Risk Management
Initiating risk, identifying risk, managing and responding to risk, monitoring, reporting and communicating risk.
6. Monitoring, Reporting and Communicating Risk
6.2. Reporting Risk
The literature search has identified three areas of risk reporting that are imperative to communicating risk effectively throughout an organisation: Board assurance, high-level risk, and risk register reporting.
The Board Assurance Framework (BAF) provides a structure and process that enables a business to focus on those risks that may compromise achieving its principal annual objectives. It should map out key controls that should be in place to manage those objectives and confirm the Board has gained sufficient assurance about the effectiveness of these controls (Good Governance Institute, 2009). The Department of Health (2002, page number?) paper Assurance: The Board Agenda acknowledges that “the concept of assurance can be a source of misunderstanding and mismatched expectations”.
The Department of Health (2003) guidance Building the Assurance Framework: A Practical Guide for NHS Boards states the BAF should contain the following:
- Principal Objectives
- Principal Risks (linked to objectives)
- Key Controls (linked to risks)
- Assurances on Controls
- Board Reports (and reporting)
- Positive assurances
- Gaps in control
- Gaps in assurance
- Board Action Plan
Both the Department of Health (2002, 2003) and the Good Governance Institute (2009) documents state that the principal objective of the BAF should be updated once a year in accordance with an organisation’s annual business planning process, but the associated risks, controls, potential sources of assurance, actual assurance received and gaps in control or assurance determined within the BAF should be updated on an on-going basis.
In addition to the Board Assurance Framework, a report of high-level risks should be compiled by senior management to facilitate the identification, assessment and on-going monitoring of significant risks to the organisation. The report should be formally appraised by the board and reported regularly (Higher Education Funding Council of England, 2014). High-level risks should be differentiated from standard risk registers, which are reported organisationally below the Board. The Australian and New Zealand Standards (2004, p.23) guidance postulates that “each stage of the risk management process should be recorded appropriately. Assumptions, methods, data sources, analyses, results and reasons for decision should all be recorded.” Risk registers are important for collating and analysing trends but should primarily be used operationally by managers to reduce and manage risk at all levels and organisationally to report risks through organisational governance structures (Good Governance Institute, 2009).