Review

Risk management – effectively understanding and governing risk

Risk management processes

The risk management framework makes it clear who has the responsibility for ownership and management of risks and their associated controls. The RAM team are responsible for ensuring that all risks are captured, that their status is recorded on the risk management system and that there is an appropriate evaluation of the potential size and frequency of a risk event occurring. Meetings are held with risk owners on a quarterly or half-yearly basis to discuss the status of risks, adequacy of design and performance of controls, and any loss events or near misses.

The Group has over 90 separate risks identified, all of which are defined by event, cause and effect. These are managed and controlled in a number of ways:

Pre-event treatments include:

  • Transferred, for example by way of insurance.
  • Prevented by physical means.
  • Controlled by way of policies, procedures and guidelines.

Post-event treatments include:

  • Detection, for example by way of exception reporting.
  • Mitigation through action taken to reduce financial impact such as debt recovery or business continuity.

During 2008 we are developing the risk management framework so that we are able to evaluate risk net of the effectiveness of both the design and performance of controls and other risk mitigation actions.