Implementing enterprise risk management

Assessment of different types of risks is often managed with disparate processes in separate parts of the organization. To be effective, the ERM function needs to understand the different levels of risk that have an impact on all areas of an organization, and the techniques being used to reduce risk. In this article, we discuss how to implement enterprise risk management using the Strategy and Projects apps.

This article builds on the examples illustrated in Identifying strategic objectives and risks.

What does it mean to implement enterprise risk management?

Implementing enterprise risk management is a continuous and evolving process that ensures an organization is aware of current and emerging risks that could alter expected outcomes, and is able to proactively respond to risks.

There are three key processes involved in implementing ERM:

  • Assessing risk involves developing a common set of assessment criteria that can be used across operating segments, entities, or business units, and determining how much risk an organization faces
  • Prioritizing risk involves comparing the level of risk against pre-determined target risk levels and tolerance thresholds
  • Responding to risk involves examining response options, performing cost-benefit analyses, formulating response strategies, and developing risk response plans

Where do I implement enterprise risk management?

At Diligent, we use the Strategy and Projects app to assess, prioritize, and respond to risk. Our ERM program enables us to align on our values, vision, and valuation, accelerate our growth agenda in our go-to-market capability and product innovation, and ensure we always deliver the best experience to our customers.

The big picture

  • Risk Workshops can be used to collaboratively assess inherent risk within an organization, and the results can be applied to your organizational risk profile.
  • Once the inherent risk assessment is complete, you can visualize risk using configurable Risk Heatmaps, and define risk Treatments by linking Objectives (contained in Frameworks and Projects) with strategic risks.

Once you have finished your inherent risk assessment and preliminary treatment evaluation, you can assess residual risk, and better understand the areas of the organization that are of most concern.

Steps

Ready for a tour?

Let's take a closer look at these features in context.

1. Assess risk

Assessing risk is a process in enterprise risk management that involves determining how much risk an organization faces. Many organizations begin by qualitatively assessing risk first and then develop quantitative capabilities over time to align with their decision-making requirements.

Develop risk assessment criteria

The first step is to develop a common set of assessment criteria that can be used across operating segments, entities, or business units. This allows you to perform diverse risk scoring, assess risk on multiple factors, and specify a risk assessment model that is used for your industry-specific risk framework.

Assess inherent risk

Inherent risk is a calculation that derives from an assessment of an untreated risk – or the raw risk an organization faces if no controls or other mitigating factors have been put in place. Assessing inherent risk involves associating risks with strategic objectives defined in the Strategy Map, and assessing risk across all operating segments on multiple risk scoring factors. Once you specify scores, Strategy automatically calculates the inherent risk.

Tip

To avoid manually scoring strategic risks, you can use Assessment Drivers to automate different risk assessments. You can link a metric created in the Results app to a risk assessment in Strategy in order to inform the assessment, and auto-populate inherent risk scores based on pre-defined metric ranges. Key stakeholders can be notified when changes to the risk assessment occur.

Conduct risk workshops

Risk workshops provide a collaborative online forum for gathering additional input and collaboratively assessing risk with executive management and business unit leaders. External consultants that come into an organization can use the risk workshop feature to conveniently manage and integrate input from various stakeholders. Each participant can score risks, and the scores are automatically averaged and aggregated into a single risk assessment that can be applied into a single risk profile view.

Tip

There are some key things you can do to successfully facilitate a risk workshop:

  • Provide clear definitions of risk scoring criteria: ensure that definitions are available to all participants to provide for a consistent approach to scoring risks. The simplest way to do this is to provide meaningful descriptions in risk scoring factors and individual scores. You can do this while configuring your risk scoring settings. Risk workshop participants will then have access to these definitions while scoring risks.
  • Choose the appropriate participants: choose people from different departments who know the business well and can provide insight into specific business operations.
  • Limit the number of participants: best practice is to involve 10 - 25 participants. If you need to involve large numbers of participants, sending out a survey from the Results app is a more efficient method.

2. Prioritize risk

Risk prioritization is the process of determining risk management priorities by comparing the level of risk against predetermined target risk levels and tolerance thresholds. Risk can be viewed not just in terms of financial impact and probability, but also on the basis of subjective criteria such as health and safety impact, reputational impact, vulnerability, and speed of onset.

Organize risks by state

You can organize risks by assigning each risk to a state and defining its current status in the risk mitigation workflow. Each state is displayed in a separate column within the risk profile. You can move risks from one state to another based on the risk assessment, and your organization's risk tolerance and appetite.

Visualize risks

Visualizing risks helps to establish and communicate a holistic view of risks affecting the organization. Risk Heatmaps are often used to convey the potential likelihood and impact of risks so that strategic decisions can be made for the health of the organization. The Strategy Heatmap can also be used to visualize the aggregation of risk in the organization, and can help to inform decision-making as to where to provide resources to mitigate priority risks.

3. Respond to risk

After prioritizing risks, it's time to define risk response plans and assess residual risk. The ERM function must be extended by the people in frontline operational positions who are closest to the risks – and this can happen by connecting operational risk and control data from Projects to strategic risks in Strategy. This hybrid top-down and bottom-up approach provides the opportunity to achieve comprehensive coverage of all risks identified in annual assessments, and embeds accountability by leveraging the expertise of the appropriate people in the organization.

Define risk treatments

Risk treatments are the measures an organization takes to mitigate risk. Measures may include initiatives, programs, policies, or control objectives, which you can create in Projects and link to strategic risks in Strategy. The linkage helps you ensure complete coverage of all operational risks identified during annual risk assessments, and allows you to determine how well your organization is doing in mitigating risk.

Tip

Sometimes, the preliminary treatment evaluation may show that you are investing too many resources in mitigating a risk (Treatment % >= 100%). In this case, the risk assessment shows potential opportunities for reducing the amount of treatment applied to a particular risk, and scaling back resources associated with the risk treatment.

Assess residual risk

After assessing inherent risk and defining how the risk is being treated, you can perform a preliminary treatment evaluation that assesses how much the treatment reduces the risk. This allows you to identify areas where the business is exposed to risk beyond the organizational risk appetite. Assessing residual risk involves specifying a treatment percentage to define how much of the treatment reduces the inherent risk. The treatment percentage is based on the expected effectiveness of treatment efforts in place, before controls have been tested to provide assurance.

Tip

You can specify a percentage between 0% and 100% for each treatment. The total Treatment % across all treatments linked to a risk can add up to more than 100%. However, an aggregate treatment greater than 100% may indicate that your organization can consider revising the treatment of the risk and reducing the costs associated with treating it.
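The following is an added example, not Diligent's code and not the calculation Strategy performs, that walks through the residual-risk logic described in this section on constructed data: workshop scores are averaged per factor, an inherent risk is derived, linked treatments each remove a percentage of it, and an aggregate Treatment % of 100% or more is flagged as a candidate for scaling back. The inherent-risk formula (likelihood x impact), the participant names and all values are assumptions for illustration.

```python
from statistics import mean

# Constructed sample: three workshop participants scoring one strategic risk
# on two factors using 1-5 scales. Names and values are illustrative only.
WORKSHOP = {
    "CFO":  {"likelihood": 4, "impact": 5},
    "CISO": {"likelihood": 3, "impact": 4},
    "COO":  {"likelihood": 5, "impact": 3},
}

def workshop_scores(participant_scores):
    """Average each factor across participants into a single assessment,
    which is what a risk workshop does with individual scores."""
    factors = {f for s in participant_scores.values() for f in s}
    return {f: mean(s[f] for s in participant_scores.values() if f in s)
            for f in sorted(factors)}

def inherent_risk(scores):
    """Assumed model for this example: likelihood x impact (max 25).
    Strategy's own inherent-risk calculation is not specified on this page."""
    return scores["likelihood"] * scores["impact"]

def evaluate_treatment(inherent, treatments):
    """treatments maps each linked Treatment to the % of inherent risk it is
    expected to remove. Returns (aggregate %, residual risk, over-treated).
    The aggregate may exceed 100%; residual risk is floored at zero, and an
    aggregate of 100% or more is flagged for a resourcing review."""
    for name, pct in treatments.items():
        if not 0 <= pct <= 100:
            raise ValueError(f"{name}: treatment % must be between 0 and 100")
    total = sum(treatments.values())
    residual = inherent * (1 - min(total, 100) / 100)
    return total, residual, total >= 100

def beyond_appetite(residual, appetite):
    """True when residual risk still exceeds the organizational risk appetite."""
    return residual > appetite

if __name__ == "__main__":
    scores = workshop_scores(WORKSHOP)
    inherent = inherent_risk(scores)
    total, residual, over = evaluate_treatment(
        inherent, {"Access review programme": 60, "Vendor policy": 30})
    print(scores, inherent, total, residual, over, beyond_appetite(residual, 5))
```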

Scope and assess process-level risks and controls

Based on the results of the strategic risk assessment, assurance teams can begin planning and scoping micro-level or process-level risks and controls, and centralizing their workpapers and communications in the Projects app. Each engagement can be planned with background, objectives, and scope that frame the final report, and planning files can be attached, as required. The assurance team can quantify risks using a numeric scale based on the risk framework your organization chooses to follow, assess the effectiveness of controls and note any issues, present quantified data to show how effectively the organization's key controls are mitigating expected operational risks, and assign resources to the areas of highest risk.

Tip

You can integrate evidence from control testing in Projects to aggregate transaction data back to the strategic risk in Strategy, and use the data to back up your recommendations to executive management and board members.

What's next?

Learn how to report and monitor risks

Using a combination of the Strategy, Projects, and Results apps, you can track assurance and testing results associated with strategic risks, integrate data to help monitor risks, and generate a variety of reports to share with the relevant stakeholders.

To find out more, see Reporting and monitoring risk.

Enroll in an Academy course

Continue to build your knowledge on the concepts introduced in this article by taking the STRAT 100 learning path.

Academy is Diligent's online training resource center. Academy courses are included at no extra cost for any user with a Diligent One subscription. For more information, see Academy.