The environment within which state bodies work is constantly changing. Their aims and objectives must constantly be refined and sometimes redefined; this adds to the uncertainty and therefore to the risk to which organisations are already subject.
An organisation's management must identify the risks associated with not achieving their objectives. Management then has the responsibility for matching controls to these risks in order to minimise or avoid these risks altogether. Management is also charged with the responsibility of implementing risk controls, and monitoring their effectiveness and continued relevance. The board should receive regular updates on the effectiveness of risk management controls.
A sound system of internal control provides assurance that an organisation will not be hindered in achieving its objectives by circumstances which might reasonably be foreseen. In effect, the risks should be acknowledged and addressed if they are likely to impair the ability to achieve objectives. A discussion of this topic is in the paper "Risk Management as part of Good Governance".
The risk management process involves the identification of sources of risk and what steps are being taken to manage these risks. The chairperson is required to sign a statement acknowledging his responsibility, confirming that there has been a review of the effectiveness of internal controls and providing a description of the key procedures which have been put in place by the board to provide effective internal controls.