Whiteboard Series: What is a Risk Profile?
Posted on February 2, 2023 | in Operational Risk
A risk profile is a set of risks commonly maintained in a risk register.
Most companies define risk profiles at three different levels: Enterprise, Operational, and Specialist.
Enterprise-level risks arise from the strategic decisions a company makes. Risks at this level are primarily owned by the board, with input from a risk management advisory group. Enterprise risk profiles are reviewed at least once a year as part of the company’s corporate and internal audit planning process.
Operational risks derive from the day-to-day activities that may have enterprise-level effects. Leadership team members are responsible for owning the individually assigned operational risks. Team members should regularly discuss operational risk profiles in management and planning meetings and update them at least quarterly.
Finally, specialist risk profiles, such as health and safety, business continuity, and fraud and security, have external regulations and standards, compliance and reporting obligations, and mandated processes. Risk stewards of specialist risk profiles ensure that these risks are being managed and are visible to the board and leadership as necessary.
The risk management advisory group regularly reviews and approves specialist risk profiles to ensure that they are suitably aligned and visible.
Here are some general guidelines on when to create a risk profile.
- When a company policy or procedure requires a risk profile to be created.
- When an external obligation exists, for example, in legislation.
- When a new process or system is introduced.
- When substantial changes to an existing process or system are introduced.
- In situations that differ from business-as-usual operation.
- When entering into significant partnerships, contracts, or legal agreements.
- When undertaking activities that may be hazardous to people or property.
Your company’s risk management policy should define your risk profiles. The policy provides the overarching framework for the consistent identification, assessment, and management of the full range of risks to which the company is exposed.