Tag Archives: ERM Implementation

Immediate Vault Immediate Access

Seven Qualities of an Impactful Risk Register

Posted on by

You might have resolved to tidy up some processes and press the “reset” button on your risk register in the new year. Whether you’ve started a new position, want to improve your company’s operations or just overhaul your existing register, the basic foundations are out there.

Demonstrating their altruistic nature, many RIMS members have been offering their insight to those seeking suggestions – even going so far as to send their Excel sheet registers. Here are some criteria for your X and Y axes, culled from the OPIS network and existing resources on Risk Knowledge. While they are by no means a finite list, they can act as building blocks for your new template or register.

buy keflex online desiredsmiles.com/wp-content/uploads/2023/10/keflex.html no prescription pharmacy

  1. Exposure. Define the imminent or possible risk event.
    buy lipitor online desiredsmiles.com/wp-content/uploads/2023/10/lipitor.html no prescription pharmacy

    Examples could be a data breach or earthquake.

  2. Risk Category. Itemize by who or what was affected by the exposure. Employees, property, locations, and systems are some examples.
    buy trazodone online desiredsmiles.com/wp-content/uploads/2023/10/trazodone.html no prescription pharmacy

    If the exposure was public-facing, be sure to include your customers and shareholders.

  3. Cause of Loss. In addition to simply entering the risk origin, also detail whether it was on the radar or completely unforeseen. You might choose to add subcategory (or row) if necessary to document the specifics.
  4. Consequences (Primary and secondary). While many exposures impact the bottom line, it might also include damages to systems, infrastructure, and absences. There are other consequences that are tougher to quantify, such as reputation and employee morale. Subcategories for secondary (and tertiary, and possibly beyond) might be necessary.
  5. Target Risk Level. Driven by each company’s risk appetite level, the target risk level should be the mitigated level. “For example, risk appetite for strategic can be 4 (out of 5), operations 3 and safety 2,” wrote one member on an OPIS thread. “Therefore, any risk should be mitigated to the acceptable risk appetite level within each risk category – hence, a safety risk of 4 needs to be mitigated to a 2 level.”
  6. Expected Losses and Gains. Establish value to the projected outcome. There is certainly a downside risk to natural disasters, particularly where injuries, casualties, and property damage are concerned. But not all risks will be negative; selecting a new cybersecurity system, for example, may have costs but also estimated savings.
  7. Assignee. Just because you are the risk manager does not mean you are responsible for solving all the problems or having all the answers to each risk. A data breach would typically be assigned to the IT leader. However, depending on the size and structure of your organization, you might be the de facto authority on certain exposures, such as emergency preparedness and natural disasters. In those cases, enter your own name and get ready to act.

As stated earlier, these qualities are just starting points as you build your register – you should customize it to your organization and personal preferences.

When reflecting upon the makings of the risk register, one member said that the most critical issue was not the format, but rather “the dialogue that surrounds the register,” adding that “the discovery and discussions were what made that part of the ERM activity useful. Of course, having a nice means of communicating it makes it easier to focus the dialogue.”

RIMS also offers suggestions for ERM programs. Visit the OPIS network to get feedback from members and Risk Knowledge for resources such as the ERM Starter Risk Log Template.

RIMS Report: Establishing and Communicating ERM

Posted on by

Recent trends indicate that management is being consulted more than ever by executives and boards who are looking for information that can aid in decision making. This has moved the value of enterprise risk management (ERM) to the forefront, to give the board an overall view of the risks the company faces.

A report just released by RIMS, Risk Communication to the C-Suite and Board of Directors: Visualizing Enterprise Risk Management Information, explores ERM and offers risk managers strategies to use to determine what they report to decision-makers.

According to the report:

“Without robust information about risk, directors cannot offer effective oversight. Therefore, management should carefully evaluate the format and purpose of board risk communication with consideration to risk governance responsibilities, risk appetite, and the intersection between risk and strategy. This process also ensures that the risk information is of value to the management team as well and not simply ‘paperwork.’”

In order to be proactive, boards have expressed the need for specific information, the authors noted, but with “understanding of risks” and “oversight of risk management” cited as the most important areas for board improvement, “risk managers need to be strategic in the way they disseminate information. What you pass along should be presented carefully so that an executive can easily understand and prepare to translate for stakeholders.”

The professional report highlights information from the National Association of Corporate Directors (NACD), the most recent COSO ERM Framework, and the Corporate Executive Board (now Gartner). Backed by that data, the authors discuss where ERM stands today and, by offering various engagement models and maps, provide suggestions and options for determining:

  • Which executives should receive the information.
  • How to craft the message.
  • Delivery methods.
  • Additional sources of key risk management information.

“In developing a system for delivering key risk information to the board, it must be stated that ERM is not a prescribed science,” the authors wrote. “No two organizations will have the same approach or process for determining what defines key risk information or how it should be delivered.”

The report is co-authored by Julie Cain, senior strategic advisor, information and technology risk management at the Educational Testing Service; Christine Novotny, ARM, RIMS-CRMP, manager risk and insurance for PeaceHealth; and David J. Young, lecturer at the Risk Management and Insurance Program, University of Colorado Denver Business School. The group also presented on this topic at RIMS 2018 Annual Conference & Exhibition in San Antonio.

Risk Communication to the C-Suite and Board of Directors: Visualizing Enterprise Risk Management Information is available to RIMS members only for the first 60 days. After the introductory period, it will become available to the broader risk management community. You can download the report via Risk Knowledge.

Enterprise Risk Management’s Wakeup Call: 10 Years After is also available on Risk Knowledge. Complementary to Risk Communication to the C-Suite, it discusses the importance of integrating ERM into companies’ frameworks as they prepare for the possibility of another financial crisis or a new threat. Read more about the report here.

10 Tips to Excel in ERM

Posted on by

05a9ef2CHICAGO—For many risk managers looking to implement enterprise risk management programs, one of the biggest challenges is figuring out how to do it properly. Unfortunately, as Steve Zawoyski, ERM leader at PwC, pointed out in a session at this year’s RIMS ERM Conference, you will never find the perfect ERM program—it’s basically as mythical as a unicorn. But there are certain key steps you can take to increase your chances for a successful ERM program. Zawoyski’s top tips are:

  1. Establish ERM program objectives. One of the common stumbling blocks to a successful program is the lack of agreement as to why you are doing this in the first place. Some may be doing it in order to make better decisions around strategy while others have governance concerns in mind or are simply doing it because the board said so. Establishing proper objectives will allow you create the program that works best for your organization.
  2. Manage stakeholders. There are likely multiple parties that have a vested interest in your ERM efforts from the board to business managers to legal and audit to regulators.
    buy fildena online youngchiropractic.com.au/wp-content/uploads/2023/10/jpg/fildena.html no prescription pharmacy

    You will need to consider all of their specific needs and concerns.

  3. Align risk functions. Risk management is part of every division’s responsibility. Getting everyone on the same page will avoid allowing fatigue to set in over yet another risk management effort.
  4. Align risk and management processes.
    buy advair rotahaler online youngchiropractic.com.au/wp-content/uploads/2023/10/jpg/advair-rotahaler.html no prescription pharmacy

    It is important to understand how the business is being managed and connect to those processes in order to be in a position share information up and down the organizational hierarchy.

  5. Define risk. The traditional definition of risk denotes a hazard or a failure of some process. Make sure you organization understands that risk is merely uncertainty that can have both a positive or negative impact on objectives. It is ok to take on risk.
  6. Give credit. Different functions already have risk management capabilities and processes. Rather than reinvent the wheel, harvest the data and expertise already out there and build off that. Don’t build unnecessary steps into the process when those areas are already being addressed.
  7. Remember that risk is a four-letter word. Risk is an overused, ambiguous word with an often negative connotation. Risks are nothing more than variables that can present opportunities for greater success.
  8. Beware of risk categories. Labels like operational, financial, strategic or technology are overemphasized and not how business units think of risk.
    buy clomid online youngchiropractic.com.au/wp-content/uploads/2023/10/jpg/clomid.html no prescription pharmacy

    It is more effective to talk about risk in terms of management of hazards, compliance obligations or other uncertainties.

  9. Do your research. It is vital to develop a thorough understanding of the business and its drivers, from its capabilities to its competitive advantages to its strategic priorities and objectives.
  10. Simplify risk appetite. Risk appetite should be considered on a risk-by-risk basis and should boil down to a simple question of once risk controls and processes are in place, are you satisfied with the results?

ERM implementation can be challenging. But according to Zawoyski, it is all about keeping it simple for the stakeholders, ensuring that value is created, aligning to the business and evolving over time. By approaching your program in this way, all stakeholders will understand their role and how ERM relates to the overall strategy of the organization.