Risk mitigation strategies to increase the value of ERM
The risk mitigation process
Active risk mitigation is a process that begins where most enterprise risk management (ERM) programs currently end—with reporting and analysis of the risk universe. Done correctly, risk mitigation opportunities are proactively identified during reporting and review phases of the ERM process.
In addition to formally documenting the potential areas of focus with risk assessments, a critical component of effective mitigation is the development and definition of a directed roadmap to execution. This roadmap acts as a project plan to ensure the mitigation efforts have adequate resource allocation, deliverable timelines, and a definition of success.
During the risk mitigation effort, regular status updates should be provided on progress, barriers, dependencies, and adjustments of scope. Upon completion of mitigation, the ERM program should provide an analysis of the residual risks after the implementation.
Risk mitigation strategies
During the active process, there are several risk mitigation strategies that can be used to assess risks, as demonstrated in the above image.
- Accept: Make a deliberate decision to accept the risk and not develop any further plans to control it.
- Monitor: Review the risk universe for any changes that may influence the impact of the risk.
- Avoid: Change the risk processes and requirements to eliminate or reduce the risk.
- Control: Develop further risk mitigation plans to minimize the impact and/or likelihood of the risk.
- Transfer: Reassign responsibility of the risk to another department or stakeholder in the organization for acceptance.
Many organizations view risk management simply as a risk identification function—responsible for ongoing monitoring and regular reporting of the organization's identified and prioritized risks. However, organizations that take this narrow view of risk management are ignoring the value enterprise risk management brings to the table.
The perception of ERM and risk management teams
As a risk practitioner, you may wonder, "How can I take on active risk mitigation activities as an additional component of the ERM program?" In these cases, the ERM function is probably not viewed as a true expert in the area of risk management. Likely, the organization has undertaken little to no activity directly related to the ongoing mitigation of known enterprise risks.
Defining risk priorities for the organization doesn’t ensure that anything can and/or will be done to overcome those risks. By simply calling out the existing and future risk considerations for the organization, the ERM function provides no additional palpable value beyond a framework to measure and assess risk on an ongoing basis.
This is why ERM functions that focus on both identification and prioritization, as well as ongoing efforts to mitigate and overcome obstacles, are viewed as experts and greater contributors to the organization's ongoing strategy.
Practical considerations for increasing ERM's value
To change the perception of the ERM function and be viewed as organizational risk experts, consider taking the following steps:
Collaborate with affected risk owners.
Risk owners live the risk in their day-to-day operations. To the extent that anything can be done to mitigate or even eliminate risk, they are likely highly interested in working with you on that effort.
Define the plan, resources, timing, and deliverables.
Sometimes, it’s as simple as defining where you are expecting to go with risk mitigation efforts. Define the plan, resources, timing, and deliverables that will exhibit value to the organization and aid in the understanding of the level of residual risk.
Understand your risk mitigation approach.
You don’t have to eliminate 100 percent of all risks. Focus on the efforts that will take minimal time and resources but will produce a demonstrable remediation of risk. In some instances, it might be prudent to accept risk in its current state. Don’t be afraid to accept risk where it makes strategic sense.
All of your efforts that focus on risk mitigation have a profound impact on the ongoing assessment and measurement of your risk environment and priorities. Be sure to directly connect and link efforts and output in risk mitigation to the ongoing risk assessment, review, and prioritization process. Not only are you adding significant input, but you are also closing the feedback loop and allowing stakeholders to experience the beneficial impacts that remediation efforts have on the organization’s risk profile and priorities.
The impact of new technology
Most risk mitigation efforts include multiple moving parts and impacted parties. The clearer and more effective the collaboration effort is, the more efficiently and concisely the mitigation effort is managed. To increase collaboration and efficiency, risk practitioners need to leverage new technology to assist with ongoing mitigation efforts.
In addition to collaborative capabilities, ERM programs should look to use a solution that integrates with their overall programs and try to avoid a spot solution geared only toward risk mitigation project management needs. For a more detailed viewpoint on selecting a comprehensive tool for your ERM program, read Harnessing the Power of Technology in ERM.
By taking that initial step to focus on risk mitigation and keeping in mind the four considerations above, you’ll soon begin to transform how your risk function operates and will immediately enhance the value of ERM to your organization.
About the Author
Mike Rost is a key contributor to product strategy at Workiva and works with business leaders in the areas of financial reporting and compliance. With more than 25 years of experience assisting organizations using technology to optimize business processes, Mike has an extensive background in finance and accounting, corporate performance management, and GRC technology. Mike was a founding member of XBRL International with involvement in the XBRL initiative dating back to 1999. He has also been active in industry associations, including the Open Compliance and Ethics Group (OCEG) and the Institute of Internal Auditors (IIA). Mike has a bachelor's degree in economics and an MBA in marketing and finance from the University of Minnesota.