The vast majority of businesses operate successfully day in and day out “inside the lines,” with reasonably defined business processes and appropriately trained staff satisfying customers and investors. But, despite that apparent stability, every one of these companies is exposed to risks – and opportunities – that may not be readily visible and have the potential to materially disrupt business operations.
Management has a responsibility and obligation to understand the potential risks, their size, probability and controllability. Most importantly, they need to ensure appropriate prevention, mitigation and response plans are in place.
Risks are often described and discussed in broad ways that are relevant to virtually every firm, such as fraud, IT system failure, supply chain disruption, tampering, fire, employee relations, etc. While helpful for scoping purposes, such high level approaches are not adequate for management to be confident the most important risks have been appropriately identified and mitigated, or for management to attest they have an appropriate enterprise risk management plan in place.
In our view, for a complete financial and operational Enterprise Risk Management (ERM) program, every firm needs to execute three key activities:
A Baselining Program
This is where risks are identified and assessed based on the experience and insights of a broad team of operational subject matter experts. These risks need to be described not only in terms of what the risk is, but with concrete, real-world examples of how that risk might actually occur, together with associated risk indicators. In partnership with the company's financial experts, these risks need to be quantified and discussed by leadership to reach consensus about the potential size, impact, likelihood and controllability. With that list, the high-priority risks need to have appropriate high-level impact mitigation plans described. Such plans might range from disaster drills to dual supply agreements; from stronger audits to purchase of insurance. But, whatever they are, those high-level plans need to be outlined.
It is important to note that not every risk should have a mitigation plan, nor will it be reasonable to fully mitigate all key risks. Management will need to find the right balance among probability, impact and affordability. By executing this kind of structured process, Management will be able to attest that those trade-offs have been made and risks managed in a structured and data-driven way.
Build A Set Of Operational Plans
These should be focused on the key risks. Such plans generally involve three steps:
- A set of controls to minimize the likelihood of the risk occurring.
- A set of risk responses to minimize the impact of the risk should it actually occur.
- A linked audit program: testing to assure operational plans are in place and effective.
Note that it is sometimes helpful to assess the value of the plan by looking at the inherent risk (i.e., what the impact would be if this risk occurred) and then the residual risk (i.e., the risk remaining assuming the controls and response plans are in place and operational). From that, make a judgment of the value of those particular controls and risk responses.
The management team needs to review – typically annually – the list of targeted key risks, the list of non-targeted risks, the risk mitigation compliance program and risk response program status to assure both the intent of the program and their fiduciary responsibilities are being met.
Note that this basic approach is also appropriate for risk management initiatives that are focused more narrowly, such as for a department or process. The concepts – baselining, building operational mitigation and response plans, institutionalizing those plans as part of ongoing operational compliance processes, performing periodic reviews – are appropriate when applied to the enterprise overall or specific targeted areas.
Note, too, this is not the only approach to ERM. As an example, if the focus were mostly financial risk management, an effective approach would be to assess the risks to every financial account and develop a set of controls and tests by account that minimized the likelihood of a major variance.
The DoubleCheck™ Suite of GRC tools is designed with these needs in mind. The risk management software tools offer a rich set of highly adaptable capabilities, including:
- Systematic means to identify and maintain risks (such as the Risk Register).
- Tools for subject matter experts to provide their assessments of the risks.
- Tools to consolidate those inputs into management information (including Heat Maps).
- Tools to track and manage Key Risk Indicators.
- Linking and sharing of data across Audit or other compliance initiatives.
Questions About Our Risk Management Solutions?
Don’t wait, give us a call and we’ll be happy to discuss how we might help you with a practical and cost-effective enterprise or departmental risk management program. Contact us today at 1-888-299-3980.