RIMS Risk Maturity Model: Uncovering Risk

The value of enterprise risk management comes from the ability to uncover and assess risk from not only the managerial, executive level of an organization, but also from the front line employees. Without penetrating the front line, critical risk and performance information is often overlooked.

Real-life examples of this failure are constantly in the news cycle, such as the recent failure of risk management by General Motors, in which faulty ignition parts in their vehicles resulted in massive recalls and tragedy. The issue was known at the front line level but was not uncovered and brought to the attention of those who could act upon the risk. Without an avenue to assign and elevate risk from the first level (the first line of defense), the error was repeated and left unaddressed.

How to Uncover Your Risks

Many organizations implementing ERM are at the stage where their risk assessments are conducted in interviews with executive level senior management. While these interviews are beneficial in addressing an organization’s more strategic risks and opportunities, it’s rarely a strategic risk that lands a company on the front page of the Wall Street Journal.

Before you can assign risk ownership, you have to provide an obvious method for the front line to elevate key concerns. One method is through frequent risk assessment in which the process owners can describe what can go wrong, but other avenues should be leveraged and may already be in place.

Many organizations already have similar programs in place, such as whistleblower hotlines or anonymous incident reporting, but in order for these programs to be effective, the reports coming in must be tied back to a root-cause risk.

The next component is risk ownership: making business areas responsible for what they control and, more importantly, measuring their effectiveness. For example, if we have a root-cause risk of staff competencies, the indicators, or actual occurrences, of this risk could be identified as “errors or task misperformance.” In this manner, a methodology is built that directly links performance indicators and real-life events to the root-cause risks. This framework can be applied across business units, allowing different silos to identify the same risks but use unique performance indicators and metrics for their own department. This allows risk managers to capture front-line variance while keeping a unified picture of enterprise risk.

The Effect on Risk Maturity

Ideally, the process of uncovering risks should be proactive instead of annual or semi-annual. Product launches, new projects and initiatives and reorganizations are all opportunities to identify risks and the ways in which they can be measured. The key then is providing end users with the tools they need to accurately assess risk—a standardized scale, set of criteria, and assessment dimensions such as impact, likelihood and assurance.

With the previous attribute, root-cause discipline, we structured our ERM program to address common foundational issues rather than symptoms. Uncovering risk takes us one step further, tying our root-cause risks to forward-looking business performance metrics so that we can actively identify, mitigate, and manage emerging risks to the organization.

To learn more about uncovering your risks and taking the next step towards effective ERM, download our eBook on ‘5 Steps for Better Risk Assessments’.