Creating An Enterprise Risk Management Framework

Risk is commonly defined as the combination of the probability and the magnitude of a loss, disaster, or other undesirable event. Put more simply, it is the chance that something bad could happen, weighed against how bad it would be.

Risk management encompasses the identification, assessment, and prioritization of risks followed by a coordinated and economical application of resources to minimize, monitor and control the probability and/or impact of unfortunate events.

Simply put, being smart about taking chances.

Why Does Risk Management Matter?

The cost of identifying and fixing a problem before it materializes is almost always a small fraction of the value that is at risk.

For example, a realistic evaluation of the risks in a large IT portfolio worth over a hundred million dollars should not cost more than half a million dollars, and will probably cost far less.

Think about recent events such as Hurricane Katrina in the US, the Société Générale rogue-trader loss, the BP Deepwater Horizon oil spill in the Gulf of Mexico, and the News of the World phone-hacking scandal.

The financial impact of these events was so large that, with hindsight, the cost of preventing them or limiting their impact looks insignificant.

Risk Management Methods

Expert Intuition: purely a gut-feel method, unencumbered by structured rating or evaluation systems of any kind.

Expert Audit: outside consultant(s) develop a comprehensive checklist and may or may not apply formal scoring or stratification methods.

Simple Stratification: uses green-yellow-red or high-medium-low rating scales across a variety of risky endeavors, and produces a heat map, risk map, or risk matrix. Often a point scale (e.g. 1 to 5, where 5 is the highest) is used to rate likelihood and consequence separately so that the two values can be multiplied together to obtain a risk score.

Weighted Risk Score: dozens of risk indicators, each rated on a scale, are multiplied by a weight and summed to produce a single weighted risk score.
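The following is an added worked example, not code from the original article, showing the two structured methods side by side: a likelihood x consequence matrix with green/yellow/red bands (Simple Stratification) and a weighted indicator score (Weighted Risk Score), followed by the ranking that picks out the highest-scoring risks. The risk register, the indicator weights, and the band thresholds (red at 15 or more, yellow at 6 or more) are all assumptions constructed for the example; a real organization sets its own scales and thresholds.

```python
"""Added example: simple stratification (likelihood x consequence heat map)
and a weighted risk score over a small constructed risk register."""
from dataclasses import dataclass

# 1..5 scales assumed for both axes (5 = highest), as in the text.
SCALE = range(1, 6)


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    consequence: int  # 1 (negligible) .. 5 (catastrophic)


# Constructed sample register; these are illustrative entries, not real data.
REGISTER = [
    Risk("Unpatched internet-facing server", likelihood=4, consequence=4),
    Risk("Loss of a key supplier", likelihood=2, consequence=5),
    Risk("Laptop theft (disk encrypted)", likelihood=3, consequence=1),
    Risk("Rogue trader exceeds limits", likelihood=1, consequence=5),
    Risk("Phishing leads to credential theft", likelihood=5, consequence=3),
]


def risk_score(r: Risk) -> int:
    """Simple stratification: likelihood * consequence, range 1..25."""
    if r.likelihood not in SCALE or r.consequence not in SCALE:
        raise ValueError(f"{r.name}: ratings must be in 1..5")
    return r.likelihood * r.consequence


def rating(score: int, red: int = 15, yellow: int = 6) -> str:
    """Bucket a 1..25 score into heat-map bands. Thresholds are assumptions."""
    if score >= red:
        return "red"
    if score >= yellow:
        return "yellow"
    return "green"


def heat_map(risks: list[Risk]) -> dict[tuple[int, int], list[str]]:
    """5x5 matrix keyed by (likelihood, consequence) listing the risks in each cell."""
    grid: dict[tuple[int, int], list[str]] = {(l, c): [] for l in SCALE for c in SCALE}
    for r in risks:
        grid[(r.likelihood, r.consequence)].append(r.name)
    return grid


def vital_few(risks: list[Risk], top_n: int = 3) -> list[tuple[str, int, str]]:
    """Rank by score, highest first, and keep only the top N for attention."""
    ranked = sorted(risks, key=risk_score, reverse=True)
    return [(r.name, risk_score(r), rating(risk_score(r))) for r in ranked[:top_n]]


def weighted_score(indicators: dict[str, int], weights: dict[str, float]) -> float:
    """Weighted risk score: sum(indicator * weight) / sum(weights).

    Dividing by the total weight keeps the result on the indicators' own 1..5
    scale however many indicators are used, so scores stay comparable.
    A missing indicator is an error rather than a silent zero.
    """
    missing = set(weights) - set(indicators)
    if missing:
        raise ValueError(f"missing indicators: {sorted(missing)}")
    total_weight = sum(weights.values())
    if total_weight <= 0:
        raise ValueError("weights must sum to a positive value")
    return sum(indicators[k] * w for k, w in weights.items()) / total_weight


# Constructed indicator set for one risk; names and weights are assumptions.
WEIGHTS = {"exposure": 0.4, "exploitability": 0.4, "detectability": 0.2}
INDICATORS = {"exposure": 5, "exploitability": 4, "detectability": 2}


if __name__ == "__main__":
    for name, score, band in vital_few(REGISTER):
        print(f"{score:>2} {band:<6} {name}")
    print("weighted score:", weighted_score(INDICATORS, WEIGHTS))
    # Print the matrix with consequence on the rows (5 at the top).
    cells = heat_map(REGISTER)
    for c in reversed(SCALE):
        print(c, [len(cells[(l, c)]) for l in SCALE])
```

Running it ranks the unpatched server (16, red) and the phishing risk (15, red) ahead of the supplier loss (10, yellow); the rogue-trader entry scores only 5 (green) because a 1-5 product hides a low-likelihood, high-consequence event, which is exactly the kind of "vital few" risk a session should examine rather than trust the arithmetic on.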

Once a risk measurement method has been determined, the next step in the process is to organize a risk session.

Risk Assessment Session

Participants are collaborators: a team that works together to articulate risks that may be known only to some members of the group.

Risks that are known unknowns may emerge, and perhaps even some risks that were previously unknown unknowns may become known.

Facilitating a risk assessment session takes special facilitation and leadership skills, and in some organizations members of the internal audit and ERM staff have been trained and certified to conduct risk brainstorming sessions.

Using a cross-functional team of employees greatly increases the value of the process because it sheds light on how risks and objectives are correlated and how they can impact business units differently.

The end result of the process should be a shared risk language specific to the company, or to whichever unit, function, activity, or process is the focal point.

The process will probably generate a lengthy list of risks, and the key is to focus on the “vital few” rather than the “trivial many.”

