5 The Risk Management Plan (RMP)
This framework will be looked at again in later sessions, but for now consider a specific approach for the first risk management activity. The first task in setting up risk management for any new activity is to create a document called a ‘Risk Management Plan’ (RMP). The purpose of an RMP is to set a standard and ensure consistent and seamless application of risk management. This step, referred to as ‘Scope, Context, Criteria’ in the ISO 31000 risk management process, sets the tone for what will follow.
RMPs can exist for anything from a small activity up to the risk activities of an entire organisation. An organisation-level RMP will be partly driven by regulatory requirements, which will define some minimum requirements for governance and reporting. Listed companies in certain countries have to comply with corporate governance codes, which may set a minimum requirement for the things the risk management system needs to cover. Corporate governance requirements are discussed further in Session 7.