The board's responsibility for risk governance

| Principle | Explanation | Difference |
|---|---|---|
| 4.1. The board should be responsible for the governance of risk | This responsibility must be demonstrated. | No difference |
| 4.2. The board should determine the levels of risk tolerance | The board should understand the risk levels that it has the ability to tolerate versus the risk that it is willing to take (risk appetite). | No requirement to articulate risk appetite/tolerance |
| 4.3. The risk committee or audit committee should assist the board in carrying out its risk responsibilities | The board can delegate the responsibility to a committee of the board. | No difference |

Management's responsibility for risk management

| Principle | Explanation | Difference |
|---|---|---|
| 4.4. The board should delegate to management the responsibility to design, implement and monitor the risk management plan | The risk management plan requires specific activities to be completed. | No requirement in respect of a risk management plan |

Risk assessment

| Principle | Explanation | Difference |
|---|---|---|
| 4.5. The board should ensure that risk assessments are performed on a continual basis | The board should ensure that risk assessments are performed on a continuous basis (minimum annually) using a top-down approach. | Minimum of annual assessment |
| 4.6. The board should ensure that frameworks and methodologies are implemented to increase the probability of anticipating unpredictable risks | Risks should be prioritised and ranked to focus the responses and interventions on those risks outside the board's risk tolerance limits. | No explicit requirement on the adoption of frameworks and methodologies |

Risk response

| Principle | Explanation | Difference |
|---|---|---|
| 4.7. The board should ensure that management considers and implements appropriate risk responses | Annual risk management plan approval, implementation and monitoring. | No requirement in respect of a risk management plan |

Risk monitoring

| Principle | Explanation | Difference |
|---|---|---|
| 4.8. The board should ensure continuous risk monitoring by management | Annual risk management plan approval, implementation and monitoring. | No requirement in respect of a risk management plan |

Risk assurance

| Principle | Explanation | Difference |
|---|---|---|
| 4.9. The board should receive assurance regarding the effectiveness of the risk management process | Combined assurance requires active consideration of the assurance the board receives on the risks to which the organisation is exposed. | No requirement |

Risk disclosure

| Principle | Explanation | Difference |
|---|---|---|
| 4.10. The board should ensure that there are processes in place enabling complete, timely, relevant, accurate and accessible risk disclosure to stakeholders | The board should disclose how it has satisfied itself that risk assessments, responses and interventions are effective, as well as any undue, unexpected or unusual risks and any material losses. | Disclosure only on how risk management is applied |