Using risk prioritization to increase the value of your ERM program

August 23, 2016

Maintaining a clear picture of your organization’s risk priorities goes beyond simply having a risk assessment process. 

Many enterprise risk management (ERM) programs are inundated with competing interests. Often, they are too narrow in how risk information is collected, reviewed, and managed. The biggest driver of this lack of focus is that the organization does not understand risk in a single, holistic manner. Across the organization, there may be different definitions of risk, and therefore different priorities.

The primary responsibility of ERM programs is to review all competing interests to ensure that only the most pertinent, timely, and impactful risks are being understood, managed, and mitigated.

To adequately prioritize risk management efforts at your organization, ERM teams need to keep all stakeholders in mind, seeking input from across the organization, including the board. Many risk programs treat the board as an output stakeholder. However, actively engaging the board in the risk prioritization process will add much-needed perspective. The more input received and perspective gained from all parties, the higher the quality of risk information that feeds the program.

Not all risks are created equal

Your risk management strategy needs to be directly tied to organizational strategy and built on a single, common definition of risk. When these strategies are integrated, the ERM team can easily decipher which risks are truly operational in nature versus those risks that could pose an obstacle to organizational strategy.

In many cases, this approach also allows organizations to better understand the risks that are identified and their cascading impact on other risks. A focus on this type of integrated strategy allows for a better understanding of the elements of your risk environment and its true drivers.

Creating a risk culture

For the ERM program to ultimately be successful, the entire organization needs to buy in. Here are five tips to foster a risk culture at your organization:

  1. Be visible, active, and cooperative across the organization
  2. Establish the ERM team as the subject matter experts across the organization
  3. Take a collaborative approach in administration of the program
  4. Ensure the program is transparent across the organization
  5. Take the lead in educating and helping others mature their risk management skill sets

A little effort in these areas will go a long way toward improving your ERM program and its value. A successful risk culture, coupled with an integrated risk and organizational strategy, will put any risk program on its way to success.

Joe Boeser

About the author

Joe Boeser brings over 10 years of experience in risk management, compliance, and ERM to his role as Senior Product Marketing Manager at Workiva. Joe's extensive experience includes developing and implementing risk management and ERM programs as well as directly managing risk and control operations. This includes managing the ERM program at a large banking institution and overseeing SOX and internal audit programs. Joe holds an MBA and Juris Doctor.