Developing and embedding enterprise risk management

The work starts with embedding it.There are various publications and materials to assist you to develop an enterprise risk management framework. For example, ISO31000, COSO, HM Treasury’s Orange Book, IRM guidance, and ALARM’s risk standard and guidance documents. All provide similar best practice and a generally common sense approach.

Designing an enterprise risk framework is straightforward but embedding a thorough and meaningful risk management framework in an organisation is more difficult. The difficult part, or parts are; getting people to believe it, getting people to accept it, getting people to exploit it.

Today, strategic and operational risk, reputational and conduct risk, compliance and financial risk are commonly used terms within a variety of businesses. Many employees, and customers or clients however may not understand their significance.

Many organisations instinctively manage their risks within their business structure. An enterprise risk management framework takes advantage of this innate desire to manage risk because it offers a systematic approach that can be maintained and audited as part of business-as-usual operations. It also has the advantage of providing transparency across a business.

Enterprise risk management

1. Do senior management within your enterprise know what threats will prevent your business from achieving its goals, maintaining desired standards, meeting obligations and continuing as a viable business? Who has responsibility for the management of these business threats? Are there ongoing activities to ensure these threats are articulated and mitigated throughout the business?
2. Do people understand their role in this process? Can you prove
   these activities are taking place? Are they being achieved and reported on? Are lessons being learnt?
3. If you can confidently agree these elements are in place, how can you further embed enterprise risk management within your business?

Below are some top tips that have been offered by our knowledgeable and well-informed client base.

Management buy-in

Gaining senior management buy-in to the enterprise risk management framework and programme is crucial. If management is onboard and understands the importance of risk management and how it can affect business performance, they will help instil new processes and practices to ensure everyone has a risk focus. Talking about risk at a strategic level is essential. Having correct auditing and monitoring procedures supports good enterprise risk management and helps to build reputation – internally and externally.

Training

Creating a network of risk coordinators or champions will help filter the risk message throughout the organisation and encourage greater ownership across departments. It is important to provide training at all levels to guide people through the process of identifying, monitoring, and mitigating risks and using the information gained to make informed business decisions. Another important facet of this network is the ability for the organisation to share and retain invaluable knowledge; important when individuals leave the company. Good knowledge transfer and hand over is key.

Promote enterprise risk management as a management tool

Lead by example: establish one area, department, or project with positive outcomes from use of enterprise risk management to promote what success can look like to the rest of the organisation. For example, if a local council’s objective is to reduce the number of pothole claims it receives by 20% this year, it needs to understand what circumstances would stop this objective being met. Perhaps staff shortages, bad weather, infrequent maintenance checks, lack of equipment and lack of budget for necessary repairs, are the probable threats. By understanding these threats there is a greater chance of meeting the objective when there are appropriate controls for them.

Use an analytical approach to risk management

One of our clients has revamped its reporting and visuals to demonstrate the changes to their risk profile rather than simply displaying a detailed risk register to its managers. This allows for a deeper understanding and enables discussions on different perceptions of risk and effective controls shared across the organisation. Ensuring the reports you provide to management are valuable will ensure greater trust in and use of the information you provide. This will improve the perception and value of risk management within your organisation.

Organisation wide risk responsibility

All managers responsible for a business goal should be responsible for the enterprise risk management associated with that goal, as well as the overall attainment of the objective. This can be added as a key performance indicator. Positive risk behaviour could also be included in personnel reviews to ensure all employees maintain focus on enterprise risk management. This emphasis ensures enterprise risk management is practised company-wide, creating a risk culture throughout an organisation. The manager responsible for reducing pothole claims for example, will track those claims with interest. The manager will make informed decisions about the amount of money spent to maintain and repair highways and reduce the overall number of claims. It may lead to decisions on hiring staff or using contractors to mitigate a potential staff shortage for example.

Risk culture

Creating a risk culture takes time but developing an environment where people talk openly about any issues or problems they are experiencing will help embed a risk culture across an organisation. If everyone is aware of problems, there is a greater opportunity to rectify them. An important part of enterprise risk management is to learn from previous failings or inadequacies. Having an appropriate mechanism to discuss lessons learned in a positive and educational manner is essential to avoid repeating the same issues.

Money talks

If you can demonstrate that the omission of enterprise risk management will be financially detrimental to the business, you will obtain the ear of senior management and will help gain buy-in from the business.

Risk software

Using a centralised risk management tool that links all risks back to the company’s strategic objectives can give greater visibility to and control of risk management to all employees. The ability to run reports from software used by everyone provides valuable information quickly and easily. This is essential when making business critical decisions. For auditing, insurance, compliance, and governance, purposes a central system also demonstrates that risk management is being undertaken and kept up-to-date.