Key Steps to a Robust Risk Management Program

Our business environment is constantly changing—technologies improve, regulations are modified, competition increases, and demand evolves. Effective risk management grants an ability to adapt to these changes.

Recent headline events, including the Volkswagen emissions deception, the Wells Fargo scandal, and the penalty paid by Dwolla to the Consumer Financial Protection Bureau (CFPB), illuminate powerful motivators for strong risk management programs. Key to a robust program is preventing stressful, and possibly catastrophic, surprises.

When Plains All American Pipeline failed to detect corrosion in its pipeline, for example, the result was a 3,000-barrel oil spill and millions of dollars in fines. The corrosion had gone under the radar because the company did not allocate sufficient inspection resources and did not maintain proper procedures and systems for preventing problems from escalating into emergencies. Risk management best practices, however, could have standardized these procedures throughout the organization and prevented the disaster from occurring.

Complying with regulators like the SEC and CFPB
Dwolla, a small, private e-commerce and online payment company, was found by the CFPB to be guilty of risk management negligence for inadequate data security practices. The catch is that Dwolla did not suffer a data breach and none of its customers were compromised. The CFPB fined Dwolla $100,000 as part of its increased focus on companies’ existing prevention strategies. Regulators are no longer simply pursuing organizations that have suffered risk management incidents; organizations need to take proactive approaches rather than simply hope to get by.

Improving productivity and encouraging innovation
An independent, peer-reviewed report, “The Valuation Implications of Enterprise Risk Management Maturity,” published in The Journal of Risk and Insurance, proved that organizations with mature ERM programs (as defined by the RIMS Risk Maturity Model) can achieve a 25% firm valuation premium over those without. Risk management does not have to be a burdensome addition to daily responsibilities—and if it is executed properly, it won’t. It simplifies daily operations by increasing transparency and allowing more resources to be devoted to value-add activities, like product development and customer services.

Checklist for evaluating your risk management efforts

A better question than “does my organization perform risk management?” is “how effectively does my organization identify and mitigate risks?” The following checklist outlines characteristics common to effective risk management programs. Your organization should prioritize development in these areas.

  1. Effective risk management governance

Boards, through their risk oversight role, are accountable for a risk’s material impact, whether the cause is at the executive level or on the front lines. The SEC considers “not knowing about a material risk” negligence, which carries the same penalties as fraud.

  • The board must monitor the effectiveness of the organization’s risk management process, ensuring it reaches all levels and business areas.
  • Internal auditors must independently confirm the board is informed on all material risks.
  • All material risks must be disclosed to shareholders, along with evidence that they are effectively mitigated.

  2. Performance management and goal management

  • Divide corporate objectives into business-unit contributions.
  • Identify business processes contributing to a goal within each business unit.
  • Cascade goals to all front-line managers within contributing processes.
  • Aggregate goal assessments and determine links between contributing business processes.

  3. Consistent risk identification and prioritization

Risk assessments must address more than high-level concerns. Effective assessments drill into risk events, uncovering the root cause, or problem “driving” the risk. Repeatable risk assessments are based on common numerical scales and scoring criteria across departments.

  4. Actionable risk tolerances

Risk appetite is a high-level statement that serves as a guide for strategic decisions. In order to be actionable, it should be accompanied by its quantitative cousin, risk tolerance. Risk tolerance is an effective monitoring technique for key performance goals and risk metrics.

  5. Centralized risk monitoring and control activities

Risk managers need to do more than design processes to identify risks and appropriate responses. A critical third component—monitoring—is the verification of a control’s effectiveness over the risk. A few key things to keep in mind to make monitoring effective:

  • Adjust risk assessments over time (spend less time on risks with decreasing indexes).
  • Reduce testing by identifying areas that can share controls (increase organizational efficiency).
  • Link risks and activities to determine which processes need to be monitored (prioritize activities/initiatives).
  • Monitor business metrics (discover concerning trends before they affect the organization).

  6. Forward-looking risk and goal reporting and communication

In order to continue funding their organizations’ risk management programs, boards need evidence that those programs are working. Risk managers should ask two basic questions before reporting to the board:

  • How might identified risks affect the board’s strategic objectives and key concerns?
  • Which metrics or trends most validate the program’s effectiveness?

These items are just a starting point for an analysis of your organization’s program. For a more in-depth blueprint and “state of ERM” report, take the RIMS Risk Maturity Model (RMM), a free best-practice assessment tool that scores risk management programs and generates an immediate report of your organization’s risk maturity.

How Risk Oversight Fails

For the past few years, Congress, the SEC, rating agencies and even the venerable Risk Management magazine have all been harping on the need for organizations to improve their risk oversight. But as any risk professional worth his or her salt should know, all risk oversight is not good risk oversight.

It’s a very simple, logical fact — but one that is all too often overlooked.

No organization would think that just having management means it has good management. Few would think having an IT department means they inherently have optimal technology. For some reason, however, that is the way many think about risk oversight. We have it — it must be working.


Luckily, has put together a good list of “Ten Ways Risk Oversight Can Fail” to help illustrate the difference.

Not understanding strategic risk management — the next “wave of the future” and something I wrote about in September — is one key way companies fail.

(2) Lack of understanding of, or a failure to monitor, the significant assumptions underlying the strategy – Boards should understand the critical factors that make or break the successful execution of the strategy and ensure a process is in place to monitor business or regulatory changes that could impact those factors.

Charting emerging risks, not surprisingly, was another obvious inclusion.

(4) Failure to identify and manage emerging risks – The board must satisfy itself that management brings to bear the appropriate expertise, processes and information to identify new and complex risks to the execution of the enterprise’s strategy and business model and to manage those risks effectively.

The list also featured a nice summation of what too many organizations consider an actual enterprise risk management program.

(6) The company practices “enterprise list management” – Generating lists of risks over time with no follow-up to understand and close gaps in risk management capabilities is not good practice. Risk management should impact the core management activities that matter – strategy-setting, business planning and performance management.

And, of course, the board — often a laggard on understanding the true risks of the company — can provide a critical point of risk oversight failure.

(10) The board isn’t organized effectively for risk oversight – The board may not be allocating sufficient time and resources to risk oversight. Or the board isn’t availing itself of the appropriate company officers to focus on identifying areas in which management needs to improve the organization’s capabilities and information for managing risk. Or there is insufficient coverage by the board of the enterprise’s risks.

Click through to the full article for the other six ways risk oversight can fail.