So you have successfully integrated a Risk Management Scheme into your organisation, but that isn’t the end…

The ongoing improvement of risk management can only be determined by the longer term plans of monitoring and reviewing risk management strategies.

Monitoring and Reviewing is used in two ways.

1. It assesses the effectiveness of our treatment controls
2. It ensures that we are always identifying new organisational uncertainties.

Assessing the effectiveness of our controls

As organisations reach the stage where they feel that they have implemented efficient controls to reduce the risk level, they must re-assess each risk in the risk register. This will involve re-completing the risk assessment stage in our risk management scheme taking into account the controls put in place. If the treatment controls have been successful, the level of risk should have reduced to an acceptable level (as decided by the organisation). If the risk levels remain high, then the organisation should reconsider their risk treatment controls and aim to improve their effectiveness or implement more.

Continual identification

Continual identification builds on the idea that risk management is a continuing process, not just a procedure conducted by businesses on a one-off basis. Business risks are always changing in both internal and external environment and the alteration of these provoke changes in our risk register.

Internal factors – Alterations from within the organisation that spark alterations in the risk register. Examples may include purchasing of new equipment or implementing new control methods.

External factors – Changes from outside of the organisation which present new risks or provoke risk register alterations. Examples could include new/revised governmental law and standards.

As new risks become apparent as business activity changes, these can be added and updated in the risk register accordingly. The periodic review of our risk management strategies is essential in the long term because it will leave the business one step ahead when new threats and opportunities arise.

To cover changes in the risk register the organisation should ask themselves the following questions:

1. Have there been any changes in relation to risk treatment controls since the risk register was last checked?
2. Has any new equipment been installed since our last review?
3. Has the government changed policies that now need to be taken into account in our risk register?

The risk register should then be updated accordingly in consideration of these changes.