Risk Management Framework (Risk Management Policy)

AL Refs: RAP01, GOV25

Purpose

The Risk and Control Management Policy sets a formal methodology for identifying, assessing, treating, monitoring and reporting the risks that threaten the achievement of AssuranceLab’s objectives and the control activities that mitigate those risks. This should be used in conjunction with the defined company objectives.

Example Risk Management Framework

Responsibilities

Board of Directors

The Board of Directors is accountable for the risk and control management of AssuranceLab. The Board should be informed of critical risks and an executive summary of the risk and control assessment activities performed.

Senior Leadership Team

The Senior Leadership Team is primarily responsible for the management of risks and controls that reside within their operational areas. This also includes liaising effectively with other members of the management team to ensure cross-functional risks are appropriately identified and managed.

Risk Manager

The Risk Manager is responsible for coordination of the risk assessments and ongoing evaluations to verify and manage the identified risks and control practices.

Control Owners

The Control Owners are responsible for performance, review and ongoing management of their assigned control activities. This includes periodically reviewing the controls to ensure they remain accurately defined, effective and consistent in practice, and any failures or potential improvements are identified.

All Employees

All employees are responsible for the identification and management of risks, and for performing and adhering to the defined control activities within the scope of their role. This includes raising new and emerging risks with the Risk Manager and Senior Leadership Team, as well as ongoing cooperation and feedback on the existing risks and control practices.


Risk Management Process

The risk management process is a cyclical approach to identify, assess, treat, monitor and report on the risks that threaten achievement of AssuranceLab’s objectives. The risk assessment is a quarterly review process that should include the Senior Leadership Team, the Risk Manager and, where applicable, the Control Owners.


Risk Cycle

Risk Identification: Risks should be identified considering the operating environment of AssuranceLab, the nature of the services provided to customers, the services procured from third parties, and the company objectives. Areas to consider include:

  • Regulatory and compliance requirements
  • Information assets
  • External threats and system vulnerabilities
  • Misuse of information
  • Data leakage
  • Process failures and policy breaches
  • The potential for fraud:
    • Inappropriate employee or customer user behaviours
    • Rogue or malicious employee
  • Significant operating changes:
    • Disruption of service or productivity
    • Changes or failures by critical vendors
    • Changes in key personnel

Risk Assessment

The Risk Assessment considers the identified risks, both new and existing. It records, updates or confirms each risk in the Risk Register with the appropriate risk ratings based on the Risk Assessment Criteria. This should also consider the control activities that directly mitigate the risk, in order to determine a residual risk rating. Where the residual risk rating is beyond an appropriate level of tolerance, as determined by the responsible management, risk mitigation plans should be identified and agreed to further mitigate the risk and reduce the risk rating. The final ratings and Risk Register should be approved by the Senior Leadership Team to conclude the risk assessment process.


Risk Treatment

Risk Treatment is the ongoing process of addressing the risks to reduce their risk rating to a level that is within tolerance. These activities are usually defined in the risk mitigation plan formed in the risk assessments and updated thereafter. The risk treatment may include avoiding or reducing the activities that give rise to the risk, controlling the risk through new control activities or improvements that further mitigate it, transferring or sharing the risk with another party (e.g. insurance, partnerships), or ultimately accepting the risk as it stands. This acceptance may be the result of a cost vs. benefit consideration where further treating the risk is not feasible and the resulting risk is therefore within management’s tolerance.

Monitoring and Reporting

Monitoring and reporting of the operational environment provides a feedback loop into the risk identification and assessment process. Operational events such as incidents, policy breaches, system vulnerabilities, employee exits and various other events can indicate a new risk, or highlight changes in the risk ratings or in the approach to an existing risk. To support risk governance, the executive-level outputs from the risk and control management process should be prepared on at least an annual basis for the Senior Leadership Team and the Board.

Control Effectiveness

The internal controls that mitigate each risk are considered to determine whether the residual risk is within AssuranceLab’s tolerance. This includes considering whether the controls are effective, or whether further actions can be taken to implement additional controls or improve the effectiveness of existing controls. The Control Framework supplements the Risk and Control Management Policy with the detailed listing of control activities identified and mapped to the relevant standards and requirements.