1. Understand the business.
2. Develop a detailed understanding of the goals of the organisation. Such goals start from the overall organisational goals and are to be drilled down to goals for each function within a business cycle.
3. Conduct detailed Q&A sessions with the various stakeholders in the top management to identify the tone at the top on aspects surrounding risk appetite, governance, ethics, etc., and draw up a charter which clearly establishes the organisation's overall policy towards risk management.
4. Once the overall risk management is defined, a detailed analysis is carried out of the existing processes and controls in place to mitigate business-related risks.
5. A risk and control mapping is carried out and documented in each business cycle's risk and control matrix. Risks are categorised into business, operational, financial, compliance and other required buckets.
6. Any gaps identified are discussed, and controls are designed in consensus with the management to mitigate risks.
7. Ensure the designed controls are adequate to cover the risks in line with the risk management policy of the organisation.
8. In concurrence with the top management, fix the roles and responsibilities of each stakeholder in the respective business cycle/area and ensure the controls are clearly communicated to such stakeholders.