I’ve completed the second module of the IRM Certificate in Risk Management
I have finished the Risk Strategy module of the IRM’s International Certificate in Risk Management on time and on schedule.
The last time I wrote I was tackling the question of risk registers. I’ve learnt that these are a useful tool to record the risk management process but that they need to be dynamic in order to function as an action plan for the organisation.
A risk register covers all the significant risks facing an organisation as well as the controls needed to mitigate them. It is an important tool and is sometimes used by internal audit to test the effectiveness of risk management processes.
The Risk Strategy module also describes who is responsible for risk management in the organisation; I found this section particularly interesting.
There are a number of people responsible for risk management in the typical organisation. These include the insurance risk manager, corporate treasurer, finance director, internal audit, compliance, health and safety manager and the business continuity manager.
External advisors, like brokers, insurers and consultants, are also involved.
Crucially, it’s important that risk management is embedded into the culture of an organisation and its core business processes. Risk management also needs to be high profile.
Company directors need a good understanding of risks so they are in a position to fulfil their statutory duties.
Non-executives have an important audit role to play, but executive management is probably in a better position to understand the risks that the organisation faces, says the IRM reading.
While Chief Risk Officers (CROs) are becoming more and more of a feature in corporations (even outside the financial sector), the IRM reading claims that a “guardian of the risk management strategy and protocols” (GRASP) may be a better description of what’s needed.
During the second module I was also introduced to the concept of Risk Communication. This is vital for organisations to adopt a risk management culture, I’m told.
Organisations with a good risk culture are founded on mutual trust and a shared perception of the value of risk management.
The reading also gives a good explanation of the components in creating a risk culture. These include leadership, involvement, learning, accountability and communication (or LILAC).