One of the most critical factors affecting the efficiency and effectiveness of the organization’s risk management process is the establishment of an ongoing monitoring and review process. This process makes sure that the specified management action plans remain relevant and updated. In today’s continuously changing business environment, factors affecting the likelihood and consequences of a risk are also very likely to change. This is even truer for factors affecting the cost of the risk management options. It is therefore necessary to repeat the risk management cycle regularly.
To make Risk Management part of the organization’s culture and philosophy, the organization must collect and document experience and knowledge through consistent monitoring and review of events, treatment plans, results and all relevant records. This information, however, will be pertinent to information risks. Technical details concerning operational issues of the underlying technology have to be filtered out.
Each stage of the Risk Management process must be recorded appropriately. Assumptions, methods, data sources, results and reasons for decisions must be included in the recorded material.
Besides being an extremely valuable information asset for the organization, the records of such processes are an important aspect of good corporate governance, provided of course that they are in line with:
- the legal, regulatory and business needs for records,
- the cost of creating and maintaining such records,
- the benefits of re-using information.
Finally, it is very important to point out that Risk Management records, along with all relevant documentation, contain extremely critical and confidential information that should be treated in accordance with the appropriate classification level requirements.