Achieving Enterprise Risk Management
If your company is like many others, your risk environment changes rapidly, creating both opportunities and challenges. The types of risk vary: operational, regulatory, financial, market, technology, and so on. Your organization likely can't address all of them, so which risks do you address? It's a complex question, and the answers are not easy to come by. There is no black box that provides all of the answers, so it helps to develop a clear and simple approach to understanding risk. To be sure, every organization will have to chart its own path to achieve ERM; there are no "one size fits all" methods. But there are some principles that we encourage you to consider.
Organize a Risk Council
Enterprise risk management starts with enterprise involvement. If you have responsibilities for the program, start by getting others involved.
Identify Your Overriding Business Goals, and the Risk Events That Can Prevent You From Achieving Them
ERM is not about finding the "low hanging fruit" to go after. Nor is it about asking department leaders to list their top 5 risks. It's about determining what drives the organization: identifying the most important things to protect based on what the organization is trying to accomplish. These goals are often related to service delivery, production, asset protection, reputation protection, market growth, revenue targets, and the like.
Once the overriding business goals are defined, identify the risk events that can prevent those goals from being achieved. By "risk event", we mean a condition that impedes goal achievement. Examples of such conditions include Regulatory Non-Compliance, IT Disruptions, Production Disruptions, Reputation Damage, and others. Note that a risk event is not an earthquake, tornado, or fire. Those are threats, and a threat may pose no risk at all if it is fully mitigated.
Threats Lead to Risk Events
Simply put, threats are the specific occurrences that the organization is exposed to, and that therefore lead to risk events. Example: an organization might be exposed to the threat of flooding (because a key site is located in a flood plain, for instance), which could lead to the risk event of a production disruption. Threats come in all forms, and can be related to natural phenomena (tornadoes, earthquakes, etc.), technology (equipment failure, computer viruses, etc.), or human causes (crime, sabotage, chemical spills, etc.). Threats and risks are often confused with one another, but unless you make that distinction, your organization will have difficulty taking specific actions to control and mitigate risk.
Threats Lead to Focused Risk Controls and Mitigation
Once an organization understands the threats that can lead to risk events that impact business goals, the task of implementing controls becomes much more clear. It is at this point that good decisions about management of risk can be made (avoid, accept, transfer, mitigate).
Keeping the Program Vibrant
Once the ERM program is implemented, performance monitoring and reporting are essential to maintaining support, demonstrating benefit, and making course corrections. A variety of techniques can be used to accomplish this, and certainly each organization should define its own needs. But whatever method is used, our recommendation is to ensure that monitoring and tracking are simple and clear, and not so maintenance-intensive that they take attention away from the overall goal of optimizing risk management for the organization.