You've done a great job to date with your risk management efforts - you've communicated extensively, established the context in which your risk process was conducted, identified, analysed and evaluated the risks and finally decided on which risks needed further treatment.
Does that mean you're done? No!
The very nature of the world we live in means that things change - some risks become less relevant and new risks emerge all the time. And the pace of change seems to be accelerating.
In short, managing risk is a never-ending task - but it doesn't have to be a chore.
So what do the two elements - monitor and review - actually involve?
The monitoring component is about checking in and observing the organisation's risks to ensure that the performance is as expected - that is, no deviations from the planned outcomes. It should include checking that agreed risk treatments have been implemented, that they are understood and are being performed as required. If there are actions outstanding, there should be dates for completion and a responsible person nominated to complete them.
Monitoring should also test the effectiveness of these treatments along with the effectiveness of any existing controls. Importantly, this is where any identified Key Risk Indicators (KRIs) are tracked and form the basis of reporting for Management and the Board.
The review element of this step is about reviewing the applicability of the current risks - are they still relevant, and are the risk ratings still appropriate - as well as determining if there are new or emerging risks that need to be considered.
Should a new risk be identified, it should go through the whole assessment process to ensure it is rated and treated as appropriate.
If there has been sub-standard performance with any of the identified risks, be they a threat or opportunity, the review step should also be used to analyse and document what went wrong. Learning lessons from these events or incidents further strengthens the risk management process. What has worked, what didn't - it all contributes to a better understanding of the business's risk environment.
One other thing to keep in mind during the overall Monitor and Review step is that it is worth checking that the context hasn't changed - remember that the context in which the organisation, division, function or project operates is key to any successful risk activity.
As indicated earlier, one of the key functions of the Monitor and Review step is to provide the Board and Management with assurance about the effectiveness of the risk management framework and risk management process. As such, it's an on-going activity rather than an annual, twice yearly or quarterly event like the risk identification step tends to be.
This blog effectively concludes my review of the 7 steps in the risk management process - I hope it has in some small way provided clarity to your thinking about risk management.
My business, Proximity Risk & Assurance, has developed a training program called "Risk Basics" designed to educate and up-skill those in the first line of defence about their role in risk management. I can also assist these teams in implementing and embedding the risk management process into their function.
Please contact me via my website or my mobile (0404 829 040) should you wish to discuss your risk management challenge and how I may be able to assist.