What to Present to Your Risk Committee

The RIMS Risk Management Society (LogicManager’s co-author for the RIMS Risk Maturity Model) promotes the adoption of Risk Committees for organizations looking to formalize their enterprise risk management processes.

With more organizations adopting risk committees or similar governance groups, the question remains: what should risk managers present to their risk committee, or conversely, what should risk committees ask their managers to present to them?

Forrester Research, in their report on measuring GRC and ERM performance, identifies over 30 metrics that organizations use to assess the health of their risk management programs. Here are the 3 examples you should adopt immediately for your enterprise risk management program.


Level of Engagement in the Risk Management Process

Arguably, the level of stakeholder engagement is the best indicator for capturing the impact your program is having on the company’s risk exposure. Without engagement, both from the front line and from senior management, your program is just another silo.

Engagement can be measured in a number of different ways. You can look at how often reports are provided to leadership, how many employees are trained in the ERM process, or how frequently front line managers are updating their risk and mitigation environments. While the method may vary by organization, the goal should be to reach approximately 15-30% of the overall employee base, depending on your industry.

Try tracking how many individuals are involved in the risk management process, and measure that number against the 10-20% benchmark. If you’re substantially below, it might be time to increase the scope of your risk assessment process to collect more data.

[Figure: ERM Risk Committee Engagement (from LogicManager)]



Risk Remediation Activities Approved for Implementation

Very simply, this metric captures what you are doing to manage the most critical risks you’ve identified. You should know what project has been approved, who is responsible for its execution, and the approximate date the mitigation activity will go into effect.

If your risk management program isn’t tracking a similar metric or doesn’t have responsibility for executing these activities, keep in mind that nearly all approved governance activities are mitigation practices. Whether it’s a policy change or the procurement of new security software, your risk management program should be able to provide context on which project is of the highest priority, and doing so will give your program clout from a strategic decision-making perspective.

[Figure: From the LogicManager GRC Health Check Report (from LogicManager)]

Upcoming Risk Management Activities

We’ve covered a few indicators that demonstrate what your program has done and is doing, but what about what it will do? What activities are on the radar for your risk management team? Who will you be working with? Risk management is built on 90-day wins, so knowing what’s next is of the utmost importance in establishing the viability and sustainability of any risk management program.

The risk management committee should be able to provide guidance and feedback on what other departments may be struggling with. There are countless examples of how risk management may be able to assist and integrate with the governance silos of your enterprise; the risk committee should help you establish which one is of the greatest priority.


[Figure: From the LogicManager GRC Health Check Report (from LogicManager)]

LogicManager’s customers are provided a health check that can measure the effectiveness of their program even in the first month of implementation. Download our Reporting to the Board eBook for more examples, or check out our ERM Healthcheck Plugin. You can learn more about our ERM software here.


Steven Minsky is a recognized thought leader in risk management, CEO and Founder of LogicManager. Steven is well known for his prescient ability to guide organizations through future risk events. Steven is a frequent speaker in the Energy, Financial Services and Cyber industries. While the first wave of COVID-19 caught many organizations by surprise, Steven predicted the pandemic impacts and published action plans to help organizations prepare.
