Risk Management Best Practices

Proven Leading Practices to Improve Risk Management Operations


Develop and Clearly Document Risk Assessment Policies to Improve Future Understanding

Best Practice (Good)

Develop and clearly document a risk assessment policy that defines how often such assessments are performed, how risk is to be defined and how identified risks should be addressed and mitigated. Document clearly the how and why of a risk rating as well as the risk assessment process as a whole to allow management, regulators and future risk management employees to fully understand the assessment.

Typical Practice (Bad)

Allow risk assessment employees to use their "gut" when determining how often risk assessments are to be performed, the how and why of a risk rating, and how risks should be addressed and mitigated. It is the responsibility of employees within the Risk Assessment function to properly perform risk assessments on time and to ensure that any and all questions concerning the risk assessment (whether the questions are asked by management, a new risk manager, etc.) are addressed.

Benefits:

Developing and clearly documenting a risk assessment policy (which typically details how often risk assessments are performed, how risk is to be defined and how identified risks should be addressed and mitigated) not only ensures quick understanding by anyone who reads the resulting risk assessment reports, but also reduces the number of questions risk assessment employees will have to field because of ambiguous language or an overwhelming amount of unstructured data. This in turn frees risk assessment employees to work on other tasks. Furthermore, when a new risk manager or compliance officer takes over the risk assessment program, the tools, data and methodology of past risk assessments will allow them to start their new duties immediately. Such detailed risk assessment policies also allow examiners to see evidence that the company is reviewing and updating the risk assessment throughout the year, which is especially important when the rating of a risk, an asset, or one of the company's compliance controls changes.

Periodically Revisit Risk Assessments to Keep Them Up To Date

Best Practice (Good)

Revisit documented risk assessments on a periodic basis to evaluate the assessment's effectiveness and to identify areas where enhancements might be needed. Periodic updates to the company's risk assessment also allow the Risk Management Group to continuously focus on the assets and compliance controls that are considered critical to the company.

Typical Practice (Bad)

Revisit documented risk assessments only in preparation for examination by an appropriate regulatory body (typically done on an annual basis) and/or whenever an area of risk the business faces is observed or predicted to increase (e.g., expansion into other countries or lines of business, acquisition of another company, etc.) so as to keep risk assessment costs low and to free up risk management employees to perform other tasks.

Benefits:

As part of integrating risk management into organizational operations, companies need to regularly review their assets, risks and compliance controls to ensure they are up to date and comprehensive. Asset lists expand and contract (the company may want to expand into other lines of business, acquire another company, etc.), assets may become more or less important over time, and so on. As such, companies need to continuously revisit documented risk assessments to ensure that the ever-changing risks the company faces are efficiently identified and mitigated. Updating risk assessments only to appease regulatory bodies and/or when an increase in risk is directly observed or predicted can leave the company vulnerable to new or unmitigated risks, such as new hacking techniques.

Use Tailored Training Programs to Improve Company-Wide Procedural Compliance

Best Practice (Good)

Ensure that the Compliance Department takes reasonable steps to communicate periodically, and, in a practical manner, its standards and procedures to directors, officers and employees throughout the company, by conducting effective training programs. Such training programs should be tailored to the needs of each particular segment of the company. For example, sales and marketing personnel should receive training in antitrust and competition, while senior officers and those travelling outside the U.S. should be trained on the Foreign Corrupt Practices Act ("FCPA") and the OECD Anti-bribery Statutes.

Typical Practice (Bad)

Brief all new employees on compliance policies, best practices and procedures during their introductory period within the company. Any changes to compliance policies are then distributed via email and paper notices posted in high-traffic areas so as to ensure that the maximum number of employees will see them.

Benefits:

Using thorough and periodic training programs to educate the company's directors, officers and employees on appropriate company standards and procedures increases the number of compliance incidents reported, because employees will be able to identify those incidents easily, cutting down on the fines or fees that could result from not addressing an incident proactively. Furthermore, by ensuring that such training programs are tailored to the needs of each particular segment of the company, employees obtain an in-depth understanding of what to look out for in the procedures they practice every day, instead of those they will never practice (e.g., sales and marketing employees should receive training in antitrust and competition standards instead of the standards employees in the Collections Department have to comply with).