Using risk prioritization to increase the value of your ERM program
Maintaining a clear picture of your organization’s risk priorities goes beyond simply having a risk assessment process.
Many enterprise risk management (ERM) programs are inundated with competing interests. Often, they are too narrow in how risk information is collected, reviewed, and managed. The biggest driver of this lack of focus is that the organization does not understand risk in a single, holistic manner. Across the organization, there may be different definitions of risk, and therefore different priorities.
The primary responsibility of ERM programs is to review all competing interests to ensure that only the most pertinent, timely, and impactful risks are being understood, managed, and mitigated.
To adequately prioritize risk management efforts at your organization, ERM teams need to keep all stakeholders in mind—seeking input from across the organization, including the board. Many risk programs treat the board as an output stakeholder. However, actively engaging the board in the risk prioritization process will add much-needed perspective. The more input received and perspective gained from all parties, the higher the quality of risk information that feeds the program.
Not all risks are created equal
Your risk management strategy needs to be directly tied to organizational strategy—and with a single, common definition of risk. When these strategies are integrated, the ERM team can easily distinguish risks that are truly operational in nature from those that could pose an obstacle to organizational strategy.
In many cases, this approach also allows organizations to better understand the risks that are identified and their cascading impact on other risks. A focus on this type of integrated strategy allows for a better understanding of the elements of your risk environment and their true drivers.
Creating a risk culture
For the ERM program to ultimately be successful, the entire organization needs to buy in. Here are five tips to foster a risk culture at your organization:
- Be visible, active, and cooperative across the organization
- Establish the ERM team as the subject matter experts across the organization
- Take a collaborative approach in administration of the program
- Ensure the program is transparent across the organization
- Take the lead in educating and helping others mature their risk management skill sets
A little effort in these areas will go a long way toward improving your ERM program and its value. A successful risk culture, coupled with an integrated risk and organizational strategy, will put any risk program on its way to success.
About the Author
Mike Rost is a key contributor to product strategy at Workiva and works with business leaders in the areas of financial reporting and compliance. With more than 25 years of experience assisting organizations using technology to optimize business processes, Mike has an extensive background in finance and accounting, corporate performance management, and GRC technology. Mike was a founding member of XBRL International with involvement in the XBRL initiative dating back to 1999. He has also been active in industry associations, including the Open Compliance and Ethics Group (OCEG) and the Institute of Internal Auditors (IIA). Mike has a bachelor's degree in economics and an MBA in marketing and finance from the University of Minnesota.