Risk Monitoring and Control: 7 Steps to Manage Threats

In all organizations, there are risks, but the ones that succeed versus the ones that falter, usually have one discipline in common: They are better at observing and managing those risks over time. Without risk monitoring and control, risk management will remain a one-off in a spreadsheet. It’s the continuous activity of identifying risks that are known, identifying new risks, and ensuring the existing controls are effective.

Risk Monitoring and Control

A large number of businesses invest in identifying and evaluating risk, but then fail to update their risk register after. A large number of businesses invest in identifying and evaluating risk and then allow their risk registers to go out of date after the initial assessment is done. There’s trouble, here. Markets evolve, regulations change, supply chains fail, new threats come along every day. Even the best risk assessment is obsolete within months if it is not monitored and controlled.

This guide explains the concept of risk monitoring and control, why it is important and how organisations of any size can establish a system that will detect issues before they escalate to crisis.

What Is Risk Monitoring and Control?

Risk monitoring and control is defined as the ongoing activities of tracking known risks and reviewing the effectiveness of the risks that have been identified and then making adjustments to the plans as circumstances vary. It is the phase of the risk management process after the risks are identified and evaluated.

Imagine a dashboard in a car. You can’t just once check your oil and assume it will never need to be changed again. You monitor the gauges all the time, pay attention to warning lights, and bring the car in when the warning lights tell you to do so. Risk control measures work the same way. They don’t require a single review, they require constant attention.

The process is usually comprised of four successive activities:

Monitoring of identified risks to determine if the risk level or risk impact has changed.
Tracking for new or emerging threats that were not included in the initial assessment.
Evaluating the effectiveness of current controls; Determining if current controls are effective;
Providing information to decision makers for prompt action.

Those organisations that don’t take this as a compliance tick-box exercise but as a discipline are more likely to discover issues before they cause actual harm.

Why Risk Monitoring Matters

The idea of risk management is to think of it as a one-time effort at the beginning of a project or fiscal year. Risks are constantly changing. The supplier may have been a healthy company a year ago but this year could be a tough year. A control that was effective a year ago could have vulnerabilities that newer attacks are taking advantage of.

There is a downside to weak or non-existent monitoring practices:

Financial risks run amuck. Even a small risk can develop subtly if there is no one monitoring for changes in risk or its impact.

Non-compliance is not detected. Regulatory requirements are constantly changing. If organizations are not monitoring, it is possible for them to become non-compliant without knowing it, until an audit or incident brings it to the surface.

Control fatigue sets in. Controls that aren’t tested regularly tend to decay. Employees no longer adhere to the procedures exactly, automation becomes outdated, and the gaps grow silently.

Delay in response. Without early warning detection, organizations are stuck in reactive mode rather than preventive mode.

A risk identified as “low probability” at the planning stage can then be forgotten for months, only to crop up when nobody was monitoring the factors that made it more likely. Continuous risk monitoring fills that gap by maintaining a focus on risks over the course of their life cycle, and not just at the start.

Risk Monitoring vs Risk Control

Monitoring communicates to you what is occurring. Control is what you do about it. They don’t work very well alone. Without monitoring, a company with good controls will not be aware when the controls begin to fail. A company that watches but does not respond to the information gathered is collecting data with no attempt at protection.

Aspect Risk Monitoring Risk Control
Primary Focus Observing and tracking risk conditions over time Implementing measures to reduce or manage risk
Nature Ongoing surveillance and data collection Active intervention and mitigation
Key Tools KRIs, dashboards, audits, risk registers Policies, procedures, technology safeguards, insurance
Timing Continuous, throughout the risk lifecycle Applied once risk is identified and assessed
Output Alerts, trend reports, early warnings Reduced likelihood or impact of risk events
Example Tracking a rising fraud attempt rate Implementing multi-factor authentication

Objectives of Risk Monitoring

There is a specific purpose for a well-designed monitoring function and not simply to produce reports for the sake of producing reports.

Early warning of potential dangers. The key aim is to identify signs of a risk before it becomes a loss event, so the organisation can respond proactively, not reactively.

Effectiveness verification. Monitoring is used to ensure that the risk reduction measures are effective and not just on paper.

Objectives of Risk Monitoring

Informed decision making support. Leadership must have up-to-date and accurate risk information to make good strategic and operational decisions. Keeping track of resources on a continuous basis, not on snapshots.

Regulatory and compliance assurance. Ongoing monitoring is also essential for industries that are subject to regulation, as it will help to provide evidence that they are in compliance during audits and examinations.

Ongoing enhancements of the risk framework. Monitoring identifies indicators, thresholds and controls that require modification as the business and its context change.

Risk Monitoring Process (Step by Step)

If teams are developing or establishing a monitoring program, a structured approach will make it much more manageable.

Step 1: Identify the area of monitoring. Begin with the risks found in your risk assessment. Use the likelihood and impact scores to prioritize – using limited monitoring resources to the risks that matter most.

Step 2: Assign risk owners. All risks should have a risk owner, this could be an individual or a team. If no one owns it, then no one will monitor it.

Step 3: Identify KRIs and thresholds. Define measurable metrics for each priority risk and establish thresholds for review or escalation.

Step 4: Choose your monitoring tools. It can be a shared spreadsheet for a small business to a dedicated governance, risk and compliance (GRC) platform for a large enterprise. The device is not as important as the discipline to use it regularly.

Step 5: Establish a review schedule. Weekly for high priority operational risks, monthly for moderate risks, quarterly for strategic and long term risks. Tune in to the rate of change in your industry.

Step 6: Test controls on a regular basis. Incorporate build control testing into your compliance schedule, not during an audit.

Step 7: Report and escalate. Design basic, standardised reporting forms that deliver the information to the right people at the right time, without drowning out important data in detail.

Step 8: Review and revise the entire system. The risk environment evolves and so should your monitoring. The whole framework is reviewed annually to identify indicators or control gaps that may become outdated.

Risk Monitoring Techniques

Organizations use a combination of methods to ensure that risk visibility is up to date; most of the more advanced programs use multiple methods instead of a single one.

Periodic risk reviews. Pre-arranged meetings to discuss risk owner assigned risks, risk status and changes in likelihood or impact.

Variance analysis. Monitoring the results against the actual plan to identify drift that may indicate a growing risk.

Trend analysis. Monitoring data over time, as opposed to just in time, to differentiate a short-term rise or fall in risk conditions from a real change.

Independent review and audit. Internal or external auditor checks the effectiveness of controls and if the level of risk reported is consistent with what is actually present on the ground.

Surveys and self-assessments. Takes the form of structured questionnaires filled out by department heads or risk owners, which can be helpful to gather qualitative risk signals that are not reflected in hard data.

Automated data monitoring. Feeds of operational, financial or security data that are tracked by software and updated in real time to provide risk indicators.

Key Risk Indicators (KRIs)

Key risk indicators (KRIs) are data points that are measurable that indicate when a risk is in an adverse trajectory. While key performance indicators are metrics that indicate success, KRIs are indicators that something is amiss that could indicate a problem.

For instance, a high employee turnover rate may represent a KRI in the operational risk category as it can signify poor employee morale, loss of institutional knowledge and management issues. If the number of failed logins is increasing, it may be a KRI (cybersecurity risk indicator). The power of KRIs is that they are able to warn of a problem that hasn’t come to a head into an incident.

Key Risk Indicators (KRIs)

Good KRIs have some common characteristics:

They are concrete and specific, not abstract or subjective
They have very clear thresholds that escalate when they are exceeded
They are subject to regular review.
They are directly linked to a particular risk in the register

A frequent mistake is to include too many KRIs. Some good, valuable indicators directly related to your highest risks will always beat a long list of indicators that nobody has time to carefully review.

Risk Dashboards

The risk dashboard provides a visual overview of monitoring data, enabling the risk committee and executives to quickly get an overview of exposure without having to comb through individual reports from each department.

A good dashboard will contain a summary of the top risks by severity, trend lines on key KRIs, a heat map of the likelihood of the risk versus the impact, and a flag on any breaches of KRIs since the last review. Color coding – typically red, amber and green, assists non-specialists in the instant interpretation of the risk status.

The worst mistake with dashboards is to load them up with too many metrics. A dashboard that attempts to communicate everything, fails to communicate anything. The objective is to bring to the fore what is most important, and to be able to give more detail if necessary.

Risk Reporting Best Practices

Monitoring is only effective if it gets to the people who can respond to it. A risk reporting framework specifies who will get what information, how often and in what format. Executive-level leadership usually requires a summary level report with trend data, whereas an operational team might require a granular report based on their specific role.

Some practices that have proven to be useful for enhancing the quality of reporting include:

Match level of detail to the audience. A board’s reporting should be on strategic exposure and trends, rather than granular data which is more appropriate for middle management.

Follow a regular rhythm and structure. Predictable reporting helps to foster trust and helps readers notice any changes between periods.

Emphasize exceptions, not status. If the report reaches a critical threshold, it should be reported, but if it is a routine update, then there is less of a chance that it will be given timely attention.

Have clear escalation steps. If a KRI reaches a certain level, then there should be a predetermined system in place for who is notified and how fast action is expected.

Roles and Responsibilities

Good monitoring requires clear ownership throughout the organisation. The Institute of Internal Auditors has provided a framework in the form of the Three Lines Model.

Operational management (first line): owns and manages risk on a daily basis. They know the job best and are in the best position to see early signs.

The second line of the business, risk and compliance functions, oversee and provide guidance to operational functions, set policy and provide monitoring tools, thresholds, and guidance.

Internal audit (third line) is independent assurance that the entire risk management system (including monitoring and control) is working as planned.

These three lines are usually overseen by a risk oversight committee, which may include senior leadership, that reviews escalated risks and decides on actions that are not taken at the individual departmental level.

Common Challenges

All well thought out systems experience predictable challenges.

Data overload. A lack of prioritization of data collection causes important signals to get lost in noise. Pay attention to quality criteria rather than quantity.

Siloed information. Departments have no visibility across departments if they don’t share data, as when a vendor issue impacts both procurement and IT security.

Stale thresholds. Business conditions may change since the KRI’s were set years ago. Threshhold review and recalibration should be done routinely as part of the monitoring cycle.

Absence of executive involvement. Without action by leadership on the escalated risks, monitoring becomes a ‘paper exercise’ and not a protective measure.

Manual processes at scale. Spreadsheets are great for small operations but start to become inaccurate and slow as an organization grows.

Industry Examples

Financial services and banking. Delinquency rates are used to track credit risk, cash reserve ratios are used to track liquidity risk, and the number of fraud incidents are used to track operational risk. There are regulatory requirements that may specify the frequency of these indicators.

Manufacturing. Risk monitoring in the supply chain involves monitoring the financial health of suppliers, delivery timelines and price volatility of raw materials. Safety risk monitoring monitors incident rates and near miss reporting on the factory floor.

Healthcare. Monitoring of patient safety risk is done via incident reporting systems and compliance risk is done via documentation audits, which are linked to regulatory standards.

Construction and project management. Weather Risk is tracked with forecasts, Budget Risk is tracked on a weekly basis and Supplier Risk is tracked through regular vendor calls on material delivery timelines. If there is a risk trigger, the project team triggers a risk response plan that they have already prepared, instead of reacting on the fly.

Risk Monitoring Tools

Governance, Risk and Compliance (GRC) software platforms have transformed continuous monitoring from a daunting challenge to a more feasible and manageable task, compared to 10 years ago. These tools can automatically extract data from financial systems, HR platforms, IT security logs, and operational databases, enabling the updating of KRIs in near real-time.

As opposed to having to manually compile different departments’ reports, automated dashboards provide risk committees with one place to view exposure throughout the organization. Alerts can be set to send notifications to risk owners as soon as a threshold is exceeded to reduce the time gap between a warning sign being raised and action being taken.

However, technology is only as effective as the data and thresholds that are given to it. A poorly configured system produces false alarms that are eventually ignored – thus doing nothing. To implement a new monitoring technology, it is important to take time to carefully tune the indicators before deploying it organization-wide. If your company isn’t large enough to afford a dedicated GRC solution, you can create effective systems with shared spreadsheets and disciplined review meetings, and the tool itself isn’t as important as the discipline.

ISO 31000 Perspective

ISO 31000 is a widely adopted international standard for Risk Management which stresses that monitoring and review should be a continuous part of the risk management process and not a final step. It emphasizes that the organizations should periodically assess the indicators of risk management performance and reassess them periodically for their appropriateness.

Monitoring and review as part of this framework is not limited to individual risks; it is a process that is ongoing throughout the risk management process. This implies that the whole risk management process, governance, roles and reporting lines should be reviewed, as the internal and external environment evolves, to ensure that the risk management process is fit for purpose.

Another aspect of ISO 31000 is the importance of lessons learned from monitoring to make the risk management process better, not just in terms of the process itself, but in the refinement of the system as a whole.

Best Practices

Prioritize ruthlessly. Prioritize monitoring efforts to those risks that have the greatest chance of occurring and greatest impact, rather than monitoring everything equally.

Maintain meaningful and limited number of KRIs. A short list of carefully selected indicators that are directly linked to the top risks can beat a long list of indicators that is never consistently followed.

Review frequency depending to risk volatility. Frequent review is necessary for quickly changing risks; less often for stable, longer-term risks.

Explicitly make paths for escalation. All involved need to be clear what will happen when the threshold is crossed, rather than having to determine this at the time.

Test controls on a schedule, not just during audits. By the time an external audit finds a control gap, the problem has been around for far too long.

Reflect on the framework on a regular basis. In addition to the personal risks, review the monitoring system at least once a year to determine if it continues to meet the organization’s needs.

Common Mistakes

Considering the risk register as a static document. Any unmaintained register soon becomes out of touch with reality.

Selecting the wrong KRIs that are not measurable or are too broad. Inconsistent indicators do not offer any real early warning.

Ignoring escalated risks. Without action from leadership, monitoring becomes a paperwork activity rather than a protection activity.

Enabling information overload on dashboards and reports. Trying to display all the metrics drowns out the signals that matter.

Taking the controls for granted without testing them. No one knows that controls are deteriorating over time except through regular testing; by the time you find out, it may already be causing damage.

Conclusion

Effective risk monitoring and control transforms risk management from a ‘paper’ system to a ‘living’ and responsive system. Having a properly managed risk register, useful KRIs, easy to use dashboards and clearly defined reporting hierarchies can help organizations identify issues before they become unmanageable. Initiatives such as ISO 31000 and the Three Lines Model provide good points to start with, but it is the repetition and active involvement of leadership that really make the difference. This is a discipline that must be developed over time, but one that can bring a positive outcome: an organization that is not reactive to risk; it is proactive.

Frequently Asked Questions

1. What is the main purpose of risk monitoring and control?

It is intended to monitor the progression of risk over time and to ensure that the controls are effective in lowering risk. It is able to detect the early signs of new threats and maintain an agile and responsive risk management process.

2. At what time should a company review its risk register?

This is dependent on the severity of the risk. Operational risks that are of high priority may require a weekly review and strategic or long-term risks may be reviewed quarterly. Industries that are subject to rapid change require more regular reviews.

3. What is a difference between KRI and KPI?

A KPI is used to measure performance against a goal, a KRI provides early warning of potential trouble. KPIs are forward-looking risk indicators, KPIs are backward-looking performance measures.

4. Is it possible for small enterprises to carry out risk monitoring without costly software?

Yes. Many small businesses begin with a common spreadsheet-based risk register and basic review meetings. The more complex the risk and the greater the amount of data, the more valuable the software will be, but it is not necessary to begin.

5. Who should be accountable for risk in an organization?

There is usually shared responsibility. Risk management and risk and compliance are part of the operational teams, supervised by risk and compliance, and backed by internal audit, based on models such as the Three Lines Model.

6. If a control fails a test what happens?

Failure to be logged, root cause be determined, CA plan to be developed and owner and time line identified. The risk register should be amended to show the current control gap in the risk register until it is addressed.

7. What are the suitable key risk indicators?

Effective KRI’s are measurable, directly related to a particular risk and with clear thresholds that trigger action. Focus on a few high level indicators, not everything at once.

9. Do you think there is a need for a risk monitoring system in small businesses?

No, any organization, project or team with meaningful risk can benefit from having monitoring and control practices. The size and formality of the system should be commensurate with the size and formality of the organization, and should not be eliminated.

Leave a Comment