4 ways to analyze and improve your enterprise risk assessment process
Your enterprise risk management (ERM) program deserves its own New Year's resolutions. A new year is an ideal opportunity for risk management leaders to take a critical look at their enterprise risk assessment (ERA) process. The entire ERM program is founded upon the ERA, which is used to ensure your risk program is appropriately focused and operating effectively.
A strong ERA process will yield better results from the overall ERM program if it is adequately calibrated and fosters a collaborative, ongoing risk discussion across the organization.
An effective ERA process is not a templated, one-size-fits-all approach. Variables such as individual risk profiles, risk tolerances, and organizational culture and communication issues need to be considered, and they play a significant role in devising a strong risk assessment process.
Here are four considerations for you to assess and analyze your ERA process:
Don’t get stuck in groupthink.
Many enterprise risk assessment processes begin with senior leadership involvement in the annual risk assessment. While this is a great way to get the program off the ground and build support, many valuable risk insights may be missed because the executive team's assessment viewpoints might lack the detailed perspective that only front-line risk owners can provide. Obtaining different points of view from across the organization will ensure that your enterprise risk management program is effectively focused on the most prevalent and critical risks.
Organizations need to consider:
- How involved is the first line of defense? Are there ways to add the first line to the information collection and assessment process?
- How involved is the board of directors? Including board-level insight can positively affect the overall program.
- What is the effect of increased involvement across all levels of the organization on your overall risk culture? Effectively using the ERA process can help organizations build heightened accountability.
Consider a fresh approach.
Risk surveys and facilitated sessions are by far the most prevalent approach to conducting a risk assessment. However, imaginative approaches, such as table-top walkthroughs, scenario analysis, and role-playing exercises, may yield new findings and add a new element to the risk identification and assessment process.
By changing the approach, you'll get opportunities to identify a new or novel risk issue that hasn’t been flushed out through existing processes. It’s a win-win situation for both those involved and the overall risk management program.
Don’t boil the ocean.
If there’s one thing that minimizes the benefits provided by an ERA process, it’s the overcollection and overanalysis of risks. Many organizations try to capture all potential risks to review and analyze. Not only is this time-consuming and burdensome, it also de-emphasizes the critical risks.
Many risks just come with the territory. Since the organization has little to no influence or control over such risks and their potential impact, there is limited value in tracking, monitoring, and assessing them. Instead, you need to focus attention on those risks that can be controlled and managed. Inherent and farfetched risks are not as important, but they are the type of risks that can be identified and tracked through other means.
Examine past risks as you look to the future.
The vast majority of ERA processes focus heavily on retrospective, historical risk information. While you should continually refresh and update existing, known risk data and information throughout the process, there is an opportunity to allow your stakeholders to look ahead and project potential risks that may impact the organization in the future. When doing this, consider the organization’s strategic plan and business objectives.
A "back-to-the-future" approach also positions the risk program as a key input stakeholder in the ongoing business objective and strategy-setting processes for the organization. Insights gained through the ERA process, related to forward-looking risk topics, could provide an invaluable resource to ongoing strategy discussions, both at the executive leadership and board levels.
Whether you’re well-seasoned in your risk management and ERA processes or conducting your first ever ERA, these four areas of focus will help you devise an approach that should allow your risk program to get off to a resounding start in 2017.
About the Author
Ernest Anunciacion, Director of Product Marketing, brings over 15 years of experience in internal audit, risk management, and business advisory consulting to Workiva. Ernest is a Certified Internal Auditor and Six Sigma Black Belt. He holds an undergraduate degree and an executive MBA from the Carlson School of Business at the University of Minnesota.