Establishing a Risk Management Framework

20 Feb 2023


News & updates from BulliesOut

This informal CPD article on Establishing a Risk Management Framework was provided by BulliesOut, one of the UK’s most dedicated and ambitious anti-bullying charities.

Risk management is the process by which management, subject to Board oversight, assesses the nature and scope of risks applicable to a company; designs and applies appropriate controls to minimise the risks; and monitors the controls to ensure that they are working effectively. 

Managing risk is a central part of a company’s management strategy. The risk management framework should set out the principles and priorities for the way risk is managed. Its purpose is to show how continuity of service will be maintained, and in doing so to support decision making, improve efficiency and deliver value for money.

The risk management process is intended to provide a systematic, effective and efficient way for risks to be managed at different levels throughout the organisation. It is a continuous process carried out by each area of service and forms an integral part of that area's decision making.

The activities of the organisation are overseen by the Board, which meets on a regular basis. Where a separate Audit Committee exists, it may be responsible for overseeing the management of risk within the organisation, but ultimate ownership of corporate risk remains with the Board. The Board should review the Corporate Risk Register on a quarterly basis.

Risk register approach

The conventional risk register approach can be split into 4 steps as follows:

1. Identification of the risk

2. Analysis and Evaluation of the risk

3. Treatment of the risk

4. Monitoring of the risk.

However, there are a number of shortcomings of using the conventional risk register approach:

  • Scoring impact and likelihood numerically implies more precision than the underlying estimates support
  • Risks are considered and evaluated one by one, whereas in practice several risks may hit in succession or at once, and risks occurring together are more dangerous than any one of them alone
  • Risks are usually thought of as particular events, rather than as underlying causes which could give rise to a variety of unwanted effects
  • Risks are identified, assessed and dealt with in a serial or linear fashion, but almost every risk arises from a combination of factors and cannot easily be predicted
  • Risks are often considered in isolation and not related to organisational objectives or the benefits which can accrue from taking the risk; the risk should be balanced against the potential rewards
  • A risk register can give false accuracy and the impression that all risks are known and under control
  • A one-off exercise in which risks are identified and assessed may soon be forgotten and have no effect on how people do their jobs
  • Once completed, the risk register is largely ignored
  • People may be unaware of, or fail to identify, the biggest risks

Risks are identified using a number of methods, all of which depend on detailed analysis of the company's specific business activities to ensure that the correct and appropriate risks are captured. Once identified, a risk can be managed in one of four ways: accept it, transfer it to another party, treat it by applying controls that reduce its likelihood or impact, or remove it by ceasing the activity that gives rise to it.

Assurance is evidence, drawn from a mix of internal and external sources, that controls are in place and are well designed to mitigate and reduce risk. Assurance mapping provides a mechanism to demonstrate that every risk is subject to internal control, and that assurance has been obtained that those controls are in fact adequate and are operating consistently, so that the level of risk is managed appropriately.

It is important to recognise that not all assurances have the same value. Some will have greater credibility, integrity or relevance than others. The quality of the assurance obtained depends on a number of factors: the independence of the provider of the assurance, the complexity of the area under review, the expertise of the assurance provider, the age of the assurance, and the prime purpose for which the assurance work was undertaken.

We hope this article was helpful. For more information from BulliesOut, please visit their CPD Member Directory page. Alternatively, please go to the CPD Industry Hubs for more articles, courses and events relevant to your Continuing Professional Development requirements.
