This is Part Two of a four-part blog series on ERM by guest blogger Michael Rasmussen of GRC 20/20 Research.
To maintain the integrity of the organization and execute on strategy, the organization has to be able to see its individual risks (the trees) as well as the interconnectedness of risk (the forest). Risk management in business is non-linear. It is not a simple equation of 1 + 1 = 2. It is a mesh of exponential relationships and impacts in which 1 + 1 = 3, 30, or 300. What seems like a small disruption or exposure may have a massive effect or no effect at all. In a linear system, effect is proportional to cause; in the non-linear world of business, risk is exponential. Business is chaos theory realized. The small flutter of risk exposure can bring down the organization. If we fail to see the interconnections of risk in the non-linear world of business, the result is often exponential to unpredictable.
Risk management processes are used to manage and monitor the ever-changing risk environments as a part of overall business processes, transactions, and systems. This requires that organizations have a risk management function that brings together risk management and business processes with an integrated risk management information architecture with embedded business intelligence and analytics.
An enterprise risk management program needs a structural design of risk management processes, including their components of inputs, processing, and outputs. This design inventories and describes the risk management processes, each process’s components and interactions, and how risk management processes work together in the context of other enterprise processes.
Effective risk management processes deliver:
- Holistic awareness of risk. There is a defined risk taxonomy across the enterprise that structures and catalogs risk in the context of business and assigns accountability. A consistent process identifies risk and keeps the taxonomy current. Various risk frameworks are harmonized into an enterprise risk framework. An embedded business intelligence and analytics architecture aggregates risk data and effectively communicates, monitors, and manages risk.
- Establishment of risk culture and policy. Risk policy must be communicated across the business to establish a risk management culture. Risk policies are kept current, reviewed, and audited on a regular basis. Risk appetite and tolerance are established and reviewed in the context of the business, and are continuously mapped to business performance and objectives. Technology monitors key risk indicators (KRIs) to ensure management of risk policy, and the management of risk against risk appetite, tolerance, and capacity.
- Risk-intelligent decision-making. The business has what it needs to make risk-intelligent business decisions. Risk strategy is integrated with business strategy — it is an integral part of business responsibilities. Risk assessment is done in the context of business change and strategic planning, and structured to complement the business lifecycle to help executives make effective decisions.
- Accountability of risk. Accountability and risk ownership are established features of risk management. Every risk, at the enterprise and business-process level, has clearly established owners. Risk is communicated to stakeholders and the organization’s track record should illustrate successful management of risk against established risk tolerances and appetite.
- Multidimensional risk analysis and planning. The organization needs a range of risk analytics, correlation, and scenario analysis. Various qualitative and quantitative risk analysis techniques must be in place and the organization needs an understanding of historical loss to feed into analysis. Risk treatment plans — whether acceptance, avoidance, mitigation, or transfer — must be effective and monitored for progress.
- Visibility of risk as it relates to performance and strategy. The enterprise views and categorizes risk in the context of corporate optimization, performance, and strategy. KRIs are implemented and mapped to key performance indicators (KPIs). Risk indicators are assigned established thresholds and trigger reporting that is relevant to the business and effectively communicated. Risk information adheres to information quality, integrity, relevance, and timeliness.
Mature risk management enables the organization to understand performance in the context of risk. It can weigh multiple inputs from both internal and external contexts, and use a variety of methods to analyze risk and provide qualitative and quantitative modeling. Successful risk management requires the organization to provide an integrated process, information, and technology architecture to identify, analyze, manage, and monitor risk and capture changes in the organization’s risk profile from internal and external events as they occur. Mature risk management is a seamless part of governance and operations. It requires the organization to take a top-down view of risk, led by the executives and the board, and made part of the fabric of business, not an unattached layer of oversight. It also involves bottom-up participation, where business functions at all levels identify and monitor uncertainty and the impact of risk. Organizations striving to increase risk management maturity become more:
- Aware. They want to have a finger on the pulse of the business and watch for change in the internal and external environments that introduces risk. Key to this is the ability to turn data into information that can be, and is, analyzed, and to share that information in every relevant direction.
- Aligned. They need to align performance and risk management in context to support and inform business objectives. This requires the ability to continuously align the objectives and operations of the integrated risk capability to the objectives and operations of the entity, and to give strategic consideration to information from the risk management capability, enabling appropriate change.
- Responsive. Organizations cannot react to something they do not sense. Mature risk management focuses on gaining greater awareness and understanding of the information that drives decisions and actions; it improves transparency, but also quickly cuts through the morass of data to what an organization needs to know to make the right decisions.
- Agile. Stakeholders desire the organization to be more than fast; they require it to be nimble. Being fast isn’t helpful if the organization is headed in the wrong direction. Principled Performance enables decisions and actions that are quick, coordinated, and well thought out. Agility allows an entity to use risk to its advantage, grasp strategic opportunities, and be confident in its ability to stay on course.
- Resilient. The best laid plans of mice and men fail. Organizations need to be able to bounce back quickly from changes in context and risks with limited business impact. They desire to have sufficient tolerances to allow for some missteps and to have the confidence necessary to rapidly adapt and respond to opportunities.
- Lean. They want to build business muscle and trim fat to eliminate the expense of unnecessary duplication, redundancy, and misallocation of resources; to lean the organization overall with enhanced capability and related decisions about application of resources.