nature of the work undertaken by an entity will determine the design and sophistication of its risk management framework. However, framework elements used by many entities include:
- An overarching risk management policy
- An overview of the entity’s approach to managing risk
- Key risk management responsibilities
- How risk is reported to internal and external stakeholders
- The attributes of the culture the entity aspires to
- The entity’s approach to managing shared risk
- An overview of how risk management arrangements are periodically reviewed.
Practices that help make a risk management framework usable and coherent include:
- Include a document map in the risk management framework to clarify and differentiate between policy, guidance and process documents.
- Structure documents into a logical hierarchy, separated into strategic-level and operational-level guidance. Also separate enduring guidance, such as the risk management policy statement, from 'living' documents such as risk assessments and risk registers.
- Link the entity's risk management policy to the other elements of the risk management framework, such as detailed procedures, templates and guidance materials. Consider the framework from a user's perspective and ensure that each element is easy to understand and that the relationships between elements are clear.
- Include a visionary statement from the entity’s accountable authority or CEO in the risk management policy that outlines what the entity is seeking to achieve through good risk management and key goals for the risk management program in the future.
- Provide training and ongoing support to officials so that they are aware of, and understand, the entity’s risk management framework.
- Use the entity’s risk management policy and its accountable authority instructions to link the risk management framework to other corporate frameworks and processes.