What You Will Get
This innovative electronic assessment tool is bundled with:
1. Corporate Governance and Risk Management: A Guide to the Integrated Tool (PDF version)
2. A data entry program to populate the risk management and corporate governance management matrix
3. A reporting tool which reports on the content of the matrix
What Reports It Will Generate
Risk Responsibilities Mandates
This report outlines "who does what" (or "who should do what" if the Tool was completed in pro forma rather than current practice) in risk management. For each level of authority in the organization, specific responsibilities in the area of risk management are listed. Under each risk management responsibility, individual risks are ranked from highest impact to lowest. This report is meant to ensure that individuals and teams are aware of their own and others' responsibilities, and to help them focus their energies on the most significant risk areas.
Risk Operating Chart
This report illustrates the decision-making process for each group of risks in the organization (the operational flow of decisions and therefore information). It is meant to alert the responsible individuals and teams to the need to communicate and co-ordinate with one another, and for the risk champion or overseer to ensure this co-ordination. Among other uses, organizations may want to set up ad hoc or virtual cross-functional teams comprising all the individuals responsible for managing each group of risks.
Risk Documentation Report
This report shows which risks have (or should have) documentation or material backing them up (policies, procedures, reports, etc.) and then those risks which do not. It is meant to be used for audit trail and internal control purposes, as well as to alert the organization to possible gaps in control and documentation.
Business Unit Champions Report
This report indicates who the "champion" ("owner" or co-ordinator) is for each set of risks in the organization. Boards, executives and staffs can use this report to locate the right person when they have questions about risk management, or to form cross-functional teams of champions/owners to co-ordinate interdependent or enterprise risks. The report also indicates those risks for which a "champion" has not been identified, to alert the organization to possible gaps and a need to assign these.
Risk Action Report
This report groups risks according to the action identified in inputs to the Tool, and then lists all risks where no action has been identified. It can be used to check whether the appropriate actions are being taken and to assess the level of risk aversion at the organization (e.g. if few risks are "accepted" or "controlled" and most are "transferred" or "eliminated"). It can also be used for other management purposes, e.g. when evaluating insurance policy coverage, by checking all risks "insured".
Risk Impact Report
This report ranks all the organization's risks according to their significance or impact. This number (listed from highest impact 25 to lowest 0) represents the product of the extent of the risk (how much would we stand to lose/gain if this event occurred?) and its likelihood (how probable is it that this event will occur?), each rated from 0 (low) to 5 (high). These rankings can be used by the board and management to set risk tolerances and to determine priorities and cut-offs for resources, risk management, reporting, etc.
Interdependent Risk Report
This report lists all risks that have been identified as interdependent or affected by each risk. It is meant to alert the organization to the need to communicate and co-ordinate management of these groups of risks, and for the risk champion or overseer to ensure this co-ordination. Organizations may want to set up ad hoc or virtual cross-functional teams comprising those responsible for managing the risks within each interdependent group.