Question
Question: Summarize
Template 6: Risk Communication
At this stage, the organization will have completed the riskiness index, identified the risk agenda, undertaken assessment of significant risks and established the need for additional and/or modified controls. Template 6 is designed to enable the organization to communicate all this information to relevant stakeholders. The extent of risk communication that is required will depend on the size, nature, and complexity of the organization, as well as the risk agenda for the organization.
Roles and responsibilities
The roles and responsibilities are set out by the risk management team, in a manner that fits each role and responsibility to a designated section that is created to deal with those specific roles and responsibilities. It is up to the section/department head to delegate the roles amongst their employees and split them in a way that is the most productive and most efficient for Itrustu. The highlighted roles and responsibilities will be as follows:
1. Legal Roles - Legal team of Itrustu. Ensure that the company is compliant with all laws and regulations. Perform regular audits to ensure that legality is enforced and there are no shortcomings. Provide legal assistance to consumers, as well as deal with any legalities regarding consumers, e.g., contracts, indemnity forms, etc.
2. Financial roles - Financial management team of Itrustu. Handle finances of the company, including cash inflow and outflow. Monitor budgets, spending, limits, statements, etc. Perform regular audits to ensure that there is no fraudulence taking place within the company or with external stakeholders. Provide budget plans to consumers that describe how the insurance schemes will work at Itrustu.
3. IT Infrastructure - IT team. Ensure that all software and hardware used by the company is working efficiently, and there are no defects and glitches. Provide regular updates to the company's servers and platforms. Ensure that all staff are trained in using the interfaces and aiding and maintenance when required. Perform regular audits on the IT systems and hardware of Itrustu, to ensure that everything is running as it should be.
4. Security - Security department of Itrustu. Need to provide continuous security updates to the servers and databases of the company. Ensure that there are no breaches and that threats to the system are eradicated as soon as possible. Provide training to staff on how to avoid security issues, e.g., teaching them to identify and avoid clicking links that possess ransomware or viruses that corrupt the database.
5. Advertising and Marketing - Marketing team. Ensure that the reputation of the company is managed effectively. Engage with consumers and other stakeholders to discuss new initiatives and ideas from Itrustu. Inform employees from the sales and customer service departments of the new products and services, as well as improvements to current services from Itrustu, that should be relayed to the customers when communicating with them. Do continuous audits and market runs to ensure that the customer satisfaction rate is maintained and improved regularly, and that their techniques provide Itrustu an advantage over competitors.
Risk architecture
1. Details of all the relationships between individuals and/or committees or groups with risk management responsibilities, including reporting and monitoring structures.
The relationships between individuals will be broken down according to the several sections of the company, and responsibilities will be divided amongst the employees of the sections. Itrustu will be broken down into several different departments that will focus on highlighting and eradicating certain risks. These departments include:
Risk management department.
Financial department.
IT infrastructure department.
Security department.
Marketing and customer relations department.
All of these departments' employees will carry out tasks that include audits, system checks, updates, tests, etc. The results from these will be submitted to the department manager, who will oversee each operation in their designated department. The risk management team will designate each department to one employee or group of employees depending on the size of the risk appetite of Itrustu. These employees will be in direct contact with the managers of each department, and will analyse the reports that have been provided by the managers. They will then provide risk management strategies and assist the managers and employees in deploying these strategies. The manager of the risk management section will report straight to the executives. This report will include a detailed analysis of the risks that are facing the company, the risk management strategies that have been implemented, and the efficiency of the risk management plans.
Record keeping
Record keeping is an essential component of an organization's risk management plan. It involves maintaining detailed records of risk assessments, risk management strategies, incidents, and performance reports to ensure accountability and provide a basis for future decision-making.
In the case of Itrustu Insurance Company, record keeping requirements must include both static and dynamic records. Static records refer to documented policies, procedures, and protocols that outline the company's risk management framework. These records provide a foundation for decision-making and ensure consistency in risk management practices.
On the other hand, dynamic records refer to incident reports, performance reports, and the results of risk assessment activities. These records are more fluid and require continuous updates and maintenance. Incident reports document any incidents or near misses that occur within the organization, providing valuable insights into potential risks and areas for improvement. Performance reports track the effectiveness of risk management strategies and highlight any areas that require attention.
In addition to these records, Itrustu Insurance Company must also maintain records of internal communications and external reporting. Internal communications include all communications within the organization related to risk management, including meetings, emails, and memos. External reporting involves the communication of risk management information to stakeholders outside the organization, such as regulators, customers, and investors. Records of external reporting provide evidence of the company's compliance with regulations and demonstrate transparency in risk management practices.
Overall, effective record keeping is critical for Itrustu Insurance Company to ensure accountability, support decision-making, and demonstrate compliance with regulations.
Internal communications
2. Information on the internal communication within the organization on risk management matters, including procedures for sharing risk management documents and risk escalation procedures, as well as risk management training, information, and instructions.
Procedures for sharing risk management documents internally: Detailed documents including the risk management strategies of the entire company will be provided to executives by the risk management team. Less detailed documents, which will only provide information on the risk management strategies of each department, will be shared with department heads/managers. Managers will then split these documents amongst their section's employees and only provide what is required to avoid any confusion. For example, an employee in the marketing team will not need extreme details on the risks facing the customer relation team, and providing extra information may result in confusion and insufficient planning.
Risk escalation procedures will include a direct channel between employees, managers, executives, and any other stakeholders to the risk management team. This is essential as matters can be escalated to the risk management team in a timely and efficient manner. Thus, they can begin developing better risk management strategies and plans that can be implemented into the operations of the company.
The risk management team can organize training sessions for employees that will be detailed and explain the following:
The steps they can take to avoid risks.
The steps they can take to mitigate smaller risks.
The procedure to escalate and report larger risks as soon as they are discovered.
The procedure involved in successfully implementing new risk management strategies into their work.
Lastly, the channels that are provided for reporting and auditing risks of the company, and how to access them.
All of this information should be made available during these risk training sessions and the risk management team should ensure that each employee is capable of identifying, mitigating and managing risks that the company faces efficiently.
External reporting
3. Details of the external risk management reporting requirements, especially those that relate to reporting incidents to regulators and the requirements to provide regulators and other stakeholders with routine updates or status reports, including whistleblowing arrangements.
In general, organizations are required to report incidents or breaches to regulators as soon as possible. Regulators may have specific requirements regarding the type of incidents that must be reported, the timeline for reporting, and the format of the report. These reports may include information on the types of risks the organization is exposed to, the controls in place to manage those risks, and any incidents or near misses that have occurred.
In addition to incident reporting, organizations may also be required to provide routine updates or status reports to regulators and other stakeholders. These reports may include information on the organization's risk profile, risk management processes, and any changes to the organization's risk environment.
Whistleblowing arrangements are another important aspect of external risk management reporting. Organizations may be required to have a whistleblowing policy that outlines how employees can report concerns about potential risks or incidents. The policy should include details on how the organization will investigate and respond to reports, as well as how whistle-blowers will be protected from retaliation.
In addition to these requirements, organizations may also be required to disclose certain risk-related information to the public through their annual reports, sustainability reports, or other communications. The specific requirements will depend on the industry and regulatory framework in which the organization operates.
Overall, external risk management reporting requirements are designed to help organizations manage risk effectively and ensure that stakeholders are informed about the organization's risk profile and any incidents that may impact them.