- The system is based on a clear understanding of the organization's objectives.
- Key strategic, operational and financial risks associated with the organization's objectives are identified and assessed, appropriate responses (e.g., implementing internal controls) are determined, and assurance is provided that the chosen responses are effective.
- Risks are monitored and the responses are evaluated.
- The effectiveness of the risk management system is reported publicly, referring explicitly to the governing body that holds responsibility for the system.
- The risk management system considers the full range of the organization's activities and responsibilities, and continuously checks that various good management disciplines are in place.