A risk management policy statement is a tool used by companies and other organizations to identify risks and respond to them in a way that minimizes their impact. A risk statement summarizes a potential problem that needs to be addressed. The statement communicates the possible adverse event or condition and its consequences on the objectives of the program if the risk materializes. The statement informs other members of the expanded program team, program leaders, and stakeholders to inform them and possibly help them make risk-taking decisions.
A risk management plan describes how an organization will manage risk. It establishes elements such as the organization's risk approach, the roles and responsibilities of risk management teams, the resources it will use to manage risk, policies and procedures. Risk management planning can seem expensive depending on the size and scope of the project in question. Risk management planning is an ongoing process that requires relentless reporting to ensure that everything works according to standards.
Companies are also exploring how artificial intelligence technologies and sophisticated governance, risk and compliance (GRC) platforms can improve risk management. They focus on the brand reputation of their companies, understand the horizontal nature of risk, and define ERM as the right amount of risk needed to grow. Many risk analysis techniques, such as creating a risk model or simulation, require collecting large amounts of data. The scandal related to the misrepresentation of coronavirus-related deaths in New York nursing homes by the governor's office is representative of a common failure in risk management.
However, as Valente pointed out, companies that define themselves as risk-averse with a low appetite for risk sometimes don't hit the mark in their risk assessment. The risk management discipline has published many sets of knowledge that document what organizations must do to manage risk. Traditionally used as a means of communication with employees, investors and regulators, risk appetite statements are starting to be used more dynamically, replacing checkbox compliance exercises with a more nuanced approach to risk scenarios. In addition to using risk management to avoid adverse situations, more and more companies are seeking to formalize the way positive risks are managed to add business value.
Modern organizations face multiple risks, so it's important to prepare a risk management plan before embarking on any new project. A crucial part of risk mitigation is preparing a contingency plan or a plan B in case the main risk response plan fails. For other ways in which the two approaches diverge, see Traditional Risk Management vs. Definition, by technology writer Lisa Morgan, which will help you identify all the possible risks that could influence your company, to coherently assess the impact of those risks and to determine how you intend to mitigate them.
Access to risk reports and financial analysis allows you to establish acceptable levels of risk for any future project. The steps are simple, but risk management committees should not underestimate the work needed to complete the process.