5 The Risk Management Plan (RMP)

This framework will be looked at again in later sessions, but for now consider a specific approach for the first risk management activity. The first task in setting up risk management for any new activity is to create a document called a ‘Risk Management Plan’ (RMP). The purpose of an RMP is to set a standard and ensure consistent and seamless application of risk. This step, referred to as Scope, Context, Criteria in the ISO 31000 risk management process, sets the tone for what will follow.

Maximise

Figure 1 ISO 31000 diagram – Scope, Criteria, Context

Show description|Hide description

This is the ISO31000 standard, it consists of 3 core steps; Step 1: Scope, Context, Criteria, Step 2: Risk Assessment, Step 3: Risk Treatment. Step 2 is further broken down into 3 further steps: Risk Identification, Risk Analysis and Risk Evaluation. Two parallel process operate across these steps: Communication and Consultation and Monitoring and Review. Recording and Reporting sits as a step across all activity. For this image, Step 1 is highlighted in green.

Figure 1 ISO 31000 diagram – Scope, Criteria, Context

RMPs can exist for small activities all the way up to risk activities for an entire organisation. An organisation-level RMP will be partly driven by the regulatory requirements, which will define some minimum requirements for governance and reporting. Listed companies in certain countries have to comply with corporate governance codes which may set a minimum requirement for the things the risk management system needs to cover. Corporate governance requirements are discussed further in Session 7.