In the last issue of risKey, we discussed the advantages, and some of the myths, surrounding risk management, and how it has evolved over the years to go beyond just addressing hazard type risks. Today, enterprise risk management (ERM) is used to address a variety of business issues, such as financial, operational, and strategic risks. This issue will look at the various stages an organization goes through in adopting ERM, and provide an overview of the process.
The Risk Intelligent Enterprise Maturity Model
According to Deloitte, it is the rare company that intelligently manages the full spectrum of risk and adequately assesses and addresses risks from all perspectives. Those companies that do systematically anticipate and prepare an integrated response to potentially significant risks have been designated as Risk Intelligent Enterprises.
How capable is your company today? How capable does it need to be? Every industry, company and division is probably at a different stage of development. Deloitte describes the following five stages of achieving risk intelligence:
- Tribal & Heroic. Ad-hoc/chaotic; depends primarily on individual heroics, capabilities and verbal wisdom.
- Specialist Silos. Reaction to adverse events by specialists. Discrete roles established for a small set of risks, typically finance, insurance, and compliance.
- Top-Down. Tone set at the top, policies, procedures, risk authorities defined and communicated. Business function primarily qualitative, reactive.
- Systematic. Integrated response to adverse events. Performance linked metrics. Rapid escalation, cultural transformation underway. Bottom-up, proactive.
- Risk Intelligent. Built into decision-making. Conformance with enterprise risk management processes is incentivized. Intelligent risk taking. Sustainable. Risk management is everyone’s job.
Risk Intelligent Enterprises come in all sizes and industries, and each organization tailors its risk management practices to its particular circumstances and needs. Since organizations that are most effective and efficient in managing risk to both existing assets and to future growth will, in the long run, outperform those that are less so, it is advantageous to adopt a process that will increase your risk intelligence.
The Enterprise Risk Management Process
Risk management as a process includes three steps: assessing the risks faced by the organization, implementing programs to mitigate those risks, and monitoring the results. The process is continuous due to the nature of business and the ever-changing environment in which it operates.
Step 1: Assessing Your Risks
An ERM assessment begins with a planning session to identify objectives and consider the scope of risks to be included. Participants should be selected and time requirements should be understood by all involved. Several methods can be used to identify the risks faced by the organization, including a risk questionnaire, confidential interviews, onsite inspections, and technical review of documentation.
Step 2: Implementing Your Programs
Once you have assessed your risks, the next step is to develop strategies that can be implemented to address those risks. This includes prioritizing the risks, agreeing on a course of action, assigning responsibilities, and establishing time frames for completion.
Step 3: Monitoring Success
How do we measure the success of our risk management program: by statistical results or by performance activities? In reality, success should be measured throughout the year based on a combination of both.
Improving Your Risk Intelligence
In the next three issues we will take a closer look at each of these steps and how they can be used to improve your company’s risk intelligence.


