
6. Reporting and Monitoring Risk Management Procedures


6.1 The Reporting Structure

When an organization establishes its risk management framework, a reporting hierarchy should also be
established. The reporting structure will differ depending on the complexity of the risk management program.
Some common setups include:

a) A part-time risk manager;
b) A risk management committee;
c) A full-time risk management champion;
d) A risk management team; and
e) A risk management department with an internal audit team.

6.2 Reporting and Monitoring Framework

An organization will need to develop a checklist of items that will need to be reported on and monitored
on a regular basis. This checklist should include:

a) What data is to be gathered;
b) What form it is to be presented in;
c) Templates to be used;
d) When data should be gathered and reported; and
e) Who is responsible for measuring, reporting, and monitoring.

6.3 Reporting Checklist

Items that will need to be reported on include:

a) Changes to risks;
b) Near misses and incidents;
c) Changes that will affect the risk management program, such as legislative changes, industry
developments, and changes in supporting elements of risk planning.

Depending on your organization, you may also need to provide reporting according to external guidelines,
such as Sarbanes-Oxley or Turnbull.

6.4 Monitoring Checklist

Items that should be monitored include:


a) Effectiveness of risk controls
b) Cost of controls vs. benefit achieved
c) Laws and legislation
d) Industry climate
e) Alignment of risk management plan with corporate goals

6.5 Reviewing and Evaluating the Framework

A Review Checklist

A plan for periodic review and evaluation of the risk management framework is a critical element of any
risk management program. Typically a thorough review is performed annually.

Things that should be covered in the review process include:

a) Analysis of risk response measures and whether they achieved the desired result, and did so
efficiently;
b) Review of reporting and monitoring procedures;
c) Knowledge gap analysis for risk assessments (Were people able to find the information they
needed?);
d) Compliance check with appropriate regulations and organizations;
e) Opinions of key external and internal stakeholders;
f) Self-certification;
g) Risk disclosure exercise, to identify future risks;
h) Repeat of risk assessment;
i) Lessons learned; and
j) Recommendations and implementation plan.

Remember, the review should be proportionate to your organization. If your organization is small, an
afternoon meeting to review your risk management program may be sufficient. For larger organizations,
the review process may take weeks or even months and require outside assistance.

The efficacy of risk management procedures

Risk management plans, policies and procedures are only as effective as the people who implement them.
Risks that were identified at the inception of the risk management plan can change as circumstances,
people and processes change. It is the responsibility of every employee to identify and report new risks
that are identified in the course of their daily work, to ensure that these new risks are incorporated into
the risk management plan. Below is a checklist designed to help public sector organisations evaluate and
improve their risk management frameworks and strategies. The checklist is based upon the criteria
outlined in an international risk management performance audit. The checklist identifies the elements of
good practice that, if effectively applied, would ensure that an organisation's risk management framework
is appropriate, effectively implemented, integrated with governance structures, and addresses all risks.
At this stage of learning about risk management, the checklist serves the purpose of checking your
awareness of risk management practices in your organisation.

6.6 Reporting

The procedure for reporting the statistics on permits is in place, but according to the report and
communication, this procedure is not being adhered to, resulting in a loss of data integrity and a poor
reflection on the Department. This could be the result of role-players not being aware of the importance
of reporting the statistics, their uses, and the consequences of poor statistics. Had the
communiqué been sent at the inception of this exercise (when the need for reporting statistics was
identified) and stakeholders been informed of their role in the "big picture", a better rate of response and
submission might have been achieved.

The workflow diagram, or "Big Picture" of data on issuing permits, is illustrated in the graphic above.

6.7 Revising procedures and incorporating changes

Within every quality management system (risk management is part of a quality management system),
there should be a policy that addresses continuous improvement of the system through regular revision
and updating of policies and procedures, and that also prescribes the frequency of revision. The review date
of a procedure is usually recorded on the document, either on the cover page of the procedure or in the
footer of the document. Should shortcomings in a procedure be identified before the published review
date, there is usually a procedure within the quality management framework that explains how to submit
a proposed change (using a specific format or form) ahead of that date.
