Why It’s Important to Document the Needs of Risk Management

by John Thackeray

Good documentation is a prerequisite in the successful implementation of risk management, acting both as a delivery and message mechanism.


Risk is all around us. Thus, risk management will inform our decision making and, in some cases and depending on the maturity of the program, create a competitive advantage. The purpose of risk management is to challenge the assumptions behind management decisions in the areas of strategic planning, as well as budgeting and performance management. It is a tool to make any management team aware of the pitfalls of intended actions and at least give them the ability to change course if necessary. Risk management is important because of its message and disclosure. It affects and defines the engagement with internal and external stakeholders. Thus, risk management must be defined to reflect the organization's culture, attitude and commitment.

Risk management is evidenced in enterprise-wide risk management (ERM), which is a structured and continuous process across the whole organization. ERM responds to opportunities and threats that affect the achievement of the organization's objectives. The board has overall responsibility for ensuring that risks are managed and will delegate the operation of the risk management framework to the management team. One of the key requirements of the board is to gain assurance that risk management processes are working effectively and that key risks are being managed to an acceptable level. The starting point and most foundational step in this assurance will be the existing risk management document inventory. This inventory will clearly outline the organization's current commitment and attitude towards risk. Well-written documentation will be evidence reflecting the organization's evolution in risk management.

Good documentation is a prerequisite in the successful implementation of risk management, as it acts both as a delivery and message mechanism. Documentation must deliver a consistent message, speak a common language and have clear objectives allied to the maintenance of the organization's objectives, and it must be capable of being constantly reviewed and evaluated. The documentation should address:

  • How risk management is integrated within the organization
  • Understanding the organization's appetite and attitude for risk
  • The principles governing risk
  • Risk and its impact on organizational roles and responsibilities
  • The control environment
  • The communication channels and protocols for risk escalation and risk discussions
  • Risk methodology and analysis
  • Risk tools (risk materiality, stress testing, scenario design)
  • Risk management roles and responsibilities, risk management KPIs
  • Integration of risk information into management reporting
  • Policy and procedures
  • Auditing of risk management effectiveness

The nature and number of documents will depend largely on the size of the organization. Some documents may have a utilitarian purpose and incorporate many of the components listed above. The sample list below is not intended to be exhaustive but rather to give an idea of what risk documentation requirements may incorporate:

  • Risk appetite statement
  • Risk management framework
  • Risk materiality
  • Risk register
  • Risk taxonomy
  • Risk charters and mandates
  • Risk management policy and procedures
  • Methodologies
  • Risk escalation process
  • Risk metrics
  • Risk communications
  • Risk training courses
Good risk documentation will exhibit the following characteristics:

  1. It must be relevant (meeting best practices).
  2. It is easily understood.
  3. It is stored in a well-organized risk library and is easily accessible to employees.
  4. It is a living document, i.e. able to be amended and capable of tracking changes.
  5. It meets industry and regulatory standards.
  6. It has a clear approval process and time frame.
  7. It is reflected in both internal and external communications.
  8. It must be evidenced throughout the organization, from training to decision making.

To achieve clarity, the risk documentation should be written by someone independent of the organization who can challenge known assumptions with a questioning mind. The risk writer will still need input from the business, seek collaboration and guide the organization towards ownership of the final document. As a result, the document will be an objective piece of writing, speaking the language of the organization whilst being understood by the outside world.

John Thackeray is the CEO of risksmartinc.