What is a risk management plan?
Risk management plans are one way of dealing with risk. Much risk faced by organisations can be managed through a range of other methods. Risk can be:
- avoided (by discontinuing the activity that generates it);
- prevented (by introducing controls or checks that assess activities for risk);
- mitigated (by corrective controls, such as back-up systems); or
- transferred to another party (through insurance, outsourcing, etc.).
In cases where the risk is considered acceptable, creating a risk management plan to deal with that particular event is an appropriate and necessary part of overall risk management. Whether a risk plan is the most appropriate method of dealing with a risk will depend on the nature of that risk.
Risk management plans and the board
It is the role of the board of directors to oversee the setting of its organisation’s strategy and risk appetite, with due consideration given to its capacity to bear risk, its purpose and relevant stakeholders. The board should also ensure it has a risk management framework to identify and manage risk, including plans to mitigate the impact of material risks on the organisation. Advisory committees play a significant role in larger organisations, although the ultimate responsibility of risk oversight lies with the full board of directors.
Components of a risk management plan
The contents of a plan will vary depending on the risk and the organisation, with certain components suiting one but not another. The priorities are to craft a response to a risk occurring that takes into account the full impact that such an event might have, and to make the information in the plan clear and relatively concise for ease of comprehension. Graphics, spreadsheets and maps are some elements to consider including in your plans to increase readability and improve engagement with the plan’s intended users. If your organisation operates internationally, a map to display the risk’s potential impacts across these jurisdictions might be helpful, for instance. Graphs provide a way to lay out actions against a timeframe, while spreadsheets can be used to assign responsibilities among stakeholders.
After an event has occurred
Risk plans should be reviewed and refreshed on an ongoing basis to ensure they take into account any change with respect to that risk. If an event does occur and a plan is put into action, it is important to examine what served the organisation well and what did not, and to implement that knowledge in future plans. Boards should make time to discuss risk management practices across the whole of the business and whether lessons from an event indicate that business strategy and priorities need reconsideration.
For more on risk management plans
We have a collection of Director Tools to assist your board. Discover more about risk management plans with our tool on Risk management.
For not-for-profit organisations looking to examine their practices regarding risk management, see Principle 5 of our NFP Governance Principles, which deals with risk management.