Principle
The organisation has a process by which it can identify, assess and mitigate the significant risks to the achievement of its business objectives.
Minimum standards
Process to identify all significant risks
The organisation has a process to identify all significant risks to the achievement of its business objectives. Formal risk identification is undertaken at least annually, and updated regularly – in line with the changing risk profile of the organisation.
Risk assessed using appropriate techniques
The organisation assesses risk using appropriate qualitative and/or quantitative techniques, including consideration of risk aggregations and correlations. Risk assessment considers both the likelihood that the risk could occur and the impact were it to occur. The organisation assesses both inherent risk (i.e. risk before controls) and residual risk (i.e. risk after controls).
System of internal control
The organisation has in place internal controls designed to manage its risks to acceptable levels. The organisation regularly reviews the effectiveness of those controls in managing risk and in keeping residual risk within its risk appetite.
Identification and assessment
The identification and assessment of risk and control prompts action where necessary.
Risk register
The organisation captures details of all significant risks in a risk register, typically including:
- a description of the risk;
- the assessment of risk and control;
- causes and influencing factors, both internal and external;
- effects and outcomes – financial, reputational, or other; and
- controls and actions currently in place to manage elements of the risk.
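As an added example (not part of the original page), the following Python sketch holds the register fields listed above as structured data and applies the scoring described under "Risk assessed using appropriate techniques": likelihood and impact are rated, inherent and residual scores are computed, and the "prompts action where necessary" requirement becomes a check against a risk appetite threshold, both per risk and for risks that share a cause (a simple aggregation). The 1-5 rating scales, the score = likelihood x impact convention, the appetite threshold of 10 and the three sample risks are all constructed assumptions, not values from the page.

```python
from dataclasses import dataclass

# Assumed convention for this example: both likelihood and impact are rated
# 1 (lowest) to 5 (highest) and a score is the product of the two.
SCALE = range(1, 6)


@dataclass(frozen=True)
class Risk:
    """One row of the risk register, with the fields listed on the page."""
    risk_id: str
    description: str
    causes: tuple[str, ...]      # internal and external influencing factors
    effects: tuple[str, ...]     # financial, reputational, operational, ...
    controls: tuple[str, ...]    # controls currently in place
    inherent_likelihood: int     # before controls
    inherent_impact: int
    residual_likelihood: int     # after controls
    residual_impact: int

    def __post_init__(self):
        for v in (self.inherent_likelihood, self.inherent_impact,
                  self.residual_likelihood, self.residual_impact):
            if v not in SCALE:
                raise ValueError(f"{self.risk_id}: rating {v} outside 1-5 scale")
        # Controls can only reduce risk; a residual above inherent is a data error.
        if self.residual_score > self.inherent_score:
            raise ValueError(f"{self.risk_id}: residual risk exceeds inherent risk")

    @property
    def inherent_score(self) -> int:
        return self.inherent_likelihood * self.inherent_impact

    @property
    def residual_score(self) -> int:
        return self.residual_likelihood * self.residual_impact


def actions_required(register: list[Risk], appetite: int) -> list[str]:
    """IDs of risks whose residual score is still above the appetite threshold."""
    return [r.risk_id for r in register if r.residual_score > appetite]


def aggregate_by_cause(register: list[Risk]) -> dict[str, int]:
    """Sum residual scores of risks that share a cause (a simple aggregation)."""
    totals: dict[str, int] = {}
    for r in register:
        for cause in r.causes:
            totals[cause] = totals.get(cause, 0) + r.residual_score
    return totals


def aggregated_actions(register: list[Risk], appetite: int) -> list[str]:
    """Causes whose combined residual score exceeds appetite, even where each
    individual risk is within it."""
    return sorted(c for c, total in aggregate_by_cause(register).items()
                  if total > appetite)


# Constructed sample register; the ratings are illustrative only.
APPETITE = 10
REGISTER = [
    Risk("R1", "Ransomware encrypts production file servers",
         causes=("phishing", "unpatched VPN appliance"),
         effects=("financial", "operational"),
         controls=("offline backups", "MFA on VPN"),
         inherent_likelihood=4, inherent_impact=5,
         residual_likelihood=2, residual_impact=3),
    Risk("R2", "Credential theft via phishing leads to payroll fraud",
         causes=("phishing",),
         effects=("financial",),
         controls=("MFA", "dual authorisation of payments"),
         inherent_likelihood=4, inherent_impact=4,
         residual_likelihood=2, residual_impact=3),
    Risk("R3", "Cloud misconfiguration exposes customer data",
         causes=("manual console changes",),
         effects=("reputational", "financial"),
         controls=("infrastructure-as-code policy checks",),
         inherent_likelihood=3, inherent_impact=5,
         residual_likelihood=3, residual_impact=4),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.risk_id}: inherent {r.inherent_score}, residual {r.residual_score}")
    print("action required:", actions_required(REGISTER, APPETITE))
    print("aggregated causes above appetite:", aggregated_actions(REGISTER, APPETITE))
```

Note that R1 and R2 are each within appetite on their own, but because both stem from phishing their combined residual score is not; that is the kind of correlation the assessment step is meant to surface.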