Managing governance risk is a critical day-to-day function and is the responsibility of the entire organisation, not just the CEO!
In assessing risk, the aim should be to identify specific risks and categorise them on the basis of probability and resulting impact on the organisation. Probability could be categorised as highly probable, likely or unlikely. The 'impact' aspect of risk assessment looks at risk from the perspectives of high impact (e.g. total organisational failure), medium impact and low impact. Combining both elements helps define each risk, e.g. an unlikely event but with a high impact on the organisation.
Once a risk assessment has been completed, a Risk Management Plan can be drawn up for board approval. Risk areas that would feature in such a plan include financial, technological, human and operational risks. This plan would serve to mitigate or minimise the identified risks that are most relevant to the organisation's needs.
Thereafter, it should be the organisation's policy to conduct an annual Risk Assessment and to update its Risk Management Plan based on the findings. This should be driven by the board.