Objective-Centric Risk Monitoring: Providing Actionable Information


Monitoring Area #1: Risk Responses

Action Plans and the Effectiveness of Controls and Mitigations

When a risk to a business or strategic objective is identified, further analysis is done to determine the best response.

As noted earlier, monitoring a risk response takes two forms.

Stage 1: monitoring the action plans put in place after the decision to further reduce or mitigate the current risk (the risk response decision).

At each pre-established due date or milestone date, ERM needs to confirm that the risk owner is making progress on the mitigation or control they have been tasked with putting in place.

For more complex action plans with multiple milestone dates, ERM should check in at each milestone to confirm the “project” is on track to be implemented as scoped by the planned deadline.

Some general questions to ask during these status updates include:

  • How are you progressing with your action plan?
  • Do you need additional resources?
  • Do you have any obstacles or concerns?

Of course, there are other company- or situation-specific questions you can and should be asking, but these will give you a good start.

If you’re using ERM software or a GRC system, you should be able to set up these action plans, triggers, and due dates within the system and receive automated alerts reminding you to follow up with the risk owner (or even have the system automatically email the risk owner asking for an update).

Stage 2: once the controls or mitigations are fully in place and the action plan is therefore complete, ERM and the risk owner need to set a date to re-assess the effectiveness of the new control or mitigation.

Some example questions to ask for this specific type of monitoring include:

  • Is the mitigation or control working to address the risk adequately?
  • Are risk metrics improving?
  • Are there other measures we should be taking?
  • Are you seeing this control or mitigation have impacts or unintended consequences in your area or in others?

As is the case with action plans, there are other situation- or company-specific questions you should be asking.

And while the risk owner will be the primary contact for understanding the effectiveness of risk controls, ERM can also coordinate with internal audit for independent, unbiased information.

At this step, internal audit’s role is to assess the design and operating effectiveness of a specific control related to a specific risk, linked to a specific objective. This provides assurance that the control is working as intended. Keep in mind that even if one control is linked to multiple risks, it may not reduce each of those risks equally, whether they are tied to the same objective or to different ones. (This is why establishing scope, meaning a specific objective, is so important before identifying and assessing risks.)

After this initial review, assessments of mitigations and controls can be conducted as part of regular risk meetings. Changes in context, an audit finding, or one of the other triggers can prompt more detailed or more frequent monitoring when needed.

Continue reading Monitoring Area #2: Risk & Objectives (based on pre-established metrics) for more on the next trigger.


Meet Carol Williams, SDS Founder & Lead Strategist
