Wednesday, 24 August 2011

Strategic Risk Management: Risk Reporting and Treatment (2)

In an earlier article, Tempering the Pursuit of Profits, I discussed how profit and non-profit seeking organisations can manipulate the way they make profits. One central component in that piece was matching risk and reward. Organisations face a choice between taking higher risk ventures with higher reward and then managing those risks effectively and efficiently, or taking a lower risk venture with low return. Taking on high risk activities involves a strategic risk management approach. In the last article on risk management, I discussed how taking risk involves an extensive risk management process, from assessment to evaluation. In this article I am looking at risk reporting and communication as well as risk treatment.

Risk Reporting and Communication
For internal reporting purposes, different levels within the organisation need different information from the risk management process. For example, while the board of directors would like to know about the most significant risks facing the organisation, business units within the organisation would be aware of risks which fall into their area of responsibility, and individuals would understand their accountability for individual risks.

External reporting enables a company to report to its stakeholders on a regular basis, setting out its risk management policies and their effectiveness in achieving its objectives. Good corporate governance requires that companies adopt a methodical approach to risk management.

Risk Treatment
The process of selecting and implementing measures to modify the risk is called risk treatment. This process includes risk control/mitigation and extends to risk avoidance, risk transfer, risk financing, etc. A system of risk treatment should provide, as a minimum threshold, efficient and effective operation of the organisation; effective internal controls; and compliance with laws and regulations.

Making a detailed risk analysis assists the effective and efficient operation of the organisation by identifying those risks which require attention by management. Risk control actions are prioritised in terms of their potential benefit to the organisation. The effectiveness of internal controls is the extent to which the risk will be either eliminated or reduced by the proposed control measure, assessed by means of a cost/benefit analysis. Compliance with laws and regulations is not an option. Understanding the applicable laws and implementing a system of controls to achieve compliance is a must.
