In our previous blog posts, we introduced Enterprise Risk Management (ERM) as a strategic discipline that affords a "portfolio" view of risk and we outlined how to establish roles and a context for ERM implementation.
In this blog post, we discuss the next two steps in implementing ERM: establishing a risk-aware culture and developing the ERM framework. An organization with a risk-aware culture is prepared to contribute to the ERM effort. The ERM Framework is the roadmap for rolling out that effort.
Establishing the Risk-Aware Culture
A risk-aware culture adopts the notion that “everyone is a risk manager”: it drives risk management down to the individual level. Such a culture shows several visible attributes. Risk management is built into day-to-day operations rather than considered only in planning sessions. A common language for discussing risk (risk categories, likelihood and impact, and so on) is used throughout the organization. There are open, repercussion-free channels for reporting risk and risk response activity. Objectives and practices at the individual level are aligned with the risk strategy and risk tolerances set at the organizational level. As a best practice, risk objectives at the individual level are also built into performance appraisals.
A risk-aware culture is established through a combination of communications. First, senior management must demonstrate its strong support, sponsorship and participation. That message has to be delivered to employees at every level and reinforced in key meetings, speaking forums and internal communication vehicles (e.g., newsletter, intranet, email, signage). Second, considerations of risk and risk response have to be built into objectives for every part of the organization and every individual. This alignment of risk with business objectives presents risk management as an aspect of value creation.
Driving the ERM message down to the individual level usually relies on a range of communication devices, such as self-assessments, risk checklists for common activities and a dedicated web portal for risk-related training, resources and contacts.
Developing the ERM Framework
The ERM framework is a handbook for the participants, giving direction for the day-to-day activities of ERM. It defines roles and key terms. It establishes the categories of risk, such as strategic, operational or financial. It prescribes the common, consistent methodology for identifying and measuring risk. Some salient features of an ERM framework include the following:
The framework will describe the mechanics of the Risk Register, the central repository of risk and risk response activity. The Risk Register typically takes the form of a matrix of risk categories, risk owners, controls, mitigation efforts, insurance coverages and, importantly, “risk scores,” which we discuss below.
The framework will prescribe the method of developing risk scores and prioritizing risk. A common tool for this is a “heat map,” a matrix of likelihood against impact that helps prioritize risk. The “Likelihood and Impact Model” pictured illustrates the concept. In this model, both likelihood and impact are scored on scales of 1 to 5, and the product of the two ratings is the total score for the risk (from 1 to 25). The total score determines the priority of the risk: the higher the score, the higher the priority. One caveat: because the score is a product, a rare but severe risk (likelihood 1, impact 5) and a frequent but minor one (likelihood 5, impact 1) both score 5, so the framework should also say how such ties are resolved, for example by ranking the higher-impact risk first.
Risk Appetite and Risk Tolerances
The framework will describe the calculation of the organization’s Risk Appetite and Risk Tolerances. Risk Appetite is the amount and type of risk the organization is willing to accept in pursuit of its business objectives. Risk Tolerance is the maximum risk the organization will accept for a particular operation or initiative. Risk Appetite and Risk Tolerances help balance the risk-versus-reward equation.
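To make the scoring and tolerance mechanics concrete, here is a small worked example in Python covering the Risk Register, the likelihood-and-impact scoring described above, and the tolerance check described in this section. It is an added illustration, not code from the original post or from The ALS Group’s own framework. The 1-to-5 scales, the product score and “higher score, higher priority” come from the text; the heat-map colour bands, the per-category tolerance values, and the sample register entries are assumptions constructed for the example.

```python
"""Risk register scoring worked through in code.

Added illustration; not code from the original post or from The ALS Group's
own framework. From the text: a 1-5 likelihood scale, a 1-5 impact scale,
score = likelihood x impact, and higher score means higher priority. The
heat-map bands, the per-category tolerance values and the register entries
are constructed assumptions for this example.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # both axes run 1 (lowest) to 5 (highest)


@dataclass(frozen=True)
class Risk:
    name: str
    category: str    # strategic, operational or financial
    owner: str
    likelihood: int  # 1 = rare ... 5 = almost certain
    impact: int      # 1 = negligible ... 5 = severe
    controls: str    # existing mitigation noted in the register

    def __post_init__(self):
        # Reject ratings outside the 1-5 scale before they reach the register.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: likelihood and impact must be 1-5")


def risk_score(risk: Risk) -> int:
    """Total score is the product of the two ratings (range 1-25)."""
    return risk.likelihood * risk.impact


def heat_band(score: int) -> str:
    """Assumed colour bands over the 1-25 range; the post does not fix these."""
    if score >= 15:
        return "red"
    if score >= 8:
        return "amber"
    return "green"


# Assumed risk tolerances: the highest score accepted per category.
TOLERANCE = {"strategic": 12, "operational": 9, "financial": 9}


def prioritize(register: list[Risk]) -> list[Risk]:
    """Highest score first. Ties go to the higher impact, so a 1x5 risk
    outranks a 5x1 risk even though the product is the same."""
    return sorted(register, key=lambda r: (-risk_score(r), -r.impact, r.name))


def tolerance_breaches(register: list[Risk], tolerance=TOLERANCE) -> list[Risk]:
    """Risks whose score exceeds the tolerance set for their category."""
    return [r for r in register if risk_score(r) > tolerance[r.category]]


def heat_map(register: list[Risk]) -> dict[tuple[int, int], list[str]]:
    """Cell (likelihood, impact) -> names plotted there; empty cells omitted."""
    cells: dict[tuple[int, int], list[str]] = {}
    for r in register:
        cells.setdefault((r.likelihood, r.impact), []).append(r.name)
    return cells


# Constructed sample register (not real client data).
SAMPLE_REGISTER = [
    Risk("Ransomware outage", "operational", "CIO", 4, 5, "backups, EDR"),
    Risk("Key supplier insolvency", "strategic", "COO", 2, 4, "dual sourcing"),
    Risk("FX exposure", "financial", "CFO", 3, 3, "hedging"),
    Risk("Regulatory fine", "financial", "GC", 2, 5, "compliance reviews"),
    Risk("Office lease renewal", "operational", "COO", 3, 2, "early negotiation"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        s = risk_score(r)
        print(f"{s:>2} {heat_band(s):<5} {r.category:<12} {r.owner:<4} {r.name}")
    print("over tolerance:", [r.name for r in tolerance_breaches(SAMPLE_REGISTER)])
```

Running the script lists the register in priority order (the ransomware entry, 4 × 5 = 20, comes first) and flags the two entries whose score exceeds the assumed tolerance for their category. The tie-breaking rule in `prioritize` is a design choice for the example: it resolves the 1 × 5 versus 5 × 1 ambiguity of a pure product score in favour of impact, which is the direction most frameworks lean.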
ERM frameworks are frequently modeled on an established standard. Two of the leading standards have been the COSO ERM – Integrated Framework and ISO 31000. The COSO standard takes a governance and audit approach. It emphasizes defining responsibilities, principles of management and lines of communication for reporting on risk and control. ISO 31000 takes a process approach. It breaks the risk management process down into individual steps. Other standards have evolved to address specific industries. For example, the American Society for Healthcare Risk Management (ASHRM) developed an ERM framework for healthcare and the U.S. federal government developed an “ERM Playbook” for its agencies. The ALS Group cultivated its own ERM framework by assembling the best elements of the leading standards, combined with our ERM best practices. Our framework is then customized for each client, based on industry and their specific needs.
The risk-aware culture and the organization’s ERM framework work hand-in-hand. Where the ERM framework is the manual that guides ERM activity, the risk-aware culture is the “frame of mind” that prepares the staff to embrace ERM and contribute to its success.
Contact us for help with drafting your ERM framework or establishing a risk-aware culture.
In our next post in this series, we’ll talk about Risk Appetite and Risk Tolerance in more detail.