Suomi.fi for Service Developers
VAHTI best practices
Digital security risk management


Monitor, document and report risks

What should be taken into account in monitoring and reporting?

When monitoring and reporting risks, you should take into account

  • internal and external changes in the operating environment
  • changes in risks, and
  • the need to change the risk criteria.

With monitoring and reviewing, you can ensure that the risk management methods are effective and efficient.

Updated: 29/10/2024

Create the reporting process

The organisation must create a reporting process that employees are aware of and that is used at all levels of the organisation. The reporting process informs specialists and management of any identified risk as quickly as possible, so that the risk can be taken into the risk management process and handled quickly and efficiently.

Updated: 29/10/2024

Consider organising risk workshops

It can be useful to organise risk workshops for employees. The workshops should

  • define the operating environment for risk management
  • identify, analyse and assess risks
  • handle risks where possible, and
  • set risk management methods.

Updated: 29/10/2024

Consider risks also multisectorally

As risk management is carried out across several sectors, you should involve specialists in different topics, fields and functions in the risk management work. Such fields include

  • different areas of digital security (such as information security and data protection)
  • legal
  • human resources
  • suppliers.

This will ensure that risk management in digital security is as comprehensive as possible.

Updated: 29/10/2024

Identify the risks that affect the entire organisation

Risks concerning the entire organisation

  • have a broad impact on the organisation’s activities, or
  • might affect all employees in the organisation.

Communicate any organisation-wide risks widely across the whole organisation.

Updated: 29/10/2024

Separate general and detailed risks

In risk management, you should distinguish between general and detailed risks. The same applies to choosing the risk management methods. The distinction between general and detailed risks also makes it easier to

  • prioritise risks
  • handle risks, and
  • report risks to the right parties.

Updated: 29/10/2024

Report risks to your supervisor

Your entire organisation is responsible for ensuring that risk management works well and efficiently. In addition to your own organisation, risk management should take into account your organisation’s customers and other groups and organisations related to its operations, that is, the stakeholders.

As a representative of the employees, you might often be the first one to notice potential threats and realised risks related to the organisation’s everyday activities. Therefore, it is important that you know how to

  • detect risks
  • report the risks forward in accordance with the risk management processes.

You can get information about the current risk management processes from your supervisor and the management of the organisation.

Updated: 29/10/2024

Report risks to the management

Key risks must be reported regularly to the senior management of the organisation. Management usually deals with the broader policies related to the organisation’s operations, so risk reporting should identify especially the key risks.

Updated: 29/10/2024

Keep the risk reporter informed of the progress

You should keep the party who reported the risk informed of the processing progress. This way, the reporter will be aware of

  • how the matter has been handled and
  • what measures have been taken.

The reporter can also comment on possible management methods if necessary.

Updated: 29/10/2024

Take care of the documentation

The documentation must be carefully prepared. It should be

  • maintained and updated as the operating environment changes, and
  • stored so that all relevant parties can access it.

Updated: 29/10/2024

Monitor the quality of risk information

Effective and appropriate risk management requires high-quality risk information. The quality of risk information must be actively monitored and developed to ensure that risk management is effective and can evolve to the desired level.

Updated: 29/10/2024
