
HIERARCHY OF RISK MANAGEMENT DOCUMENTS
The policy governs risk management activities and defines roles, responsibilities, and accountability for managing risk. It establishes the basis for stakeholder communication and risk monitoring. The framework describes the processes and tools that operationalise the Risk Management policy.
The risk management process includes the following steps: 1. Establish context, 2. Identify risks, 3. Analyse risks, 4. Evaluate risks, and 5. Treat risks.
The risk assessment criteria include impact and likelihood ratings, which are used to quantify risks and rate control effectiveness.
The risk appetite statement details the risk the Group is willing to take to achieve strategic goals.
Risk register(s) capture identified risks, controls and risk ratings. Register(s) are used to monitor and report on the Group’s risk profile.
Risk policies ensure identified risks are managed in a consistent manner and in line with standard industry practice.
Objectives Of Enterprise Risk Management
Risk management is the responsibility of everyone at the Group. It must be administered in alignment with the strategic direction and operational objectives. ERM is an integrated approach to assessing and addressing all risks that threaten the achievement of strategic objectives. The purpose of ERM is to understand, prioritize, and develop action plans to maximize benefits and mitigate the top risks. It therefore cannot be approached from a siloed perspective but instead has to be integrated across all business and support processes.
The objectives of this ERM framework are to:
• Improve accountability and governance.
• Encourage transparency.
• Improve financial management.
• Improve organisational resilience.
• Provide a systematic approach to the early identification and management of risks.
• Provide consistent risk assessment criteria.
• Make available accurate and concise risk information that informs decision making, including business direction.
• Adopt risk treatment strategies that are cost-effective and efficient in reducing risk to an acceptable level.
• Monitor and review risk levels to ensure that risk exposure remains within an acceptable level.
• Discourage unacceptable and unethical behaviours such as fraud, harassment and money laundering.
Risk Strategy
The Group’s risk management strategy is based on the following 4 principles:
• Conscious risk-taking – Stakeholder protection and sustainable operations are central to the Group’s value proposition. The Group thus operates within a clearly defined risk policy and risk control framework.
• Clear accountability – The Group’s operations are supported by clearly defined authority limitations. Individuals are accountable for the risks they authorise / accept on the Group’s behalf; and their decisions are taken within the context of overall business objectives.
• Transparency – Risk transparency, knowledge sharing and responsiveness to change are integral to the risk control process. It creates a culture of trust and reduces ad hoc responses to unexpected and complex events.
• Protection – Safeguard the Group’s assets as well as those of its customers (human, property and reputation) so that value is grown.
Risk Appetite
The Group’s risk appetite is the shared view of the Board, its Committees and the Senior Executive, and refers to the amount and level of risk taking that the Group is prepared to accept or avoid in order to achieve its strategic objectives. In pursuing its vision, purpose and strategic goals, the Group will accept a level of risk proportionate to the expected benefits to be gained and the impact or likelihood of damage.
The Risk Appetite Statement influences and guides decision-making, clarifies strategic intent and helps to ensure choices align with the capacities and capabilities of the Company.
As a general rule, the Group’s risk appetite requires the implementation of action plans that seek to reduce residual risks² that have been rated above moderate (i.e. Very High or High) to at least moderate or low.
A summary of the Risk Appetite Statement is shown in Table 1.
² Residual risk refers to the amount of risk exposure that is left after taking into consideration existing control measures, the experience of staff, the number of previous occurrences of the risks and similar factors.