What does an effective ERM program look like?
In part 1 of our exploration of the top 10 risk management fundamentals, we reviewed ERM basics such as program setup and documentation, ERM roles and responsibilities, and more. Next, we’ll take a look at five more program elements that help establish a comprehensive approach to assessing and managing risk.
“When an organization has effective ERM, their ability to make better business decisions is greatly enhanced,” says Quantivate Vice President of ERM Services William Hord. “Because they are implementing those decisions with risk in mind, that saves time and capital resources.”
Let’s take a tour of some techniques for measuring, monitoring, and maintaining your ERM program that will help your organization make informed, risk-based decisions.
Risk Management Fundamentals
- Risk Management Policies & Procedures *
- Risk Management Leader *
- Committee(s) and Charter(s) *
- Risk Management Framework *
- Risk Assessments *
- Risk Appetite Statement With Thresholds
- Key Indicators
- Reporting
- Risk Management Training
- Ongoing ERM Program Growth & Maturity
* See Building an ERM Program: Top 10 Risk Management Fundamentals, Part 1
Risk Appetite Statement With Thresholds
Risk Appetite Statement Process:
- Define your organizational goals → These are your strategic objectives
- Determine how you’re going to meet those goals → These are your strategic initiatives
- Identify anything that may impact those objectives and initiatives → These are your potential risks, opportunities, and/or downstream impacts
- Decide how you will monitor potential risks → These are your key risk indicators (KRIs)
- Establish metrics for monitoring overall performance → These are your key performance indicators (KPIs) and risk appetite thresholds for each risk category
Risk appetite thresholds set a lower bound (minimum amount of risk) and an upper bound (maximum amount of risk) that your organization is willing to accept.
Key Indicators
Key Performance Indicators (KPIs)
- A measurement with a defined set of goals and tolerances that gauges the performance of an important business activity
- Demonstrates how effectively an organization is achieving key business / strategic objectives
Key Risk Indicators (KRIs)
- A proactive measurement for future and emerging risks that indicates the possibility of an event that adversely affects business activities
- Provides an early signal of increasing risk exposure in various areas of the enterprise and their potential impact on strategic initiatives and/or objectives
Learn more → Developing Key Indicators
Reporting
Establish reporting lines for:
- The board of directors
- Risk committee(s)
- Audit/supervisory committee
- Departments
Risk Management Training
Develop training processes for:
- Board members
- Managers
- Customize for existing teams vs. new board/management members
Opportunities for training:
- Committee meetings
- Department meetings
- All-staff meetings
- Risk assessments
Ongoing ERM Program Growth & Maturity
Look for potential areas where you can improve and mature your ERM program.
Typical next steps include:
- Expanding risk assessments
- Involving more departments and employees in the assessment process
- Introducing departmental KPIs and KRIs
- Creating an annual review process for your ERM policy, charter, and risk appetite
- Requesting evaluation from internal audit for your ERM program, risks, and controls
Wrapping Up
In this two-part series, we’ve explored some of the risk management elements that can help any organization create, maintain, or mature its ERM program. Hopefully this outline has given you a broad overview of what a well-developed program looks like and started you thinking about which elements might be missing within your organization. If you’re interested in accelerating your ERM capabilities, let us know, and we’ll connect you with information about Quantivate’s ERM Software and consulting services.