This is part 1 of our video series on "Disparate and Disconnected Risk Processes and Information". In this video, David Tattam talks about the key building blocks of a good risk management framework and how these can help form an integrated view of risks in your organisation.

Video Transcription

Hi, I'm David Tattam, Director of Research and Training at the Protecht Group. One of the common issues we find when we talk to clients about implementing and managing a risk management framework is they'll often highlight that they face a series of disparate and disconnected risk processes and, as a result, disparate, disconnected risk information.

The second problem is that a lot of the information they use is at a point in time, and often that point in time is historical, and as a result is not overly valuable. The solution to this is really twofold:

  1. Number one is to identify what the key building blocks of a good risk management framework are and, as a result, what risk information should look like. What are the parts?
  2. Secondly, once we understand those parts, how do we bring all that information, those processes, to an integrated combined view?

The Building Blocks of Risk Management

Let's go back to the building blocks. There are six:

  1. Risk taxonomy
  2. Risk assessment
  3. Control effectiveness
  4. Risk metrics (Key Risk Indicators)
  5. Incidents
  6. Control weaknesses and gaps

The first building block is to come up with a really good series of risk descriptions. We often call these the risk categories, the risk taxonomies. This allows us to aggregate risk up to the highest level, the board, by using the risk information underneath.

The second one is to carry out a periodic risk assessment. This identifies the risks that we face together with the key controls.

Thirdly, once we've identified the key controls, we should then be doing periodic control effectiveness assurance to let us know or tell us how effective our controls are.

Fourthly, because our risk assessments aren't very dynamic, we should also be collecting risk metrics. We call these key risk indicators that give us a more up-to-date view of our risks and our key controls.

Fifthly is our past incidents. What has actually gone wrong? What can we learn from those mistakes?

And lastly, from all of this we may identify areas we are not happy with. We call those control gaps or control weaknesses, and out of those we can come up with actions to improve and make ourselves stronger.

Once we have those building blocks we then move on to bringing them all together into a consolidated view. We call this a dynamic risk profile. We at Protecht call this RiskInMotion.


So please check our other blogs and our other videos, and until then take care.
