Are your risk frameworks, processes and teams effective?


Those charged with governance want to know that their risk frameworks, processes and teams are effective.

This expectation has been formalised in a number of regularly frameworks, most notably ASX Corporate Governance Council recommendation 7.3 which requires that listed boards should:

(a) review the entity’s risk management framework at least annually to satisfy itself that it continues to be sound; and

(b) disclose, in relation to each reporting period, whether such a review has taken place.


This is a new requirement from 1 July 2014 and requires disclosure to investors and the market.


How do we assess whether our risk framework is sound?

The term 'sound' isn't defined in this context, and hence is open to interpretation.  Some might define it as reasonable.  Our preference is to focus on effectiveness i.e is it doing the job required in an appropriate way for an organisation of our size and complexity? 

Unfortunately there is no defined or unified framework for this assessment.

There are various methods available in the market which in our view don't hit the mark.

ISO 31000 is a useful start, but is a set of principles and doesn't go to the heart of the key questions of whether material risks are identified, assessed and managed, and whether the framework is effective.

There are also a plethora of risk maturity models in the marketplace.  Unfortunately these are not comparable nor compatible, and are oriented on continuing on the risk journey, rather than answering the question "are we there yet?".

Using these models generates additional activities to be done, but doesn't always get to the heart of the whether the framework is effective.


Is your risk framework effective?

We have been working with early adopters to answer these questions, with a focus on effectiveness.

Our approach is to work with in-house teams to develop a defined, repeatable assessment that can be used by the first, second and third lines of defence to form a view on the effectiveness of their risk framework.  This in turn drives greater understanding and accountability in key areas.  

Importantly it is a repeatable process that can be performed annually to satisfy these requirements and also be used as the basis for an independent periodic review from time to time.

Contact us to find out more.