Risk Framework Development Assets/Examples

All assets, images, documents, and other files presented in this section are meant to be examples of ways to manage risk and write policies to do so. These items do not represent how Endaoment handles or manages risk nor should they be confused with Endaoment’s specific risk management policies.

This policy documentation draws in part on existing guidance on risk framework creation. These resources included a guide to policy framework creation under the Enterprise Risk Management framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO ERM Framework). A number of helpful resources from that guide can be found below and should be reviewed alongside Endaoment’s policy framework.

20 Principles of Risk Management

To develop a comprehensive risk policy framework and guide operations concerning risk, refer to the following principles:

Risk Impact and Likelihood Evaluation

A structured approach to determining risk impact and evaluating likelihood of occurrence ensures that critical responses are paired with high-severity issues:

Risk Framework Process Flow

Risk Assessment

Impact and Likelihood

Endaoment utilizes a standardized matrix to evaluate the impact and likelihood of identified risks. This involves:

  • Impact Assessment: Determining the potential consequences of a risk event on operations, finances, reputation, and compliance.
  • Likelihood Assessment: Estimating the probability of a risk event occurring based on historical data and current controls.

Risk Matrix

Prioritization

Risks are prioritized based on their combined impact and likelihood scores, allowing the organization to focus resources on the most critical areas first.

Risk Mitigation

Strategies

Endaoment employs the following strategies to mitigate identified risks:

  • Avoidance: Eliminating activities that introduce high levels of risk.
  • Reduction: Implementing controls to minimize the impact or likelihood of risks.
  • Transfer: Shifting the risk to third parties through insurance or outsourcing.
  • Acceptance: Acknowledging and preparing for the potential impact of certain risks when mitigation is not feasible.

Controls

Each risk type has specific operational controls and procedures designed to mitigate associated risks. These include regular audits, compliance checks, access controls, transaction monitoring, and more, as detailed in their respective policy documents.

Monitoring and Reporting

Continuous Monitoring

Endaoment employs continuous monitoring systems to oversee key risk indicators and detect any deviations from established norms. This includes:

  • Automated Tools: Utilizing software for real-time monitoring of transactions and activities.
  • Manual Reviews: Conducting periodic audits and assessments to identify and address risks.

Reporting Mechanisms

  • Incident Reporting: Providing secure and anonymous channels for employees and stakeholders to report potential risks or incidents.
  • Regular Reporting: Generating periodic risk reports for the Risk Management Committee and executive team to review and act upon.

Training and Awareness

Program Structure

Endaoment’s training program ensures that all employees are knowledgeable about the Risk Management Framework and their role in maintaining it. The program includes:

  • Onboarding Training: Comprehensive training for new hires.
  • Ongoing Training: Mandatory bi-annual training sessions for all current employees.
  • Specialized Training: Targeted training for forward-facing staff and those in high-risk roles to identify and escalate potential risks.

Documentation and Retention

All training sessions are documented and retained for a minimum of five years to ensure compliance and facilitate audits.

Governance

All policies contained within are subject to a semi-annual review by the executive team to ensure each remains current and reflects best practices. Any amendments or exceptions must receive unanimous approval from the executive team. All questions or concerns related to this policy must be directed to the executive team for resolution.

Internal Assurance

Endaoment conducts comprehensive internal assessments to evaluate the effectiveness of our fraud risk controls across both operational and technical domains. These assessments ensure ongoing compliance and the continuous improvement of our risk management strategies.

Continuous Improvement

Endaoment is committed to the continuous improvement of its Risk Management Framework. This involves:

  • Regular Reviews: Semi-annual reviews of the framework and policies to incorporate feedback and adapt to changing environments.
  • Feedback Mechanisms: Encouraging input from employees and stakeholders to identify areas for enhancement.
  • Benchmarking: Comparing our risk management practices against industry standards and best practices to ensure effectiveness and efficiency.

References