In our previous post, we introduced the concept of modern Enterprise Risk Management (ERM) and its importance in today’s rapidly changing business landscape. Now, let’s dive deeper into the language of risk management. Understanding key ERM terminology is crucial for effectively communicating and implementing risk strategies across your organization.
The ‘E’ in ERM: Enterprise-Wide Approach
Enterprise Risk Management emphasizes a holistic view of risk across all levels and areas of a business. The ERM team’s role is to bring together risk insights from every corner of the organization, providing a transparent and comprehensive view of how risk impacts strategic initiatives.
Contrary to the common misconception that risk management hinders business activities, effective ERM actually clears the path for the efficient achievement of objectives. By proactively understanding and managing risks, organizations can make informed decisions and seize opportunities with confidence.
Risks vs. Issues: A Critical Distinction and Opportunity for Alignment
One of the first challenges in implementing effective ERM is aligning various perspectives on what constitutes a risk. People come to the table with different backgrounds and experiences, which can lead to misunderstandings and potential conflicts. Let’s break down this crucial distinction:
- Risks are potential future events that could impact the organization.
- Issues are current problems that need immediate attention, often resulting from risks that weren’t adequately mitigated.
While the ERM team oversees enterprise risk management, issues are typically handled by the specific risk owners within the business units. This distinction helps in allocating resources and responsibilities more efficiently.
Risk and opportunity are two sides of the same coin, as both involve uncertainty and the potential for impactful outcomes, with risk focusing on potential losses and opportunity on potential gains. This perspective shift is crucial for fostering a proactive risk management culture.
Bridging Different Perspectives
ERM teams and consultants must be agile in their approach to bring people together and create a shared understanding of risks. This often involves:
- Reinforcing definitions consistently across the organization.
- Carefully choosing terminology during interviews and assessments to avoid triggering preconceptions that might distract from the goal.
- Emphasizing that the ERM process is intended to work with business units, not against them. It’s not about finding fault or critiquing performance (as might be the case with audit findings), but about collaboratively identifying and managing potential impacts on strategic objectives.
By focusing on risks as both challenges and opportunities, and positioning ERM as a collaborative effort, organizations can overcome the baggage of past experiences and create a more effective, forward-looking risk management approach.
Defining Risk: Enterprise vs. Functional
With a clear understanding of what constitutes a risk, we can now explore the different levels of risks within an organization. Let’s break it down:
- Enterprise Risks: These are potential events or conditions that could negatively impact not just individual business units but the entire organization’s ability to achieve its strategic objectives. They require attention at the highest levels of the organization.
- Functional Risks: These affect specific business units or processes but don’t have the same enterprise-wide impact. They are sometimes referred to as the risk register (operational, financial, compliance, etc.). The relevant business unit or process owner typically owns and manages them, updating the ERM team as they roll up to a broader enterprise risk. We recommend using the term “functional risk” instead of “risk register” to promote a better understanding across the business.
It’s crucial to distinguish between these two types of risks to ensure focused and effective risk management efforts, allowing organizations to allocate resources appropriately and manage risks at the right level.
Critical Concepts in Risk Assessment
Mitigation vs. Remediation
These terms are often confused but represent different stages of risk management:
- Mitigation involves preventive strategies to reduce the likelihood, impact, or velocity of potential risks.
- Remediation refers to corrective actions taken after an issue has been identified, addressing the root cause and any potential resulting impacts.
Both processes are crucial and should be implemented by individual risk owners with guidance from the ERM team.
Inherent vs. Residual Risk
When assessing risks, two key measurements come into play:
- Inherent Risk: The level of risk an organization faces without any mitigation in place.
- Residual Risk: The risk that remains after mitigating measures have been implemented.
The residual risk score is particularly important as it informs strategic decisions on risk management priorities.
Risk Appetite and Tolerance
- Risk Appetite refers to the amount of risk an organization is willing to accept in pursuit of its strategic objectives. We recommend establishing an overall appetite, supported by specific appetite statements for risk themes and/or strategic objectives, all of which should align with the organization’s overall strategy.
- Risk Tolerance is the acceptable level of variation relative to the achievement of a specific objective. At Cential, we suggest that tolerance be shaped by the appetite of the broader risk theme; it can vary for individual Enterprise Risks.
- Note: Cential’s use of Risk Themes is driven by shaping appetite and tolerance. It adapts closely to the organization’s changing business needs and may differ from the conventional COSO framework.
Understanding these concepts helps in setting appropriate risk management priorities and allocating resources effectively.
Impact, Likelihood, and Velocity
These three factors are crucial in evaluating and prioritizing risks:
- Impact: The potential consequences if a risk event occurs, including financial, operational, reputational, and strategic effects.
- Likelihood: The probability of a risk event occurring, based on historical data, trends, and informed predictions.
- Velocity: The speed at which the impact of a risk event can be felt once it occurs, influencing the urgency and type of response required.
The combination of these factors determines the overall risk score, guiding decision-making and resource allocation in risk management efforts.
Knowing The Terms: The Foundation Of A Robust ERM Program
By mastering this essential terminology and understanding the nuances in perspectives, organizations can foster clearer communication about risk across all levels. This shared understanding is the foundation of a robust ERM program, enabling more effective risk identification, assessment, and management.
Remember, the goal of ERM isn’t just to avoid negative outcomes, but to empower your organization to make informed decisions, seize opportunities, and achieve strategic objectives with confidence. By integrating these concepts into your risk management processes, you’re taking a significant step towards building a more resilient and agile organization.
In our next post, we’ll explore how to tailor your ERM program to your specific organizational needs and maturity level, ensuring that your risk management efforts are both effective and efficient.
If you have any questions about implementing these concepts in your organization or would like to discuss your specific ERM challenges, we’re here to help. Reach out to our team of experts for a consultation on how we can tailor our ERM consulting services to your organizational needs.