Framework - Worth Knowing

Customers, stakeholders, shareholders, insurance providers, boards, risk and audit committees, and also governments and relevant regulators strongly expect, or even require, organisations to implement an effective risk management framework (Framework).

Examples include:

→ ASX Principle 7 (Corporate Governance Principles and Recommendations - ASX Corporate Governance Council), applicable to ASX-listed entities

→ tpp 15-03 — Internal Audit and Risk Management Policy for the NSW Public Sector

The Framework is an organisation's set of rules determining how risk management is performed within that organisation*. It provides a structure that facilitates the use of a consistent process to manage any risk that has an effect on the organisation's objectives.

RISIKO understands that typically, the head of an organisation:

→ Owns the Framework

→ Provides direction regarding its specifications

→ Approves its content

The Framework should be consistent with ISO 31000:2009 — Risk management - Principles and guidelines (the Standard) — the internationally acknowledged, comprehensive risk management standard.

A good way to obtain external recognition of an organisation's Framework is to be able to demonstrate consistency between the implemented Framework and the Standard.

How to get there?

Usually there are two client scenarios:

→ Organisations that have Frameworks in place that are consistent with the Standard to varying degrees, but whose implementation has not progressed as expected

→ Organisations that do not yet have a documented Framework in line with the Standard.

For those organisations which already have a Framework in place and wish to progress its implementation further, RISIKO offers:

→ As a first step, an analysis tool consisting of a set of questions, related to all key sections of the Standard, that a framework consistent with the Standard would be able to answer. RISIKO then helps its clients to identify and close any gaps.

→ As a second step, if requested, support with an Implementation Plan (Plan). The Plan outlines, section by section, the activities to be performed to achieve the objectives of the Framework and the related deliverables. The Plan allows clients to allocate responsibility for the execution of each activity to members of the business, and would typically include timeframes and cost estimates.

For organisations that are yet to have a documented Framework, RISIKO offers:

→ As a first step, a Framework format, consistent with the Standard, that is applied to the client's organisation. This approach helps clients to:

  • Identify areas where, if they wish to be consistent with the Standard, they need to commit to implementing its requirements
  • Customise areas where the Standard offers different options to meet its requirements
  • Define areas where their Framework requires their input and direction

→ As a second step, if requested, support with an Implementation Plan, as outlined above.

The application of risk management to all aspects and levels of an organisation is often referred to as ‘enterprise risk management’. This term can be seen as an implied requirement of the Standard for organisations to develop a whole-of-organisation view of their risks. However, the Standard does not mention the term, as such.

*ISO Guide 73 defines a risk management framework as a set of components that provide the foundations and organisational arrangements for designing, implementing and monitoring, reviewing and continually improving risk management throughout an organisation.