Risk Management Newsletter
What Is Your Risk Management IQ?
Risk Management Overview
As the global economic crisis and the subsequent recovery linger on, many organizations have been forced to ponder the many risks lurking in their corridors, in their data center, or with third-party service providers. Perhaps it was an adverse event at one of their competitors that made the news and ended up becoming a public relations nightmare. Or maybe it was an emerging industry trend that got the Board of Directors’ attention? Maybe it is a new technological innovation that has the potential to be a disruptive competitive force? Perhaps it was a minor operational issue that escalated to catastrophic levels. Whatever the motivating factor, it appears that the discipline of risk management has come of age, or at least it has become part of the conversation in today’s organizations.
But then, why are so many organizations hesitant to fully embrace enterprise risk management, or ERM as it is frequently called? Believe me! There is a significant difference between risk management and enterprise risk management (ERM). Risk management denotes a single risk mitigation activity.
What is Enterprise Risk Management (ERM)?
In contrast, ERM is a comprehensive and holistic enterprise-wide risk management activity. ERM is not an ad-hoc decision to conduct a risk assessment of the operational risks within your financial services enterprise after hearing about the recent incident with a leading capital markets firm whose trading platform went down unexpectedly. ERM is not conducting a one-off risk assessment of your data security after hearing about the multiple cyberattacks endured by some large Fortune 500 companies.
ERM is, rather, a centralized framework of procedures, tools, and methodologies that are used to identify, prioritize, remediate and monitor organizational risks and challenges. The primary objective of ERM is to provide timely and relevant risk data and the related control mechanisms in order to facilitate management decisions. These decisions are made by the Board of Directors, executive management and other stakeholders regarding the outcome of the risk mitigation strategies that were used in accordance with the risk appetite of the organization.
Risk Frameworks
The first step in designing and implementing a formal ERM
program is to identify a risk management framework that will
serve as a foundation for identifying and evaluating information.
The next step is to develop an implementation plan.
D. K. Hamilton
18 February 2015 Volume 2015-01-001
Table 1.1—Risk Management Overview (graphic not reproduced)
Table 1.2—COSO-ERM Framework (graphic not reproduced)
While there are many risk management frameworks available in the market, the most prevalent ones are ISO 31000 and COSO-ERM. COSO-ERM is a framework that assists the user with classifying the risk management activities into four domains: (1) Strategic; (2) Compliance & Legal; (3) Operational; and (4) Reporting. ISO 31000 is a framework that is used to facilitate the development and implementation of an ERM program.
ERM Approach & Methodology
ISO 31000 categorizes the core risk management activities into
the following four phases:
1. Risk Identification
2. Risk Prioritization
3. Risk Mitigation
4. Risk Reporting
Risk Identification
Risk Identification is the first phase of the risk management process and it involves identifying the risks and opportunities within a business organization, a governmental institution, a non-governmental entity, or a project. This process may be initiated by management surveys or by live, interactive workshops. In my opinion, the latter are more effective since they usually involve having members of management in a single setting with a facilitator.
The objective is to obtain direct input from various levels of management as to the population of risks and opportunities within the organization. The key to the success of this process is to have the implementation of the program supported either by the highest levels of management or by a very influential person or group within the organization.
Risk Prioritization
Next, the risk population will have to be systematically evaluated in order to prioritize the risks in terms of magnitude. The magnitude of the risk is determined by what we call the threat risk profile. The threat risk profile of each risk is a quantitative measure that is determined by the likelihood of a specific threat occurring and the business impact (should the threat indeed occur). For illustrative purposes, we have chosen a four-tiered threat risk profile, which includes the following risk classes, in order of severity:
• Class IV (Red)—Severe
• Class III (Orange)—Moderate
• Class II (Yellow)—Low
• Class I (Green)—Very Low
Risk Mitigation
The third step is to develop and implement a risk mitigation strategy in accordance with the organization’s risk appetite. The graphic above illustrates that there are four generally accepted risk mitigation strategies that organizations may use:
1. Avoiding Risk—changing or re-designing the business
process in order to change the risk pattern.
2. Sharing and Transferring Risk—mitigating the risk by entering into contractual relationships with third parties who accept and share part of the risk (e.g. insurance, outsourcing, etc.)
3. Diversifying Risk—risk mitigation by allocating the
risk over a number of separate operations (e.g. using
multiple vendors for critical supply chain products and
materials).
4. Accepting & Controlling Risk—the organization decides
to allow and manage certain risks and designs and
implements control activities aimed at reducing the
risk to an acceptable and tolerable level.
For the population of risks that the organization chooses to
accept and control, the next step is to design and implement the
control mechanisms. But first, the organization must conduct an
assessment of the current environment to identify the controls
that already exist to mitigate the risks.
The COSO Integrated Framework of 2013 (COSO 2013) is a good internal control framework that is ideal for facilitating the design, evaluation, and monitoring of internal controls. It is organized into five categories and seventeen control principles. The control categories are: (1) Control Environment; (2) Risk Assessment; (3) Control Activities; (4) Information & Communication; and (5) Monitoring. See Table 1.4 below for a summary of the key elements of the COSO 2013 framework.
Process graphic (not reproduced): Risk Identification, Risk Prioritisation, Risk Mitigation, Risk Reporting
Table 1.3—Summary of Risk Mitigation Strategies
Risk Reporting & Monitoring
The last phase is to report on the status of the ERM activities, and to monitor the risk profiles for any significant changes that may require remediation. Now, there are many tools available to facilitate reporting (e.g. Excel, DOMO, GRC System, etc.); however, it is often best if all ERM activity is tracked and monitored via a centralized business application having robust reporting capabilities. Alternatively, you could use a GRC application and import the data into a separate reporting application.
You and your organization must decide on the frequency of the
periodic ERM reporting activities (e.g. monthly, quarterly,
annually, etc.). Regardless of the frequency of reporting, the
ERM reports must be consistent and tailored to the specific
audience. As an illustrative example and best practice, there
should be an executive dashboard that is available and
distributed to the executive management; quarterly and annual
updates from the business to the board; and monthly risk
roundtables by the various functional areas.
Risk Updates
Finally, on an annual basis, the existing risk profile must be reviewed and evaluated to determine any changes therein. The review should also encompass an evaluation of the lower-rated risks to ensure that their profiles have not changed. Last but not least, an action plan should be developed and implemented to remediate the highest-level risks (e.g. Top 10 Risks, Top 5 Risks & Top 5 Opportunities, etc.).
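The likelihood-times-impact scoring behind the threat risk profile described under Risk Prioritization, the per-class tally shown in the Threat Risk Profile chart, the Top N action plan and the annual class-change review described under Risk Updates, as one added example that is not from the newsletter. The 1-5 scales, the class cut-offs and the sample risk catalogs are assumptions; the newsletter names the four classes but gives no thresholds.

```python
from collections import Counter

# Assumed 1-5 ordinal scales; score = likelihood x impact (1..25).
# Class cut-offs are assumptions: the newsletter names the classes only.
CLASSES = (  # (minimum score, class, colour), most severe first
    (15, "Class IV", "Red"),
    (9, "Class III", "Orange"),
    (4, "Class II", "Yellow"),
    (1, "Class I", "Green"),
)

def risk_class(likelihood, impact):
    """Return (score, class, colour) for one risk's threat risk profile."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    score = likelihood * impact
    for minimum, label, colour in CLASSES:
        if score >= minimum:
            return score, label, colour

def threat_risk_profile(catalog):
    """Number of risks per class, as in the 'No. of Risks' chart."""
    counts = Counter(risk_class(*pair)[1] for pair in catalog.values())
    return {label: counts.get(label, 0) for _, label, _ in reversed(CLASSES)}

def top_n(catalog, n):
    """Highest-scoring risks for the action plan (e.g. Top 5 Risks)."""
    return sorted(catalog, key=lambda r: risk_class(*catalog[r])[0], reverse=True)[:n]

def class_changes(previous, current):
    """Annual review: every risk whose class moved, lower-rated ones included."""
    changes = {}
    for name, pair in current.items():
        new = risk_class(*pair)[1]
        old = risk_class(*previous[name])[1] if name in previous else None
        if old != new:
            changes[name] = (old, new)
    return changes

# Constructed sample catalogs: risk name -> (likelihood, impact)
LAST_YEAR = {"Trading platform outage": (3, 5), "Vendor data breach": (2, 4),
             "Regulatory filing delay": (2, 2), "Office flood": (1, 3)}
THIS_YEAR = {"Trading platform outage": (2, 5), "Vendor data breach": (4, 4),
             "Regulatory filing delay": (2, 2), "Office flood": (1, 1),
             "Key supplier insolvency": (3, 4)}
```

Running `class_changes(LAST_YEAR, THIS_YEAR)` reports the downgraded outage risk as well as the upgraded vendor risk, which is the point of reviewing lower-rated risks rather than only the top of the list.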
Benefits of a Risk Management Program
There are many benefits to developing and implementing a formal ERM program, one of which is an overall improvement in the risk awareness culture of the organization. The mere process of going through the ERM implementation exercise improves the overall risk awareness from the Board of Directors, to executive management, down through the tactical level, and finally to the business operations. The most significant benefit, however, would be if members of the organization would view ERM as something more than a compliance-oriented, “check-the-box” exercise.
Other noteworthy benefits to ERM include:
• Strategic Decision-management Tool—useful to assist members of an organization with executing the overall strategy of the organization, project, etc. while minimizing risks and maximizing opportunities.
• Improvement in Risk Culture—develops or enhances the risk culture within an organization.
• Integrated Risk Management Approach—a key benefit of an ERM program is that, when implemented, managed, and monitored correctly, the organization benefits from having a standardized methodology and approach for risk remediation, consisting of:
1. Risk Catalog—the existence of an enterprise-wide Risk Catalog, whereby all organizational risks and the corresponding opportunities are identified, prioritized, tested, remediated, tracked and monitored in a clear and consistent manner, ensures that everyone throughout the organization “speaks the same risk language”.
2. GRC Application—a central repository system to record, track, monitor and report all risks and opportunities, and to record and track the current control activities and management actions (future controls), will enhance the overall operational efficiency and cost effectiveness of the program.
3. Internal Control Framework—the adoption of a uniform internal control framework (e.g. COSO 2013, Basel, etc.) ensures that all control activities are standardized and designed in a cohesive manner.
• Governance, Risk, and Compliance Cost Savings—an ERM program that is centrally managed using a GRC system may result in significant cost savings due to the elimination of redundant risk and compliance efforts from multiple risk and compliance activities and separate evaluations (external audits, internal audits, regulatory reviews, etc.).
Table 1.5—Threat Risk Profile (chart, not reproduced: No. of Risks by Risk Management Class, Class I to Class IV)
Table 1.4—Summary of COSO Integrated Framework (2013)