Risk and risk management
ARM has a robust risk management process that follows a sequence of risk identification, assessment of probability and impact, and assignment of an owner to manage mitigation activities.
ARM’s risks are managed within a systematic process of risk identification and assessment. As appropriate, risks are assigned owners. An action plan is then developed to counter remaining residual elements of the risk and to further reduce the impact and probability of the risk. A register is kept of all corporate risks and is monitored by the risk review committee, chaired by Mike Muller, Chief Technology Officer. The executive committee, the audit committee and the board ensure that the risk management process is operating effectively.
Corporate Risk Register
Corporate risks are identified and assessed within the Corporate Risk Register. The Corporate Risk Register includes a description of the risk, identifies the owner, the inherent Probability and Impact of that risk occurring, ARM’s current processes and control activities, remaining residual risk and the planned activities to further mitigate it.
Risk review process
Common business risks and company-specific risks have been examined for relevance to ARM. Relevant risks are entered onto a risk review register and given an owner. Risks are classified against impact assessment criteria and probability assessment criteria.
ARM’s ongoing operations may mitigate either the impact or probability of the risk. However, there can be some level of residual risk, and the risk owner determines the extent to which the residual risk is at an acceptable level, or whether further action is required. Residual risks that are not at an acceptable level are required to have an action plan that mitigates or further reduces the impact and/or likelihood of the risk occurring. Risk management action plans are managed within the relevant operational plans of the divisions and functions.
The risk review committee typically meets on a quarterly basis to review the Corporate Risk Register and identify other risks that need to be incorporated. The risk owner is required to demonstrate that residual risks are being appropriately mitigated via the operational plans.
ARM’s internal audit function regularly audits the Group’s compliance with its policies, processes and procedures, including international standards and regulations. The programmes of audits provide assurance that risk management activities and policies are operating effectively.