The Internal Environment
In this phase we seek to understand the environment in which the organization operates and its tone with regard to risk and risk management. This sets the basis for how risk is viewed and addressed by the organization’s people, including its risk management philosophy and risk appetite, integrity and ethical values.
Policies and procedures are established and implemented to help ensure that the risk responses are effectively carried out.
The enterprise-wide risk management process established from the above seven components is monitored continuously, and modifications are made as necessary.
Internal and external events affecting the achievement of the organization’s objectives are identified, distinguishing between risks and opportunities.
Appropriate risk responses are suggested to the organization’s management for adoption and implementation. Possible responses include avoidance, acceptance, reduction/control, sharing, and transfer (insurance/contractual).
Identified risks are analyzed, considering likelihood and impact as a basis for determining how they should be managed.
Information and Communication
Relevant information is identified, and channels, formats and time frames for communication are established. Responsibilities are assigned. Effective communication is encouraged in a broader sense, flowing down, across and up the organization.