Regardless of industry or organization size, understanding your organization's enterprise risk profile is a critical tool in strategic and managerial decision-making.
Enterprise risk management is really about setting risk thresholds that let teams measure existing risk levels against the desired risk appetite.
Measuring overall risk and comparing it to the organization's comfort level lets managers see whether they are taking excessive risk in one area while taking too little risk in another.
Ultimately, the product, service and departmental risks all funnel up to an organization-level risk rating, which managers and the board of directors can use as a guide to future decision-making.
Within enterprise risk management (ERM), one question comes up often: “Where do I start an effective ERM program?” There is no one-size-fits-all approach to ERM, but a variety of templates and ERM software packages can reduce the time needed to assemble a functioning risk program.
The tenets of a good risk program include:
- Identification of risks by department, product or service.
- Rating each inherent risk by its likelihood of occurring against its severity if it did occur.
- Controls: what controls are in place to mitigate the inherent risk, and how effective are they at reducing it?
- Residual risk: the inherent risk (from likelihood and severity) less the effect of the mitigating controls gives a residual risk rating for that department, product or service.
All of the risks from a particular area are aggregated into a dashboard that shows trend lines up or down over time and compares the residual risk that exists to the organizational risk appetite.
For example, a company might want a “low” risk rating for product production (emphasis on a high-quality product with few defects or production issues). The team could decide that the aggregate risk rating for that category (all the risks in the category added together) must not exceed 100.
If reporting shows a 25 for multiple quarters, that could prompt consideration of taking more risk going forward. Or, if another area of the organization is exceeding its risk threshold, the lower production risk might help keep the enterprise-level risk in check.
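The scoring and roll-up described above, as an added worked example (this is illustrative code written for this page, not a tool or template from the original). It assumes a 1..5 scale for likelihood and severity, treats control effectiveness as the fraction of inherent risk a control removes, and uses a constructed risk register and constructed quarterly history; the category ceiling of 100 and the "25 for multiple quarters" figure come from the text, everything else is made up for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Scales are assumptions for this example: the page only says risks are rated by
# likelihood against severity and gives a category ceiling of 100.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Risk:
    """One identified risk, owned by a department, product or service."""
    name: str
    category: str
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    severity: int                 # 1 (negligible) .. 5 (catastrophic)
    control_effectiveness: float  # share of inherent risk the controls remove, 0.0..1.0

    def __post_init__(self) -> None:
        # Reject out-of-scale ratings early: a silent 0 or 6 skews every total downstream.
        for field in ("likelihood", "severity"):
            value = getattr(self, field)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: {field}={value} outside {SCALE_MIN}..{SCALE_MAX}")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: control_effectiveness must be within 0.0..1.0")

    def inherent(self) -> int:
        """Inherent risk: likelihood x severity, before any controls."""
        return self.likelihood * self.severity

    def residual(self) -> float:
        """Residual risk: inherent risk less what the controls mitigate."""
        return self.inherent() * (1.0 - self.control_effectiveness)


def aggregate_residual(register: list[Risk]) -> dict[str, float]:
    """Sum residual risk per category (department, product or service)."""
    totals: dict[str, float] = defaultdict(float)
    for risk in register:
        totals[risk.category] += risk.residual()
    return dict(totals)


def compare_to_appetite(residuals: dict[str, float], appetite: dict[str, float]) -> dict[str, dict]:
    """Status of every category against its appetite ceiling.

    A category with a ceiling but no rated risks is reported as 'not assessed'
    rather than silently passing, and a category with risks but no ceiling is
    reported as 'no appetite set', so gaps in the program stay visible.
    """
    report: dict[str, dict] = {}
    for category in sorted(set(residuals) | set(appetite)):
        total, ceiling = residuals.get(category), appetite.get(category)
        if total is None:
            status = "not assessed"
        elif ceiling is None:
            status = "no appetite set"
        elif total > ceiling:
            status = "over appetite"
        elif total < 0.5 * ceiling:
            status = "well under appetite"
        else:
            status = "within appetite"
        report[category] = {"residual": total, "ceiling": ceiling, "status": status}
    return report


def enterprise_rating(residuals: dict[str, float], enterprise_ceiling: float) -> dict:
    """Roll the category totals up into one organization-level figure."""
    total = sum(residuals.values())
    return {"residual": total, "ceiling": enterprise_ceiling, "over": total > enterprise_ceiling}


def quarters_well_under(history: list[float], ceiling: float, fraction: float = 0.5) -> int:
    """Count the most recent consecutive quarters a category stayed below
    `fraction` of its ceiling; several such quarters are the cue to ask
    whether the area could take on more risk."""
    count = 0
    for total in reversed(history):
        if total < fraction * ceiling:
            count += 1
        else:
            break
    return count


# Constructed sample register; names, scores and ceilings are illustrative only.
REGISTER = [
    Risk("Line stop from supplier component defect", "Production", 4, 5, 0.50),   # 20 -> 10
    Risk("Calibration drift on inspection equipment", "Production", 3, 4, 0.75),  # 12 -> 3
    Risk("Untrained staff on night shift", "Production", 3, 4, 0.00),             # 12 -> 12
    Risk("Ransomware on file servers", "IT Security", 4, 5, 0.60),                # 20 -> 8
    Risk("Stale contractor accounts", "IT Security", 5, 4, 0.00),                 # 20 -> 20
    Risk("Unpatched internet-facing application", "IT Security", 4, 5, 0.20),     # 20 -> 16
]
APPETITE = {"Production": 100.0, "IT Security": 60.0, "Finance": 80.0}
PRODUCTION_HISTORY = [60.0, 25.0, 25.0, 25.0]  # constructed quarterly residual totals

if __name__ == "__main__":
    residuals = aggregate_residual(REGISTER)
    for category, row in compare_to_appetite(residuals, APPETITE).items():
        print(f"{category:12} residual={row['residual']} ceiling={row['ceiling']} {row['status']}")
    print("enterprise:", enterprise_rating(residuals, sum(APPETITE.values())))
    print("Production quarters well under appetite:", quarters_well_under(PRODUCTION_HISTORY, 100.0))
```

The "not assessed" and "no appetite set" statuses are the part a practitioner tends to want: a dashboard that only sums what it has been given will show an unassessed department as zero risk, which is the opposite of the truth.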
Aside from questions about the ERM process, there are often questions about who “owns” it. In most organizations that reach a certain size, the ERM function is a position in its own right. However, organizational risk should largely be measured, monitored and tracked by the individual managers of the key business units, with support from the ERM area.
When managers bring risk into their decision-making, the organization develops a risk-based culture. The point of this culture is not to avoid risk or to take excessive risk, but to understand the levels of risk being taken today, how well those risks are being mitigated and what effect future decisions will have on the overall enterprise risk appetite.
There are dozens of flashier “flavor of the day” leadership tools at a manager’s disposal. However, I would be hard-pressed to find a tool as reliable and as effective for an organization’s long-term success as a solid ERM program.