Tag Archives: ERM framework

Immediate Vault Immediate Access

Seven Qualities of an Impactful Risk Register

Posted on by

You might have resolved to tidy up some processes and press the “reset” button on your risk register in the new year. Whether you’ve started a new position, want to improve your company’s operations or just overhaul your existing register, the basic foundations are out there.

Demonstrating their altruistic nature, many RIMS members have been offering their insight to those seeking suggestions – even going so far as to send their Excel sheet registers. Here are some criteria for your X and Y axes, culled from the OPIS network and existing resources on Risk Knowledge. While they are by no means a finite list, they can act as building blocks for your new template or register.

buy keflex online desiredsmiles.com/wp-content/uploads/2023/10/keflex.html no prescription pharmacy

  1. Exposure. Define the imminent or possible risk event.
    buy lipitor online desiredsmiles.com/wp-content/uploads/2023/10/lipitor.html no prescription pharmacy

    Examples could be a data breach or earthquake.

  2. Risk Category. Itemize by who or what was affected by the exposure. Employees, property, locations, and systems are some examples.
    buy trazodone online desiredsmiles.com/wp-content/uploads/2023/10/trazodone.html no prescription pharmacy

    If the exposure was public-facing, be sure to include your customers and shareholders.

  3. Cause of Loss. In addition to simply entering the risk origin, also detail whether it was on the radar or completely unforeseen. You might choose to add subcategory (or row) if necessary to document the specifics.
  4. Consequences (Primary and secondary). While many exposures impact the bottom line, it might also include damages to systems, infrastructure, and absences. There are other consequences that are tougher to quantify, such as reputation and employee morale. Subcategories for secondary (and tertiary, and possibly beyond) might be necessary.
  5. Target Risk Level. Driven by each company’s risk appetite level, the target risk level should be the mitigated level. “For example, risk appetite for strategic can be 4 (out of 5), operations 3 and safety 2,” wrote one member on an OPIS thread. “Therefore, any risk should be mitigated to the acceptable risk appetite level within each risk category – hence, a safety risk of 4 needs to be mitigated to a 2 level.”
  6. Expected Losses and Gains. Establish value to the projected outcome. There is certainly a downside risk to natural disasters, particularly where injuries, casualties, and property damage are concerned. But not all risks will be negative; selecting a new cybersecurity system, for example, may have costs but also estimated savings.
  7. Assignee. Just because you are the risk manager does not mean you are responsible for solving all the problems or having all the answers to each risk. A data breach would typically be assigned to the IT leader. However, depending on the size and structure of your organization, you might be the de facto authority on certain exposures, such as emergency preparedness and natural disasters. In those cases, enter your own name and get ready to act.

As stated earlier, these qualities are just starting points as you build your register – you should customize it to your organization and personal preferences.

When reflecting upon the makings of the risk register, one member said that the most critical issue was not the format, but rather “the dialogue that surrounds the register,” adding that “the discovery and discussions were what made that part of the ERM activity useful. Of course, having a nice means of communicating it makes it easier to focus the dialogue.”

RIMS also offers suggestions for ERM programs. Visit the OPIS network to get feedback from members and Risk Knowledge for resources such as the ERM Starter Risk Log Template.

RIMS Report: Establishing and Communicating ERM

Posted on by

Recent trends indicate that management is being consulted more than ever by executives and boards who are looking for information that can aid in decision making. This has moved the value of enterprise risk management (ERM) to the forefront, to give the board an overall view of the risks the company faces.

A report just released by RIMS, Risk Communication to the C-Suite and Board of Directors: Visualizing Enterprise Risk Management Information, explores ERM and offers risk managers strategies to use to determine what they report to decision-makers.

According to the report:

“Without robust information about risk, directors cannot offer effective oversight. Therefore, management should carefully evaluate the format and purpose of board risk communication with consideration to risk governance responsibilities, risk appetite, and the intersection between risk and strategy. This process also ensures that the risk information is of value to the management team as well and not simply ‘paperwork.’”

In order to be proactive, boards have expressed the need for specific information, the authors noted, but with “understanding of risks” and “oversight of risk management” cited as the most important areas for board improvement, “risk managers need to be strategic in the way they disseminate information. What you pass along should be presented carefully so that an executive can easily understand and prepare to translate for stakeholders.”

The professional report highlights information from the National Association of Corporate Directors (NACD), the most recent COSO ERM Framework, and the Corporate Executive Board (now Gartner). Backed by that data, the authors discuss where ERM stands today and, by offering various engagement models and maps, provide suggestions and options for determining:

  • Which executives should receive the information.
  • How to craft the message.
  • Delivery methods.
  • Additional sources of key risk management information.

“In developing a system for delivering key risk information to the board, it must be stated that ERM is not a prescribed science,” the authors wrote. “No two organizations will have the same approach or process for determining what defines key risk information or how it should be delivered.”

The report is co-authored by Julie Cain, senior strategic advisor, information and technology risk management at the Educational Testing Service; Christine Novotny, ARM, RIMS-CRMP, manager risk and insurance for PeaceHealth; and David J. Young, lecturer at the Risk Management and Insurance Program, University of Colorado Denver Business School. The group also presented on this topic at RIMS 2018 Annual Conference & Exhibition in San Antonio.

Risk Communication to the C-Suite and Board of Directors: Visualizing Enterprise Risk Management Information is available to RIMS members only for the first 60 days. After the introductory period, it will become available to the broader risk management community. You can download the report via Risk Knowledge.

Enterprise Risk Management’s Wakeup Call: 10 Years After is also available on Risk Knowledge. Complementary to Risk Communication to the C-Suite, it discusses the importance of integrating ERM into companies’ frameworks as they prepare for the possibility of another financial crisis or a new threat. Read more about the report here.

10 Steps to Effective Enterprise Risk Management

Posted on by

Enterprise risk management (ERM) has emerged as a best practice in gaining an overview of strategic, financial and operational threats, and in determining how to mitigate and manage those risks.

A comprehensive approach to risk management is important because it helps management comprehend the true potential of threats and allows organizations to address the cumulative nature of risk.

The following steps can help your company achieve the ERM objective.

  1. Just Do It!
    The process of creating an ERM program is valuable, revealing much about your organization and the interrelatedness of elements within it. Document your efforts in your board minutes and share them with any auditors. You will generally find those parties willing to provide constructive feedback because they have a vested interest in the success of your efforts.
  1. Get a Champion
    Your board of directors is accountable to shareholders and the SEC (if your company is public)—and possibly to other entities by industry—for the adequacy of risk management procedures, controls and ultimately for the competence of management. A logical champion of your ERM efforts is the chairperson of your board audit or ERM committee, followed by the chair of the board and other board members. If these individuals understand that an ERM program can help them discharge their duties and protect them from personal financial risk, you will likely see top-level buy-in and a trickle-down effect through senior management.
  1. Merge the Silos
    If existing risk committees and sub-committees are functioning as intended and get consistently high marks from outside auditors, it’s unlikely that fundamental changes are needed. Yet it is important they understand where they fit in the bigger picture. A board-level champion can help provide this perspective, and reinforce the role of the ERM committee in setting the organization-wide level of acceptable risk.
  1. Weight the Risks
    Certain areas of risk have the potential to seriously harm your organization. Others, however, are less critical. When your management team assembles an ERM framework, create a logical mechanism for assigning relative weights to each area of risk, and to selected components within those areas.
  1. Create a Dashboard
    A dashboard containing a high-level summary of major risk elements supported by “drill-down” detail enables board members and senior managers to connect all the pieces of the risk management puzzle.A dashboard need not be complex. Some managers use Microsoft Excel to create multi-layered risk workbooks, which summarize details provided by the risk sub-committees into a single page of high-level information.
  1. Understand Risk and Reward
    Some risks are worth taking, because the reward is greater than the likelihood and consequences of failure. In other cases the reward does not outweigh the potential consequences. Then there are risks not worth considering, when the risk is a “bet-the-farm” proposition, or is illegal or immoral. Each risk committee and sub-committee should understand the risk-versus-reward proposition.
  1. Set Limits
    One important function of the board ERM committee is to work with management to establish limits to risk taking. Management should make recommendations to the board, supported by reasonable data and arguments, which establish the boundaries of the organization’s risk appetite. Management’s role is to advise and inform, with the ultimate decision resting with the board.
  1. Understand the Cumulative Nature of Risk
    An organization that could sustain itself through one or two major weaknesses, or several minor ones, will succumb under too many. For this reason, the board ERM committee should set limits for both individual risks and cumulatively.
  1. Make It Easy
    In the areas of setting limits and risk weighting, management should make it as easy as possible for board members to comprehend and participate in the process. Distill complex regulations, and use accepted business terminology.

    Implementing an ERM framework should be spread over several months, if possible. Give the board ERM committee two or three recommendations per month, in advance, so they can be reviewed, summarized, presented and adopted at the regular monthly meeting.

  1. Refine, Refine, Refine
    New risks emerge every day, and your process must be flexible enough to identify, quantify and incorporate them. The chief risk officer and other senior managers should devote time to researching emerging risks, imagining worst case scenarios and creating stress tests to understand the implications of critical failures.

A Top-To-Bottom Effort
It is possible for ERM practices to become part of your organizational culture. Global awareness of the process and a rank-and-file understanding of the board’s focus on effective risk management are critical to obtaining the buy-in of the entire organization. After all, risk management is everybody’s job—today more than ever.