Enterprise Risk Management (ERM) within organizations continues to be a work in progress. More and more organizations are embedding tools and risk management techniques each year. However, progress is slow and at times ad hoc.
The value of implementing a more comprehensive approach to ERM – at least in managing Operational Risks – is quite clear. Organizations derive benefits in losses avoided, improved business practices, improved project governance (resulting in time and cost savings) and regulatory compliance. ERM assists in developing an informed assessment of individual Operational Risk categories, aggregated groups of common risks, and the overall risk profile of a business unit or organization.
Operational Risks that organizations face are numerous. In larger organizations, organizational complexity brings with it a multitude of risks. The task of identifying and assessing risks alone is challenging, let alone deciding how to mitigate the myriad of risks that are identified. For those organizations that have a dedicated risk management function, it is important to leverage those skills to strengthen risk management practices.
For organizations commencing implementation of a more holistic or enterprise-wide approach to risk management, the following key steps should be undertaken:
Develop a Risk Framework – A risk framework consists of the set of policies, processes, and systems that together form a fit-for-purpose ERM approach. There are numerous frameworks, templates and 'how-to guides' available. This is the first step and possibly the easiest. As risk management matures in an organization, the risk framework will also evolve.
For managing regulatory and compliance risks, look at establishing an obligations register as part of the framework. This is a detailed list of all regulatory and compliance obligations an organization has across its entire business.
Establish Ownership of Risks – Understand where the ownership of both individual risks and risk categories lies. Wherever possible, place ownership as close as practicable to the business activity or function. Ensure that the risk owners have a full understanding of the risks and are skilled and resourced to manage them.
A formal risk register should be established. This is a register of key business risks in each risk category (use the 52 Risks® framework as a starting point). This will assist both the identification of key business risks and, as each is assessed, ensure action is taken as appropriate.
Establish a Risk Rhythm – Develop an organization-wide risk culture and rhythm. Strive to have risk identification, assessment, mitigation and reporting embedded as a core capability. Encourage the discussion of risk in all management forums, project decision making, and business reviews.
Address Key Risks – Once the risk assessment exercise has been completed and specific risks identified, the final step is to develop and implement plans to address the key risks. For regulatory and compliance risks, move quickly to address the issues. Again, ensure that risk owners have a full understanding of the risks and are resourced to manage them. It is important to bring risk mitigation initiatives to life rather than leave risks sitting in a report, unaddressed and unmitigated.
The above steps will start an organization on the ERM journey and lead to improved outcomes in the day-to-day operation and management of the business.