The six major elements for efficient Enterprise Risk Management
In today's changing business landscape, organizations face new challenges and growing complexity. Access to mature Enterprise Risk Management (ERM) expertise makes it possible to build sound strategies for addressing risk.
As defined in COSO's framework "Enterprise Risk Management: Integrating with Strategy and Performance", ERM is the culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.
The six elements of ERM are as follows:
- Establish a Governance Framework: For ERM to succeed, a well-defined governance framework must be in place first. A senior executive should head the ERM function, and a risk committee should be established to monitor ERM activities. The committee should have a charter listing its objectives, the frequency of meetings, the reports to be presented, and so on. In addition, policy and procedure documents should serve as the guiding practices.
- Conduct an ERA: After the governance framework is established, the next step is to conduct an Enterprise-wide Risk Assessment (ERA). The ERA is the process by which risks are identified, assessed, prioritized, and categorized. Care must be taken to limit the register to the key risks only: those that threaten the efficient and effective achievement of the organization's strategy.
- Identify Risk Owners/Key Stakeholders: Once all key risks in relation to the strategy are identified, each key risk should be assigned a risk owner. A risk owner can be a department head or a process owner and is responsible for addressing their risks and reporting their progress.
- Create Risk Mitigation Plans: Risk owners should create risk mitigation plans that bring residual risk within the organization's risk appetite. Each plan should have an agreed target date for implementation so that progress can be tracked against it.
- Risk Committee Meetings: The Risk Committee should meet at periodic intervals to monitor ERM functions as defined in the charter. Risk owners can provide the status of risk mitigation plans, which will help the committee members gauge the pace at which risks are being mitigated.
- Communication/Reporting: The Risk Committee should report status to the board on a quarterly basis. Based on this reporting, the Board of Directors (BOD) can confirm that the risk appetite management is operating within is not too aggressive. In addition, employees should be made aware of their role in contributing to ERM.
Implementing ERM can look like a daunting task at first. Initially, organizations may need the help of internal auditors to perform the first ERA, since there may be no risk owners or framework in place yet. Keeping things simple is always recommended for the first year of an ERM implementation. As the ERM programme reaches the developing stage, the ERA is updated regularly as emerging risks are identified, risk owners provide regular updates on their mitigation plans, and the BOD is actively involved in understanding the status.
Finally, as the ERM programme moves to an optimized stage, it is aligned with strategy and risks are measured using Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs). Bringing an ERM programme to an optimized stage takes time. The more complex or mature the organization, the more robust the ERM process should be.
How can businesses be equipped for ‘black swan’ events?
In risk management, we often come across the term "black swan". A black swan is an event that is rare, falls outside what is normally anticipated in a given situation, and can have very severe consequences.
Internal Audit Services UAE
A good internal auditing system ensures better management of an enterprise by improving its governance, risk management, and management controls.