Define the principles that underpin the organization's approach to risk management. Define, review, make accessible, and comply with risk management policies.
Provide leadership direction in relation to the risk management programme and the organization's risk appetite and risk tolerance. Establish and maintain a plan/strategy that outlines the scope and overall approach of the risk management effort.
Establish risk management governance structures. Outline the composition and scope of risk management governance bodies, decision rights, and authorization. Identify and establish reporting arrangements, issue escalation protocols, roles in complying with obligations and overseeing governance activities, and rules to govern and control the application of risk management authority within the organization.
Integrate IT risk management with digital leadership and governance structures, and with overall Enterprise Risk Management (ERM) policies and approaches.
Complete job and business process designs to identify the required roles for risk management tasks, and assign employees with the requisite knowledge and experience to the identified roles. Define and allocate the associated responsibilities and assign accountabilities to those who will be answerable for the achievement of risk management objectives.
Establish and make available a risk management training curriculum and other employee development mechanisms to enhance skills and competences. Record employee participation in risk management training and development initiatives, and recognize and acknowledge their achievements (e.g. courses completed, certifications, skills and competence levels acquired).
Inform stakeholders of key developments (e.g. objectives, policies, approaches, activities, risks, and outcomes) to build a shared understanding of how they can contribute to the realization of risk management objectives. Report on the effectiveness/efficiency of the risk principles, policies, controls, strategy, and activities.