Risk managers are charged with ensuring transparency, alignment, and forward-looking views throughout the organization. The way this is achieved is through risk assessments.
Successful enterprise risk assessments can be a powerful tool for board and management level strategic decision making by connecting business activities to goals and identifying the risks that threaten to derail these strategic objectives. An unsuccessful risk assessment is little more than a form over substance activity that lacks context and actionable results.
So, how do you implement a successful enterprise risk assessment?
The key is being able to compare information across functions and levels while keeping one comprehensive risk picture.
- Standardize your Risk Assessment Templates - Activities like vendor management, business continuity, compliance, IT, financial reporting, operations, internal audit, and others are all informal risk assessments. When these assessments are carried out on the same standards and assumptions, defined in a taxonomy, they can be compared and used cross-functionally.
- Common Root Cause Risk Identification Approach - Risk managers should provide a common root cause risk library to process owners so that when multiple areas choose the same risk, systemic risks as well as upstream and downstream dependencies can easily be identified and mitigated. This method also identifies areas that would benefit from centralized controls, so the extra work of maintaining separate activity-level controls is eliminated.
- Performance Management: Alignment of Activities, Goals and Risks - Risk managers need to tie root cause risks to strategic goals and trace these same risks through the process areas that they affect in order to determine which activities will roll-up to impact organizational objectives. Once these connections are made clear, risk managers are able to prioritize the effectiveness of controls, so that resources and focus are allocated to the issues that will yield the greatest benefit to the organization.
- ERM Reporting: Group Information for Multiple Stakeholders - Because assessments are conducted on the same standards and assumptions and risks are identified at a root cause level from a common library, process owners can do one risk assessment, and the information can be sliced, diced, and aggregated to serve multiple purposes. It will provide a functional insight for the process owner, tie into governance areas like vendor management, and serve a strategic purpose by rolling-up into board level objectives.
- Risk Appetite: Timing and Trends - Risk assessments must be conducted on a regular basis and when approaching business changes, new initiatives, or high-risk issues. Being able to view trends over time gives the organization's static risk profile context and a reference point, so that necessary actions can be taken when small changes in the risk profile first appear, before things get out of tolerance.
To see these best practices in action, uncovering changes in risk in order to prioritize controls, tests, and business metrics, watch this 5-minute video.