Risks are identified during the course of business change programmes, business-as-usual activity and by considering emerging threats.
These risks are then measured regularly, using forward or backward-looking indicators.
They’re managed using mitigating actions which include controls, as well as activities to transfer or avoid risk.
We use several tools for risk monitoring and reporting, including risk registers and event logs. Assurance maps are used to combine data from all three lines of defence in order to assess the state of the control environment.