If your business is to demonstrate risk management,
As specified by the law and international standards,
You must demonstrate monitoring and review.
Both monitoring and review should be a planned part of the risk management process and involve regular checking or surveillance.
It can be periodic or ad hoc.
Responsibilities for monitoring and review should be clearly defined.
The organization’s monitoring and review processes should encompass all aspects of the risk management process for the purposes of:
ensuring that controls are effective and efficient in both design and operation;
obtaining further information to improve risk assessment;
analyzing and learning lessons from events (including near-misses), changes, trends, successes and failures;
detecting changes in the external and internal context, including changes to risk criteria and the risk itself which can require revision of risk treatments and priorities;
identifying emerging risks.
Progress in implementing risk treatment plans provides a performance measure.
The results can be incorporated into the organization’s overall performance management, measurement and external and internal reporting activities.
The results of monitoring and review should be recorded and externally and internally reported as appropriate, and should also be used as an input to the review of the risk management framework.
Recording the risk management process.
Risk management activities should be traceable.
In the risk management process, records provide the foundation for improvement in methods and tools, as well as in the overall process.
Decisions concerning the creation of records should take into account:
the organization’s needs for continuous learning;
benefits of re-using information for management purposes;
costs and efforts involved in creating and maintaining records;
legal, regulatory and operational needs for records;
method of access, ease of retrievability and storage media;
retention period; and
the sensitivity of information.
To test this within your business, select 1 traveller and 1 trip.
Now demonstrate all the above, as it applies to that specific traveller and that specific journey.
Now apply it to 10 travellers and 10 business trips.
Is the monitoring and review, clear, documented, unique and specific to each traveller and trip?
If not, you don’t have adequate evidence to demonstrate travel risk management, in addition to having an inadequate system of monitoring, review and record keeping.
To learn more about business travel risk management and your obligations,
In this series we have covered all 7 steps of the 7 steps required for travel risk management.
These are not optional or selective, your system and business must demonstrate all 7 steps in full before risk management compliance and conformance can be claimed.
Failure to have adequate risk management systems means you don’t have travel risk management.
Safe work systems and enterprise risk management, inclusive of business mobility and travel.