Risk management is ongoing. Risks change in a changing environment. Good risk management places emphasis on monitoring and reviewing all current organisational plans, strategies, systems and controls.
Monitoring ensures that as risks change, new measures are introduced to control these risks. How often risks are monitored and reviewed will depend on the prevailing circumstances.
The Department of Natural Resources & Environment suggest that 'to support the risk management system at the business unit and organisational level, it is necessary to have a process of monitoring and review in place at the risk management and risk treatment plan levels.
This ensures that the summarised information presented to senior personnel is accurate, complete and based on the latest available data.
Ongoing review is required to ensure that management and treatment plans remain relevant. Factors impacting upon risk assessments and control practices can also change and therefore the risk management cycle should be repeated at regular intervals to ensure continued effective risk management.
There are methods for monitoring and reviewing procedures, and these should be determined as part of the management plan. Methods include:
- self-assessment
- physical inspections
- checking and monitoring success of actions
- audit and reassessment of risk to achieving specified objectives
Key dates, timeframes and deadlines for commencement and communications, monitoring, reporting and review should also be part of the plan.
As part of the monitoring process, AS/NZS 4360:1999 suggests that 'the risk management monitoring and review process should be aligned to the objectives and values of the organisation. This will ensure the relevance of the risk management program for delivering solutions that relate to critical organisational performance. For example:
- Are the risk management program objectives aligned with organisational performance objectives and values?
- Are the risk management program outcomes measurable in these terms?
- Can you determine if the risk management program has generated value for the organisation?
- Can you report information concisely and clearly?
- Does the risk management program reflect the realities of the environment in which you operate?
- Would you make a decision to expand or contract the risk management program based on this information?
The review process should also integrate with the key performance indicators of the organisation. The risk management plan should link to personal performance and key drivers and make sure they are measurable at all levels of the organisation. The monitoring and review process should ensure that effective risk management programs are those that deliver cost-effective risk outcomes and reflect the strategic and operational goals and objectives of the organisation.