Risk Decisions CEO Val Jonas explains the 5 steps to Enterprise Risk Management in a column published in the December issue of Risk Management Professional Magazine
Five steps to Enterprise Risk Management
By Val Jonas, CEO Risk Decisions
In today’s business environment, it no longer makes business sense to focus only on operational and tactical risk management. Enterprise Risk Management (ERM), a framework for a business to assess its overall exposure to risk and its ability to make timely and well-informed strategic decisions, is required to help make the business resilient through the current turbulent times.
This article describes the five key steps to implementing a simple and effective ERM solution.
Step 1 – Establish an enterprise risk structure
ERM requires the whole organisation to identify, communicate and proactively manage risk (both threats and opportunities). Everyone needs to follow a common approach. This includes a consistent risk policy and process, a single repository for risks and a common reporting format. It is also important to build risk management into existing working practices.
The enterprise risk structure should mirror the organisation’s structure: representing vertical (executive) as well as horizontal (functional and business) aspects of the organisation. This is so that risks can be aggregated using a combination of vertical structure and horizontal intelligence. This is a key factor in establishing ERM.
Step 2 – Assign responsibility
Once an enterprise risk structure is established, assigning risk responsibility and ownership should be straightforward. The organisation is broken down into areas called clusters. Each cluster has specified objectives, an associated manager, escalation thresholds and sign-off authority, and contains a set of risks with their associated risk response actions.
Responsibility takes two forms: ownership at the higher level and leadership at the sub-levels. For example, a programme manager will manage his programme risks, but also have responsibility for overseeing risk within each of the programme’s projects.
Step 3 – Create an enterprise risk map
Risk budgeting and common sense dictate that risks should reside where they impact in the organisation, because this is where attention is naturally focused. However, the risk cause, mitigation or exploitation strategy may come from elsewhere in the organisation and often common causes and actions can be identified. These risks are best managed by creating an enterprise risk map, which allows common themes to be identified, thus directing appropriate management attention to risks in different parts of the ERM structure. For example, the procurement function may focus on supply chain risk, based on which suppliers are causing the most risk across the organisation.
Step 4 – Decision-making through enterprise risk reporting
The most important aspect of risk management is carrying out appropriate actions to manage the risks. However, you cannot manage every identified risk, so you need to prioritise and make decisions on where to focus management attention and resources.
Enterprise-wide reporting allows senior managers to review risk exposure and trends across the organisation. This is best achieved through risk dashboards which include metrics reports, such as risk histograms, which allow you to drill down to identify the source of key risk areas. For example, you might want to review the risk to key business objectives by cluster.
Step 5 – Changing culture from local to enterprise
At all levels of an organisation, changing the emphasis from ‘risk management’ to ‘managing risk’ is a challenge; doing this across the enterprise as a whole is particularly difficult. This requires the organisation to encourage and reward this change in emphasis!
A risk steering group made up of functional heads and business managers is a good place to start this process. This group can trigger increasingly co-operative cross-discipline discussions that lead to rapid progress on understanding and managing risk.
The benefits
ERM delivers confidence, stability, improved performance and profitability. It provides:
• Access to risk information across the organisation in real time
• Faster decision-making and less ‘fire fighting’
• Fewer surprises (managed threats and successful opportunities)
• Improved confidence and trust across the stakeholder community
• Reduced cost, better use of resources and improved morale
• Stronger organisations resilient to change, ready to exploit new opportunities
Over time this will:
• Increase customer satisfaction, enhance reputation and generate new business
• Safeguard life, company assets and the environment
• Achieve best value and maximise profits
• Maintain credit ratings and lower finance costs
Summary
All the risk management skills and techniques required to implement Enterprise Risk Management can easily be learned and applied. Remember, Enterprise Risk Management should be simple to understand and simple to implement.
Keep it simple! Make it effective!
This article is based on Val Jonas’ whitepaper titled: “Five Steps to Enterprise Risk Management”. The whitepaper can be downloaded here.
This column was originally published in the December 2011 issue of Risk Management Professional Magazine.

