As with any process, there will be opportunities to make improvements. By monitoring and reviewing your program, you will find what is working well and what is not.
4 Ways to Check Your Program
A cursory glance or quick thought about the risk management program is not going to be useful. Instead, consider surveillance, monitor, review, and audit as four different levels of rigor for checking your program.
Surveillance is taking time to observe the operation of your risk management framework. Is it operational, is it identifying appropriate risks, and are risks mitigated appropriately?
Monitor is the gathering of data and comparing results or metrics to targets. Your project may have key performance indicators concerning budget, time, quality, scope, timeliness, and costs.
Review is a periodic evaluation of the risk management program, organization, and competitive and customer landscape. The review may focus on elements used during the planning of the framework for the organization, such as environment, situation, or context. This is a check to determine if the implemented framework is suitable given changes since its design.
Audit is the detailed objective evaluation of the implemented framework. It addresses the ability of the implemented framework to meet the appropriate standards, such as ISO 31000.
Surveillance and monitoring are ongoing and routine checks of the program. The framework implementation should include scheduled reviews and audits, as they take resources to carry out.
Why Do the Check Step?
Things change. From individuals within your organization, to duties and responsibilities, to product technology and customer expectations, things change.
Implementing a risk management program that can identify, communicate, and mitigate salient risks requires ongoing adjustments and improvements to the program. The range and scope of potential risks will change, and a risk management program that worked well two years ago may miss critical risks today.
As an organization matures and as customers shift expectations, the organization’s risk appetite and risk tolerance will change as well. These changes may alter key elements of your program.
Risk controls, metrics, and reporting that work with a smaller team will become inadequate for a larger organization. Plan to evolve your program as your organization evolves.
Whether it is an interview review or an extensive audit by an external agency, you will learn how to improve your risk management framework implementation. Individuals within an organization tend to focus on what is measured; monitoring, reviews, and audits are the measure of the program.
The output of the check step actions is a list of action items to enhance, improve, or adjust the organization’s risk management program. It is an ongoing process and is built into the risk management framework.