Implementing an enterprise risk management framework

After selecting an ERM framework, an organization will tailor a set of processes to fit that enterprise’s circumstances. ERM processes generally follow those described in ISO 31000.

1. Communication and consultation. The outcome of risk management is awareness and reporting, so the key first step is to develop the communication processes for risk management. That includes determination of stakeholders — anyone interested in how the entity accentuates positive risks and minimizes negative ones. This step sets the stage for risk oversight and decision-making at every level.

2. Establishing the context. Every organization operates in a unique environment and must maintain an acceptable level of each type of strategic risk. Strategy supports mission, so internal context considers business objectives, resources and culture and external context includes factors relating to business, social, regulatory, legislative, competitive, financial and political environments.

Senior leaders need to establish risk criteria — the amount and types of risk the organization is willing to accept relative to objectives. This task represents leadership’s risk appetite and risk tolerance, which details how much risk managers may vary from that appetite. These criteria set the bar for all subsequent risk decisions. A COSO guide provides a detailed explanation of risk appetite.

3. Risk identification. Identify actual uncertainties after determining what matters to the enterprise and receiving guidance on what risk conditions are acceptable in pursuit of the mission. Risk scenarios are identified that could have a beneficial or harmful effect on the enterprise’s ability to conduct business.

One method helpful in identifying possible risk scenarios is taking a top-down bottom-up approach and looking at risk from all directions. Assess the most important elements that enable enterprise operations. Work with internal and external stakeholders to review the risks that might impede those elements. Determine what types of conditions might occur, such as storms, market fluctuations and cyber attacks, and the impact they may have on critical assets.

The resulting list of potential risks should be maintained in a risk register composed of recorded and updated activity. A helpful resource for this portion of risk assessment is the Carnegie Mellon University OCTAVE Allegro process.

4. Risk analysis. After compiling a list of possible risks, analyze the likelihood that each risk will occur and the resultant consequences. Historically, many entities have used a qualitative approach — highly likely or low impact — but many stakeholders have found it helpful to use quantitative risk analysis that yields a more specific likelihood, impact and even frequency of occurrence. Examples of this latter approach are available from the FAIR Institute.

5. Risk evaluation. Determine how to respond to a positive or negative risk.

If a negative risk scenario is within risk appetite and tolerance, then no further action is required. Otherwise, chief risk officers will have to apply controls to reduce the likelihood or impact of a risk event and mitigate the risk to an acceptable level. They may transfer or share some of that risk with another party, such as an insurance policy, that will reduce the impact of a loss. If no options are available, they can look for ways to avoid the risk event.

Options for responding to positive risks are similar — exploit an opportunity, share ownership to better increase the risk likelihood or benefit, enhance the probability and positive impact, or simply accept the positive event’s occurrence.

Risk managers may sometimes ignore risks in the hopes they’ll go away or plan to address them later. This implicit acceptance of risk is dangerous. ERM demands transparency and honest reporting.

6. Risk treatment. Apply the agreed upon controls and confirm that they work as planned. Implementation should also ensure that risk controls are effective and don’t add any unnecessary burden to stakeholders.

7. Monitoring and review. Ongoing monitoring helps ensure the controls are working as intended and identify opportunities for further improvement. Monitoring activities measure key performance indicators and look for key risk indicators that might trigger the actions defined in the overall risk strategy. As the risk landscape changes and enterprise drivers evolve, risk management can be adjusted through a continuous feedback process to increase opportunities and minimize harmful events.

Enterprises might also establish subsidiary frameworks for certain types of business risks. Carnegie Mellon, for example, describes a set of categories into which various risks are assigned and subsequently aggregated, evaluated and monitored. Categories include mission, reputation, life and health safety, compliance and legal, operational and financial.

To address dozens of different risk types, processes can be implemented simultaneously Risks recorded and reported through risk registers are aggregated and integrated to identify the risks most likely to significantly impact the enterprise’s business objectives. Even though the risks are quite disparate, the ERM framework and consistent processes enable common taxonomies and scales that support integration of information into a composite risk picture.

The ERM process looks at the “really big risks, rather than being distracted by little risks,” said Thomas Stanton, noted author and adjunct faculty member at Johns Hopkins University, during his 2017 TED Talk on enterprise risk management. ERM, he added, allows risk managers to make sure those at the top of the organization “know what they need to know to make good decisions.” To demonstrate that ERM can create new opportunities, Stanton paraphrased a comment by former Citigroup CEO John Reed that cars have brakes not only to stop, but also so they can go fast.