Training objective
The objective of this practical and simplified mini-training video is to enable you to develop a risk-based approach.
What you’ll learn
After watching this training video, you will understand what a risk-based approach is and the seven steps for developing a risk-based approach.
Transcript
[Slide 3] Steps for developing a risk-based approach
A risk-based approach helps you identify the highest risks to your organization and make them the priority for controls, policies, and procedures. Once your management actions reduce those highest risks to acceptable levels, you move on to lower risks. The approach you take should reflect the level of risk your organization faces.
You are to identify, prioritize, deliver, manage and measure the controls in line with the organization’s risk management framework and risk-appetite thresholds.
There are seven steps for developing a risk-based approach.
Step 1 – Clarify objectives.
Clearly defined objectives are critical for the development and implementation of a risk-based approach.
For example, a risk-based regulatory approach will require you to consider your legislative mandate, your core purpose for regulated entities, regulation beneficiaries, and the options available to implement regulatory initiatives.
Step 2 – Identify the risks to objectives.
Risk identification is critical for prioritizing your focus, designing tailored initiatives, and allocating limited resources in the most cost-effective way relative to the outcomes you are seeking to achieve.
In this step, identify the highest risks and make them the priority for targeted management actions and mitigations.
Step 3 – Assess and prioritize the risks.
A risk assessment’s purpose is to understand the level of risk through estimating the likelihood of the risk occurring and the consequence of the impact, should it occur. It also helps you understand the root causes of the identified risks or understand the risk characteristics that are common to groups that you are working on.
The risk assessment informs the design of your initiatives and your resource allocation.
You can understand more precisely what the risks of different activities might be. This will enable you to make better decisions about how to prioritize your efforts and how to strategically manage the biggest risks that matter most to you with the limited resources that you have.
Step 4 – Group by risk characteristics.
Prioritize your efforts according to the risk characteristics that are common to groups. The prioritized groups could be designated as a high-risk group, a medium-risk group, and a low-risk group.
In our example of a risk-based regulatory approach, regulated entities are grouped by the regulator based on common risk characteristics. Motorists are often grouped according to age and gender. This grouping is based on the relative risk of road accidents in different age and gender groups.
You could also prioritize according to risk causes that are common to groups.
Step 5 – Allocate limited resources.
Adequate resources should be allocated to initiatives and behaviors that represent the greatest risk to the achievement of your objectives. You should focus the most significant proportion of your available resources on management actions and mitigations that target the highest priority or critical risk areas and behaviors.
Prioritize your actions according to the level of risk:
1. The high-risk group receives ‘high touch’ management actions or mitigations. For example, ‘Priority One’ businesses are audited biannually.
2. The low-risk group receives ‘low touch’ management actions or mitigations. For example, ‘Priority Two’ businesses are audited annually.
You may also need to understand the risk drivers behind the identified risks to develop the most effective management actions or mitigations.
Step 6 – Identify performance measures.
Monitor and assess your performance over time to understand the control effectiveness and efficiency of your actions.
To do this, identify and implement timely, relevant, and objective performance measures. Establish performance baselines or benchmarks to monitor changes in measures over time, where corrective action can be taken to improve performance.
Step 7 – Monitoring, reporting, and continual improvement.
Develop a structured and consistent focus on monitoring and reporting. This is critical to ensure that the risk-based approach is achieving its intended objectives.
Where appropriate, continuously improve on the risk-based approach for better outcomes.