The Institute of Internal Auditors has described the stages of risk maturity for organisations, with risk enabled as the top level. At this level, the organisation is using risk management processes to improve performance and decision-making. Discussions about risks take place as part of the planning processes and regular performance monitoring and risk assessment is not a separate activity. Trustees, managers and staff understand the levels of risk they are responsible for managing and report upwards when they notice a change in the ranking of a risk or activity. The risk management process needs to be led by the trustees and senior management team, but it needs to be clear that operational managers have their role to play and are responsible for managing risks as part of their job. It is usual to have an annual process in place for operational managers to report on how they manage risks. Note that the emphasis is on managing risk, so the process focuses on actions to control risks.

Want to discuss further?