5.3 Reporting considerations
Larger organisations should give thought to how risk reporting and reviews flow down the organisation. Again there is no right way to do this, but it is typical for smaller units to have their own local reviews. The only difference between these and higher-level reviews tends to be the size (impact) of the risks being discussed.
The cadence (timing and frequency) of risk reviews should be based on the business in question and the pace with which risks can emerge, change and be mitigated. There is, therefore, a broad spectrum of review frequencies ranging from daily to annually.
In cases where there is a lower frequency, thought should be given to how exceptions will be reported and key decisions made. This is often done by linking risk to the organisation’s delegated authorities and incident reporting processes. A standard risk review is described below:
Risk committee terms of reference
Download the read-only [Tip: hold Ctrl and click a link to open it in a new tab. (Hide tip)] or the read + write version.
A good risk review will often conduct a review by exception and a deep dive.
The review by exception looks at things that are not as they should be, which would include:
- incidents (risks that have happened)
- control weaknesses (based on near misses or assurance findings)
- mitigation actions that have not worked or are off track
- risks that are greater than appetite (and, in particular, those that will remain so for a long period of time)
- changes to the risk profile, particularly new risks (or new root causes) and risks that are to be closed.
A deep dive will be undertaken as described in Session 6. This should be an opportunity for the panel to review treatment activities (actions and controls) and make sure that they are confident the risk is being appropriately managed.
Take a look at the Reporting Toolkit (read-only).