Risk Documentation is where the written word captures the spoken word

Risk Documentation is where the written word captures the spoken word, documenting the enterprise risk management ensures intentions and actions are aligned – which makes for a better world.

?Good written risk documentation is both an art and a science; in the perfect world blending the writer and subject matter expert as one. Unfortunately, we do not live in a perfect world and this blend is difficult to find. Too many risk documents have either been badly written by the subject matter expert or have been deemed content light and aspirational by the writer.

To achieve clarity, the risk documentation should be written?from an?independent?viewpoint?by someone?who can challenge known assumptions with a questioning mind. The risk writer will need input from the business, seek collaboration and guide the organization towards ownership of the final document. As a result, the document will be an objective piece of writing, speaking the language of the organization while being understood by the outside world.

Good documentation is a prerequisite in the successful implementation of risk management, acting as a delivery and message mechanism. Documentation must:

·??????? deliver a consistent message,

·??????? speak a common language,

·??????? clear objectives allied to the maintenance of the organization’s objectives

·??????? be?easy to?review,?evaluate and update?frequently.

The documentation?affects and defines the engagement with internal and external stakeholders, articulating and defining the organization’s culture, attitude, and commitment towards risk.

3?SIGNALS OF EFFECTIVENESS

The board has overall responsibility for ensuring that risks are managed. They?delegate the operation of the risk management framework to the management team. One of the key requirements of the board is to gain assurance that risk management processes are working effectively and that key risks are being managed to an acceptable level.?Therefore, the board?requires?a comfort and assurance level that risk documentation is being used and is directing the organization?toward?achieving its objectives.

Here are three signals of effectiveness.

1. Cultural attitude towards risk: This establishes and confirms clear roles and responsibilities that reinforce ownership, accountability and responsibility. Documentation underpins standard practices and policies, so a commitment to the guidelines speaks to the adequacy of a firm’s internal control environment. Most companies will have a risk charter which?binds?the Board and senior management?to?a fiduciary duty?of?their responsibilities.?It will impose?a structure and governance?affording a value add?which directs?the performance of?corporate?objectives in a controlled fashion.

Part of this cultural?attitude?towards risk is evidenced in?the?Review and Challenge.?Asking the right questions and verifying the correct answers demonstrate an organization’s comfort level with its governance and documentation processes. There must be a structure in place that allows?employees to challenge these processes, when necessary.?But beware history teaches us a lesson ?courtesy of Boeing , whereby the safety /risk culture has been toxic to trust for years. The ?fundamental issue of distrust inherent within the Boeing culture makes these procedures and policies ineffective.

2.?The right metrics. Metrics gauge the operational efficiency of documentation and selecting the right ones will ensure that employees are compliant in terms of key performance and key risk indicators. Too few or too many of these metrics can paint a distorted picture; the chosen metrics must therefore be material and relevant to the documentation. Regular reviews of these metrics will indicate whether the documentation is fit for purpose. Return on Equity, Risk adjusted capital return, return on investment are some metrics that can be adjusted for with regard to risk.

3.?Continuous assessment and review of policies and procedures. Reviews should consist of assessments based on representative samples and must include testing and validation by all engaged stakeholders. Documentation needs to be recalibrated if your organization has too many – or too few – “escalation incidents.”?and or exceptions.?These exceptions and escalation would be actively tracked to gain an understanding of the validity of the documents. With limited resources only core and material documents would have to be reviewed and tested especially in the light of changing working conditions and impactful legislation . A structure which enforces this oversight is a sign that risk mitigation is part of the organization’s DNA.

Passing thoughts

These three signals are interlinked, each providing a layer of evidence that risk is being taken seriously by the organization, with the emphasis on seriously.

?Call to Action

If you need a rethink, the choose Riskink