
Risk Management Documentation

control requirements and standards. Each unit, division or department should set its own standards for risk control, including health and safety, fire safety, physical security, information security and environmental protection. This may be appropriate because of the diverse nature of the different units within the organization.

The risk guidelines should define the means by which embedded risk management is to be achieved in the organization. The setting of strategy, standards and procedures needs to be undertaken within the framework of the risk guidelines.

The format for the risk guidelines will depend on the organization and the nature of the risks that it faces. Typically, these guidelines will contain information on at least the following: financial and authorization procedures; insurance arrangements; managers' control responsibilities; project risk management; incident reporting and investigation; event and reaction planning; physical risk control objectives and responsibilities.

Table 7.4 sets out the range of risk management documentation that may need to be kept by an organization. In order to successfully embed risk management, it is necessary to maintain a range of risk management records. These records will include details of various risk management activities, including: risk management administration; risk response and improvement plans; event reports and recommendations; risk performance and certification reports.

Embedded risk management will be achieved when the cycle of risk management activities is fully aligned with the planning cycle of the organization. A primary purpose of risk guidelines is to help managers understand the risk management framework of the organization. This understanding will ensure that managers pay appropriate attention to risk implications when making decisions. The risk guidelines for the organization also provide practical guidance to managers on how to fulfil their risk management responsibilities.

Keeping necessary records will allow the organization to demonstrate the successful implementation of the risk guidelines. The risk administration documentation should extend to (at least) the items listed in Table 7.4. It is not the intention that the keeping of risk management records should become overly bureaucratic or burdensome. However, adequate records need to be kept so that the information is available for decision making, necessary advice for managers is accessible and confirmation can be provided to auditors that necessary controls have been correctly implemented. The importance of record keeping is highlighted below.