Risk monitoring

Category: Risk management frameworks · Reviewed by Tim Roche, Director · PI & Commercial · Last reviewed

Risk monitoring

Risk monitoring is the continuous process of tracking risk levels, the effectiveness of treatments and the emergence of new risks. It is the step that turns a risk register from a snapshot into a management system.

Three layers

1. Risk-level monitoring — tracking the assessed likelihood and impact of identified risks, and the proximity of residual ratings to appetite limits.

2. Control monitoring — testing that controls are operating as designed (control self-assessment, second-line oversight, internal audit).

3. Environment monitoring — tracking external factors that may change the risk landscape: regulatory change, macroeconomic conditions, technological developments, geopolitical events.

Key risk indicators (KRIs)

KRIs are leading or lagging quantitative measures that signal change in a risk before it materialises. Well-designed KRIs are:

• Measurable — there is a data source and a calculation rule.
• Frequently refreshed — at least monthly for material risks.
• Bounded — with green / amber / red thresholds tied to appetite.
• Owned — a named individual is accountable for the data and the action.

Examples in insurance: combined ratio by quarter, single-risk concentration vs limit, IT incident count, compliance complaint volumes, conduct breach notifications, SCR coverage ratio.

Reporting cadence

For most insurers and intermediaries:

• Daily / weekly — operational dashboards.
• Monthly — management risk and control reports.
• Quarterly — board risk committee.
• Annually — full risk register review, ORSA submission, board-approved appetite refresh.

References

• ISO 31000:2018, Clause 6.6.
• COSO (2017) ERM Framework.
• PRA SS5/14 — Solvency II: ORSA.

Cross-references

• Risk register
• Risk appetite
• ORSA

Maintained by Matt Bartlett, Director, Apex Insurance Brokers Limited. FCA FRN 724952. Companies House 07014570.