Risk Management: Policies, Procedures and Processes

We can’t discuss risk management without first talking about risk. Risk is defined as the probability of not achieving, or reaching, certain outcomes. Risks are always measured in terms of the effect that an event will have on the degree of uncertainty of reaching stated objectives.

Risk management is a process in which businesses identify, assess and treat risks that could potentially affect their operations. It can also be described as a system by which a firm seeks to manage its over-arching (and occasionally conflicting) public-interest obligations alongside its business objectives.

In relation to the accounting profession, the risk management process requires consideration of the risks around governance, business continuity, human resources, technology, and the business, financial and regulatory environments.

A Risk Management Policy statement is documentation of the risks involved in performing a specific action. Any activity can involve some risk, and companies create a risk management policy statement as a way of defining those risks.

In business, the risk management procedure involves five steps which combine to deliver a simple and effective risk management process: identifying the risk, analysing the risk, evaluating or ranking the risk, treating the risk, and monitoring and reviewing the risk.

When designing the risk management framework of an entity, the entity requires policies and procedures that are developed to identify, assess and manage the key organizational risks it faces.

The risks in any form of organization fall into eight (8) areas:

  • Business Continuity Risks
  • Governance Risks
  • Financial Risks
  • Business Operational Risks
  • Technology Risks
  • Human Resources Risks
  • Regulatory Change Risks
  • Stakeholder Risks

Hence, any risk management policies, procedures and processes developed in an organization must address the risks outlined above.

Risk Management: Policies, Procedures and Processes

As part of risk management, it’s important to have clear policies, procedures and processes in place. These set standards and help everyone know how to operate.

If a company has policies and processes in place for its employees, it is clearly creating standards for its business, and this can also improve the way its customers and employees relate to the business. Some points that can help an organization make better policies and processes are:

  • Identifying the key processes and tasks in the organization, and developing standard operating procedures (Standard of Operations) for each.
  • Allowing staff to contribute to the Standard of Operations and regularly reviewing the processes.
  • Ensuring that company policies are documented and accessible.
  • Making important procedures, such as first-aid and emergency exits, clearly visible (this is directly related to risk).
  • Communicating the company’s policies to employees and helping them understand the policies and why they are significant.
  • Educating employees on procedures that are directly related to a certain role.

An effective risk management process is important in today’s business environment. Identifying the potential risks facing your business and having a plan in place to deal with them should they occur can make the difference between success and failure.

A key factor in any risk management process is the leadership of the firm, as it is the example set and maintained by the firm’s leadership that sets the tone for the rest of the firm. Consequently, a firm’s adoption of a risk-aware culture depends on clear, consistent and frequent actions and messages from and to all levels within the firm. These messages and actions need to constantly emphasize the firm’s risk management policies and procedures.

In risk management, risk assessment is an important but difficult step. It deals with identifying the range and extent of risks to your information, and is the basis for formulating and implementing the appropriate controls that mitigate or reduce any identified risks.

Policies contain high-level principles that a certain department or functional area of the organization must follow, as formally agreed upon by management. Procedures are connected with particular policies and define lower-level processes, such as daily, weekly or quarterly functions and job activities. Procedures bring a set of related functions and organizational processes together, which can then be joined in a well-defined category, such as hiring and termination in HR or access management in IT.

Likewise, processes are usually contained within procedures, defining in detail how regular business functions are performed, whether on a recurring or as-needed basis. A process has both a start and a finish, and shows interrelationships and dependencies with other processes and organizational areas or technologies. It also provides insight into standard functions and key risk and control points that need to be monitored and taken into consideration for risk assessment, mitigation and audit efforts.

The fact is that, in any organization, all the risks it is exposed to must be managed, and in managing them, policies, procedures and processes have to be put in place. That is why it is so pertinent to understand what each of them entails.

Well-defined policies, procedures and processes provide a basis for an organization to analyse how to move from its existing state to a target state. Gaps can be identified by outlining current requirements, interdependencies, operations, risks and controls. By doing this, a company can be said to have successfully and intelligently entrenched the right controls into the right processes.


Risk Management Process according to ISO 31000:2018

In risk management, the first thing to do is to identify the risk; this is called Risk Identification. Risk identification requires that reasonably foreseeable risks with the potential to have a meaningful impact on the organization be identified. A risk is any event or action with an uncertain effect that may impact an organization’s objectives. Furthermore, risks arise as much from the possibility that opportunities will not be realized as from the possibility that threats will materialise, errors will be made, or damage will occur.

The next process according to ISO 31000:2018 is Risk Analysis. This involves developing an understanding of the risk and provides an input to risk evaluation and to decisions on whether risks need to be treated and, if so, on the most appropriate risk treatment methods. This analysis can also provide input into the options to address risks and inform the decision making required across different types and levels of risk.

All risks within an organization are assessed using a common scale that lays emphasis on:

  • The potential consequences if the risk were to occur
  • The likelihood of the organization being impacted in that way.

Lastly, we have Risk Evaluation, which assists in making decisions, based on the outcome of risk analysis, about which risks need treatment and the priority for treatment implementation. Under risk evaluation, decision makers should look at the context of the risk and consider the organization’s appetite and tolerances across categories of the company’s activity, as well as the actual and observed consequences to external and internal stakeholders. Risk evaluation identifies those risks where the inherent risk is greater than the risk tolerances, and where risk treatment is therefore required to further manage the risk.

Differentiating Between Policies and Procedures

A policy is a predetermined course of action, established to provide a guide toward accepted business strategies and objectives. It can also be said to be a direct link between an organization’s vision and its day-to-day operations. Policies tend to identify the main activities and provide a general strategy to decision makers on how to handle issues as they arise in the organization.

Meanwhile, procedures provide employees in an organization with a clear and easy plan of action required to carry out or implement a policy. Good procedures allow managers to regulate events in advance and prevent the organization (and employees) from making costly mistakes. You can think of a procedure as a road map where the trip details are highlighted in order to prevent a person from getting lost or ‘wandering’ off an acceptable path identified by the company’s management team.

In relation to risk management, policies and procedures are required when there is a need for consistency in an organization’s day-to-day operational activities. This tends to provide clarity to any employee when dealing with accountability issues or activities that are critically important to the organization, such as legal liabilities, regulatory requirements, or issues that have serious consequences.

An organization must ensure that its employees comply with all policies, procedures and processes set up in relation to risk management. That is why it is so important for an organization to seek the help of business or financial consultants when commencing operations. A business analyst will help the organization identify the risks it is likely to encounter, and will also help it outline how those risks can be managed (risk management) through the use of various policies, procedures and processes.

To ensure that employees comply with the laid-down policies and procedures in relation to risk management in an organization, five steps are outlined below.

  • Meeting with the divisional leaders of each division in an organization to ensure that the policies and procedures are feasible.

Ensuring compliance begins with involving the leaders of each section of the organization. Policies are often created by someone within an organization who does not have a comprehensive understanding of the daily tasks within each department. Involving others, even if just for a 30 minute interview surrounding a policy, ensures new policies.

  • Determining the best policy format for the company’s audience

Different departments consist of different personalities, schedules, and daily experiences. To ensure compliance with policies and procedures, an organization must make sure that it reaches its employees through vessels they are comfortable with. A benefit of meeting with divisional leaders is that they can provide more information, including how the policies will be best received. Examples of different vessel requirements include situations where employees do not access computers during the work day but m company smart phone, making them better candidates for a video presentation of their policies and procedures.

  • Making policies and procedures easily accessible to employees

Do company employees know where to look for their policies and procedures, or are they overwhelmed by a minefield of folders on a shared drive with a naming convention that can only be interpreted by code-breakers? Not only should time be spent ensuring that the organization of policies and procedures makes logical sense; you should also make sure that an employee from any department, and any level of management, is able to find the policies that apply to them within 3 clicks. This will help ensure they do not get frustrated and abandon the attempt at being compliant.

  • Setting deadlines for each policy and procedure to be acknowledged

Setting deadlines for acknowledgement does not just mean establishing an Outlook Calendar reminder on their effective date. Once the policies and procedures have been created and are accessible, weekly meetings should be set up with all managers to ensure they have a successful plan in place to secure employees’ compliance and understanding. If you send out surveys to each employee, send scheduled email reminders to guarantee they have received the policies and procedures and know the deadlines. Include a contact number and email address within the reminders in case they have questions.

  • Determining the best way to measure understanding

Each policy and procedure is an individual, and should be treated as such. Standardized accepted responses are okay for some standard policies, but ensuring compliance. Depending on the task or field, taking quizzes, scheduling practice runs, or a combination of both can dramatically increase employee compliance with policies and procedures.

Below is a sample Risk Management Policy and Procedure of an organization (HABYNEX REAL ESTATE CONSULTANCY):

  1. Purpose and Scope: This policy institutes the process for the management of risks faced by Habynex Real estate consultancy. The aim of risk management is to maximise opportunities in all Habynex Real estate consultancy activities and to minimise adversity. The policy applies to all activities and processes associated with the normal operation of Habynex Real estate consultancy. It is the responsibility of all Board members, staff, students and volunteers to identify, analyse, evaluate, respond to, monitor and communicate risks associated with any activity, function or process within their relevant scope of responsibility and authority. This policy does not detail consumer risk management. See xxx Policy.
  2. Definitions: Risk is the likelihood that a harmful consequence (death, injury or illness) might result when exposed to a hazard. Risk is described and rated by considering two characteristics: 1. Probability or likelihood (L) of occurrence; and 2. Consequence (C) of occurrence. This is expressed as R (risk) = L (likelihood) x C (consequence). Likelihood is a qualitative description of probability or frequency. Consequence is the outcome of an event, being a loss, injury, disadvantage or gain. There may be a range of possible outcomes associated with an event. Risk control means taking action to first eliminate health and safety risks so far as is reasonably practicable, and if that is not possible, minimising the risks so far as is reasonably practicable. Eliminating a hazard will also eliminate any risks associated with that hazard. Risk Assessment is the process of evaluating and comparing the level of risk against predetermined acceptable levels of risk. Risk Management is the application of a management system to risk and includes identification, analysis, treatment and monitoring.

Risk Owner is the person(s) responsible for managing risks and is usually the person directly responsible for the strategy, activity or function that relates to the risk.

  3. Principles: Risk management is a key governance and management function. Habynex Real estate consultancy is proactive in its approach to risk management, balances the cost of managing risk with anticipated benefits, and undertakes contingency planning in the event that critical risks are realised. Habynex Real estate consultancy has the primary duty to ensure the health and safety of workers and other persons at the workplace or in the field. A duty to ensure health and safety requires Habynex Real estate consultancy to manage risks:
  • By eliminating health and safety risks so far as is reasonably practicable; and
  • If it is not reasonably practicable to eliminate the risks, by minimising those risks as far as is reasonably practicable.

Deciding what is ‘reasonably practicable’ to protect people from harm requires weighing up certain matters, including the likelihood of a hazard or risk occurring and the degree of harm that would result, and then making a judgement about what is reasonable in the circumstances.

Effective risk management involves:

  • A commitment to health and safety from the Habynex Real estate consultancy Board of Directors
  • The involvement and cooperation of Habynex Real estate consultancy’s workers
  4. Outcomes: As far as is reasonably practicable, workers, consumers and other persons are not put at risk from work carried out by Habynex Real estate consultancy. The organisation is protected from adverse incidents, reduces its exposure to loss, and mitigates and controls loss should it occur. The company has ongoing, unhindered capacity to fulfil its mission, perform its key functions, meet its objectives and support its consumers. The cost of risk to the organization, and its funders, is reduced.
  5. Functions and Delegations: A person can have more than one duty, and more than one person can have the same duty at the same time.

Position: Board of Directors
Task/Delegation: Exercising due diligence to ensure that the organization complies with the Real Estate and Surveyors Act and Regulations.

Position: Management (CEO)
Task/Delegation: Ensure, so far as is reasonably practicable, that workers and other persons are not put at risk from work carried out by the organisation.

Position: Staff
Task/Delegation: Compliance with the Risk Management policy; staff also contribute to the establishment and implementation of risk management systems for all functions and activities of Habynex Real estate consultancy.

  6. Risk Management: All Board members and staff contribute to the establishment and implementation of risk management systems for all functions and activities of Lalakula. Risk management practice aligns with all federal and state legislation on Real Estate and Surveyors.
  7. Policy Implementation: Risk management forms part of strategic, operational and line management responsibilities, and is integrated into strategic and service planning processes. Risk management is embedded in all policies and procedures, with workers contributing to risk management systems.
  8. Policy Detail: The organization aims to achieve better practice in the management of risks that threaten to adversely impact it, its functions, objectives, operations, assets, staff, consumers or members of the public. The organisation does whatever it can (whatever is ‘reasonably practicable’) to ensure its workers, consumers and other people are not harmed by its activities. Risk management involves four steps:
  i. Identify hazards – find out what could cause harm.
  ii. Assess risks – understand the likelihood of a hazard causing harm and how serious it could be.
  iii. Control risks – implement the most effective control measure that is reasonably practicable in the circumstances, and
  iv. Review control measures to ensure they are working as planned.

Many hazards and their associated risks are well known and have well established and accepted control measures. In these situations, the second step of formally assessing the risk is unnecessary. If, after identifying a hazard, we already know the risk and how to control it effectively, Habynex Real estate consultancy just implements the controls.

Therefore, in preparing the risk management policies, procedures and processes of an organization, the above sample can be used as a guide to prepare your entity’s own. An entity can further break down its own policies, procedures and processes to give its employees more clarity.

Definitions of Risks in an Organization

  • Business Continuity Risks: This includes physical security breaches, such as unauthorized building access, vandalism to a building and its facilities, fraud and civil
  • Governance Risks: This refers to a company’s coordinated strategy for managing the broad issues of corporate governance, enterprise risk management (ERM) and corporate compliance with regard to regulatory requirements.
  • Financial Risks: This generally deals with the odds of losing money: the possibility that an entity’s cash flow will prove inadequate to meet its obligations. It covers the various types of risk associated with financing.
  • Business Operational Risks: This relates to activities carried out within an entity, arising from structure, systems, people, products or processes. It is the prospect of loss resulting from inadequate or failed procedures.
  • Technology Risks: This is any potential for technology failures to disrupt a business, such as information security incidents. This form of risk is becoming more prominent and more dangerous in the business world.
  • Human Resources Risks: These risks include sabotage, violence, theft, fraud, employee replacement due to sudden illness, unplanned occurrences in the organization, accidents and so on. They relate to employees or employers in an organization.
  • Regulatory Change Risks: This is the risk that a change in regulations or legislation will affect a security or company: the potential that changes to laws, regulations or their interpretation will cause a company losses.
  • Stakeholder Risks: According to Freeman (2004), stakeholders are defined as any group or individuals who are crucial for an organization’s survival and can affect, and be affected by, an organization’s objectives. Therefore, involving stakeholders in risk management means seeing risk management through the same lens.


Risk is a pervasive and rising component of delivering professional accounting services to clients, and is not confined to taking on client work that can put the entity’s reputation into decline.

Risk management systems need to be properly and adequately documented, so that all necessary requirements can be complied with and referred to. When it comes to risk management, the form and content of the documentation is a matter of judgment, and depends on a number of factors.

Proper and adequate documentation enables the risk management policies and procedures to be effectively communicated to the entity’s personnel.

Finally, the main message that must be included in all such communications is that each individual in an entity has a personal duty for risk management and is required to comply with all such policies, procedures and processes.

About the Writer

Olusipe Abiodun Yinka is an Audit Associate in Bulls Capital Limited. He has a National Diploma in Accounting from Abraham Adesanya Polytechnic, Ijebu-Igbo, Ogun State; as well as a Degree in Accounting from Alex Ekwueme Federal University, Ebonyi State. He is a creative writer and a Trendsetter. Apart from writing, Olusipe is also an entertainer.
