Monitoring changes in the internal and external risk environment enables the organisation to obtain information that may signal a need to re-evaluate objectives, policies and appetite for risk, internal control, information needs or related information systems.
Monitoring involves determining the effectiveness and appropriateness of the management strategies and systems set up to implement effective controls, the risk management plan and the system as a whole.
The process of monitoring and review can be prioritised to focus on:
- Risks posing the greatest probability of damage to the organisation, including business projects with significant risks attached.
- Key controls relied on in achieving an acceptable level of residual risk.
- More effective or lower-cost risk management (RM) alternatives, such as the use of technology.
- Business projects where the incidence of change is high.
Monitoring and review practices should be appropriate to the organisation. Practices might include:
- Continuous monitoring via routine measures and checks, including risk and control indicators.
- Line management reviews of risks and their controls.
- Analysis of actual losses and near misses.
- Internal and external audit to check processes, systems and controls.
Effective monitoring typically includes regular inspection of actual performance so that it can be compared with preset objectives and with expected or required performance.