Enterprise risk management (ERM) enables a business to deal effectively with uncertainty and the associated risk and opportunity, enhancing its capacity and building value, and is crucial to an organisation’s continued growth and success. This can only be achieved if all three elements of risk – threat, uncertainty and opportunity – are recognised and managed accordingly.
An organisation should adopt a strategic, consistent and structured approach to ERM to achieve an appropriate balance between realising opportunities for gains and minimising losses.
1. Communication and consultation
For the ERM process to be effectively integrated into business operations, a business must establish internal communication and reporting mechanisms to encourage risk accountability and ownership. Management must also embed a culture of risk awareness at all levels.
2. Risk identification
This starts with understanding your business’s goals, objectives and strategy. During the risk identification process, external factors like social, technological, economic, environmental and political should be considered.
3. Risk assessment
A business must develop an understanding of the potential impact risks may have should they occur. A risk assessment rates the potential impact and the likelihood of occurrence, then combines the two to produce an inherent risk rating.
Impact refers to the extent a risk event might affect the organisation, and impact assessment criteria may include financial, regulatory, reputational, stakeholder, customer, environmental, health, safety and operational fields.
Likelihood represents the possibility that a given event will occur. It can be expressed in qualitative terms (almost certain, likely, probable, possible, unlikely), as a probability percentage, or as a frequency.
4. Control identification and assessment
Controls mitigate gross (inherent) risk to an acceptable level. A control may be a single control activity capable of mitigating the risk on its own, or a number of control activities that in combination mitigate the risk to an acceptable level.
To facilitate risk assessment, the following can be used to assess current control effectiveness:
- Design adequacy (adequate or inadequate control): This step assesses whether the control addresses the underlying condition or cause, and whether the cost of implementing it is reasonable for the resulting risk reduction.
- Implementation effectiveness (effective or ineffective control): This step determines whether the control operates as intended once implemented and executed. For example, an inherent risk assessed at a ‘4-Likely’ likelihood or a ‘3-Moderate’ impact rating will have its controls re-assessed. If a control reduces the likelihood of the event to a ‘2-Possible’ rating, the risk exposure is reduced from an inherent ‘High’ to a ‘Moderate’ risk rating.
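As an added worked example (not part of the original article), the following Python script rates inherent risk from a likelihood and impact score, then re-rates residual risk after each control is assessed for design adequacy and implementation effectiveness, as steps 3 and 4 describe. Only a control that passes both assessments earns credit. The scale labels follow the article’s ‘4-Likely’, ‘3-Moderate’, ‘2-Possible’ style; the five-point scales, the Low/Moderate/High/Extreme cut-offs, and the sample control are assumptions chosen for illustration, not a standard the article prescribes.

```python
"""Inherent vs residual risk rating from a likelihood x impact matrix.

Added example; the scales, cut-offs and the sample control are constructed
for illustration and are not prescribed by the article.
"""
from dataclasses import dataclass

# Assumed five-point scales, labelled in the article's 'score-Label' style.
LIKELIHOOD = {1: "Rare", 2: "Possible", 3: "Probable", 4: "Likely", 5: "Almost certain"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}


def label(scale: dict, score: int) -> str:
    """Render a score as e.g. '4-Likely'."""
    return f"{score}-{scale[score]}"


def rate(likelihood: int, impact: int) -> str:
    """Combine likelihood and impact (1..5 each) into a risk rating.

    Cut-offs are an assumed convention based on the product of the scores:
    4-Likely x 3-Moderate = 12 -> High; 2-Possible x 3-Moderate = 6 -> Moderate.
    """
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact scores must be in 1..5")
    score = likelihood * impact
    if score >= 15:
        return "Extreme"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Moderate"
    return "Low"


@dataclass
class Control:
    name: str
    design_adequate: bool          # addresses the underlying cause at reasonable cost
    implemented_effectively: bool  # operates as intended in practice
    likelihood_reduction: int = 0  # likelihood steps removed when the control works
    impact_reduction: int = 0      # impact steps removed when the control works

    def gives_credit(self) -> bool:
        """A control inadequate in design OR ineffective in operation earns no credit."""
        return self.design_adequate and self.implemented_effectively


def residual(likelihood: int, impact: int, controls: list) -> tuple:
    """Apply credited controls and return (likelihood, impact, rating)."""
    lk, im = likelihood, impact
    for c in controls:
        if c.gives_credit():
            lk = max(1, lk - c.likelihood_reduction)
            im = max(1, im - c.impact_reduction)
    return lk, im, rate(lk, im)


def reassess_example() -> dict:
    """The article's scenario: 4-Likely / 3-Moderate with one likelihood-reducing control."""
    inherent = (4, 3)
    # Hypothetical control constructed for the example.
    review = Control("Quarterly privileged-access review", design_adequate=True,
                     implemented_effectively=True, likelihood_reduction=2)
    failed_review = Control(review.name, design_adequate=True,
                            implemented_effectively=False, likelihood_reduction=2)
    return {
        "inherent": rate(*inherent),
        "residual_effective": residual(*inherent, [review]),
        "residual_ineffective": residual(*inherent, [failed_review]),
    }


if __name__ == "__main__":
    r = reassess_example()
    print("Inherent:", label(LIKELIHOOD, 4), "/", label(IMPACT, 3), "->", r["inherent"])
    lk, im, rating = r["residual_effective"]
    print("Residual (control effective):", label(LIKELIHOOD, lk), "/", label(IMPACT, im), "->", rating)
    lk, im, rating = r["residual_ineffective"]
    print("Residual (control ineffective):", label(LIKELIHOOD, lk), "/", label(IMPACT, im), "->", rating)
```

The point the script makes explicit is that a control which fails either assessment step leaves the inherent rating unchanged; a design-adequate control that is not operating as intended is still a ‘High’.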
5. Key risk indicators
KRIs can be a key tool in identifying risk before it materialises, and an effective detection tool for monitoring performance against risk appetite.
KRIs for each of an organisation’s top risks must be:
- mapped to the risk and measured at pre-defined frequency intervals;
- measured against defined thresholds;
- able to generate values that are measurable at a point in time;
- indicative of a potential change to the likelihood and/or impact of a specific risk; and
- able to generate meaningful management information, specifically the trend in risk exposure.
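As an added example (not from the original article), the script below models a KRI the way step 5 describes it: mapped to a top risk, recorded at fixed intervals, compared against pre-defined amber and red thresholds, and summarised as a point-in-time status plus a trend. The two indicators, their thresholds and their monthly readings are constructed for illustration.

```python
"""Key risk indicator (KRI) threshold status and trend reporting.

Added example; the indicators, thresholds and readings are constructed and
are not from the article.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class KRI:
    name: str
    risk: str                 # the top risk this indicator is mapped to
    amber: float              # early-warning threshold
    red: float                # outside-appetite threshold
    higher_is_worse: bool = True
    history: list = field(default_factory=list)   # (date, value), kept sorted

    def record(self, when: date, value: float) -> None:
        """Store a point-in-time measurement."""
        self.history.append((when, value))
        self.history.sort()

    def status(self) -> str:
        """RAG status of the latest reading against the thresholds."""
        if not self.history:
            return "No data"
        v = self.history[-1][1]
        if self.higher_is_worse:
            return "Red" if v >= self.red else "Amber" if v >= self.amber else "Green"
        return "Red" if v <= self.red else "Amber" if v <= self.amber else "Green"

    def trend(self, window: int = 3) -> str:
        """Direction over the last `window` readings, expressed as exposure."""
        if len(self.history) < 2:
            return "Insufficient data"
        values = [v for _, v in self.history[-window:]]
        delta = values[-1] - values[0]
        if delta == 0:
            return "Stable"
        worsening = delta > 0 if self.higher_is_worse else delta < 0
        return "Deteriorating" if worsening else "Improving"


def report(kris: list) -> list:
    """One row per KRI: (name, mapped risk, status, trend)."""
    return [(k.name, k.risk, k.status(), k.trend()) for k in kris]


def sample_kris() -> list:
    """Two constructed indicators with three monthly readings each."""
    patching = KRI("Days to patch critical vulnerabilities",
                   "Exploitation of unpatched systems", amber=14, red=30)
    for when, value in [(date(2024, 1, 31), 10), (date(2024, 2, 29), 12), (date(2024, 3, 31), 18)]:
        patching.record(when, value)

    mfa = KRI("Privileged accounts protected by MFA (%)",
              "Compromise of privileged credentials", amber=95, red=90,
              higher_is_worse=False)
    for when, value in [(date(2024, 1, 31), 93), (date(2024, 2, 29), 96), (date(2024, 3, 31), 98)]:
        mfa.record(when, value)
    return [patching, mfa]


if __name__ == "__main__":
    for row in report(sample_kris()):
        print(" | ".join(str(c) for c in row))
```

Reading the two rows together shows why the article asks for both a point-in-time value and a trend: the patching indicator is only amber, but it has deteriorated across three consecutive readings, which is the signal that the likelihood of the mapped risk may be changing before the red threshold is crossed.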
6. Monitoring and reporting
This process tracks the current status of the risk profile, detects changes in risk context and ensures controls are adequate in both design and operation. Risk reporting ensures that relevant board and management structures are informed of key risks, and that appropriate actions are being taken.