Enterprise Risk Management (ERM) is an enabler of risk intelligence, designed to help organizations make risk-informed decisions. ERM is a framework that enables organizations to plan better for internal and external uncertainties, proactively mitigate challenges and capitalize on opportunities.
Mollie Casey, Senior Principal Consultant of Enterprise Risk Management at ABSG Consulting Inc., discusses the essential ingredients of how organizations can better manage their risks.
Methods for Assessing Risk
In today’s dynamic ERM environment, forward-thinking risk managers are continuously monitoring the internal and external landscape to identify challenges and opportunities that could impact the ability of their organization to achieve its strategic objectives. Plentiful tools and techniques are available to support this ongoing risk identification process, including:
- Periodic surveys and focused discussions with stakeholders across multiple levels in the organization on a pre-defined cadence. These surveys and discussions are an opportunity for a risk manager to engage with stakeholders to better understand, from the stakeholder’s perspective, the enterprise risk(s) and potential challenges and opportunities that could arise from those risk(s).
- Key Risk Indicator (KRI) monitoring. KRI monitoring can function as an early warning sign that an enterprise risk could become more likely to materialize. If a KRI goes outside of acceptable limits, actions should be taken to get the KRI back to the acceptable levels.
- Leveraging Artificial Intelligence (AI) tools. AI can be leveraged to perform continuous, automated scans of the external environment for factors that could contribute to an enterprise risk materializing or diminishing.
- Benchmarking. Technology-enabled benchmarking provides an organization with a frame of reference of the challenges and opportunities of similar organizations, e.g., by industry, competitor organizations, geography, organization size. Organizations can analyze, using primarily publicly available data, where their prioritized enterprise risks align and where they might differ from their peers. This analysis can provide a plethora of useful information, including, for example, where additional investment should be made and where some investments should be scaled back.
There isn’t a one-size-fits-all approach to identifying enterprise risks. Factors such as the competitive landscape in which the organization operates, its size and industry, the availability of timely and accurate risk information, and the organization’s appetite and willingness to allocate resources to proactively manage risks should guide investment in the ERM program and in enterprise risk identification.
Once a sustainable and repeatable process for identifying enterprise risks has been established, the risk manager should then look to the next step in the ERM cycle – assessment and prioritization.

Significance of risk analysis in decision-making
The remainder of this piece will focus on assessing and prioritizing enterprise risks by introducing two concepts – risk preparedness and the use of the risk action matrix to create risk action plans.
The definition of risk is uncertainty, so in the assessment stage, the goal of a risk manager should be to create an accurate assessment of each enterprise risk. The goal of assessing enterprise risks is to develop a prioritized list of risks that pose the highest to lowest levels of concern to the organization. In turn, the prioritized list should guide resource allocation decisions – where resources can include people, processes, and technology – so that each enterprise risk can be effectively managed.
The most widely known assessment method is to quantitatively determine the Impact and Likelihood of the risk occurring. In other words:
- if the risk were to materialize, what would the Impact be to the organization, and
- how likely is it that the risk could occur?
Impact scales can be developed by estimating the consequences if a risk materializes. Impacts could include:
- Dollar values, such as hits to revenue or earnings, or in the case of federal agencies, loss of funding, loss of assets, or increased costs
- For federal agencies, the extent of harm to the agency’s mission that the potential risk could cause
- The extent of interventions that would need to occur to restore normal operations
- The number of days it would take to restore normal operations
- Regulatory fines
- Potential lawsuits from impacted stakeholders
- Reputational damage
Impact is often measured across strategic, financial, regulatory / compliance, and operational categories.
Likelihood measures can be developed, for example, by analyzing past occurrences of the enterprise risk, and applying statistical models to estimate the likelihood of the enterprise risk occurring again in the future. Alternatively, subject matter expertise can be sought to assist with determining likelihood measures.
Values from 1-5 are determined for both Impact and Likelihood, where, for Impact, 1 is Some Impact and 5 is Significant Impact, and for Likelihood, 1 is Unlikely and 5 is Very Likely.
Reputational impacts should also be factored into the impact determination, with the understanding that reputation risk cuts across categories. In other words, regardless of whether the risk is strategic, financial and so on, if the risk occurs, there will also likely be a reputational impact.

Inherent Risk = Risk Exposure
Once the Impact and Likelihood for each risk is determined, adding the Impact and Likelihood values and dividing by 2 will give the Inherent Risk for each risk.
Inherent Risk is the likelihood and impact of the risk inherently occurring, without any interventions or mitigations applied to manage a risk. For example, if a cyber breach at a financial institution were to occur, the Impact, inherently, would be 5 or Significant Impact, as the damage from such a breach could be significant, especially if Personally Identifiable Information (PII) is compromised. The Likelihood, inherently, would be a 4 or 5, as cyber attackers continuously become more sophisticated, and financial institutions are often targets of attacks.
Inherent Risk is more commonly described as Risk Exposure, which is defined as the quantification of uncertainty that an organization is facing.
Putting the pieces of Impact and Likelihood together for five example risks, a table can be created that looks like this:

| Enterprise Risk Name | Impact (1 = Low, 5 = High) | Likelihood (1 = Low, 5 = High) | Inherent Risk / Risk Exposure ((Impact + Likelihood) / 2; 1 = Low, 5 = High) |
|---|---|---|---|
| Risk 1 | 4 | 5 | 4.5 |
| Risk 2 | 5 | 3 | 4 |
| Risk 3 | 2 | 4 | 3 |
| Risk 4 | 1 | 4 | 2.5 |
| Risk 5 | 3 | 1 | 2 |
Subsequently, these example risks can be plotted on a heat map showing where each risk lands, whether in the red (High), yellow (Medium) or green (Low) area. The cells have been color-coded for this example; however, each organization should define which values it considers to be high, medium, and low.
The table and heat map can be useful as initial tools. Indeed, the question we often hear from executives is, “I have 1 red risk, 2 yellow risks, and 2 green risks. Now what?”
Introducing Risk Preparedness to determine Residual Risk
The next important factor to understand is the Residual Risk. Residual risk is determined by factoring in two pieces:
- the existing risk mitigations in place, and
- management’s preparedness (i.e., the organization’s capabilities) to manage the risk, commonly referred to as risk preparedness.
Existing risk mitigations could include:
- a working group that has been formed to understand the root causes of a risk and has piloted potential risk mitigations
- an initiative that has been put in place to reduce the likelihood of the risk occurring
- new technology that is being rolled out to reduce the number of errors that are occurring
- a cyber risk insurance policy (or other type of policy) that has been purchased to cover losses if the risk materializes
- Key Risk Indicators (KRIs) that have been developed as early warning indicators that additional risk management interventions may be needed

Risk Preparedness is an important, and often overlooked, measure. Risk Preparedness is measuring and prioritizing the capabilities that are most relevant to managing the risk, and subsequently identifying capabilities gaps and/or overlaps, or capabilities that would provide the greatest return on investment. Risk Preparedness can also be defined quantitatively to determine how prepared the organization is to manage the risk. Scales range from 1 to 5, yet unlike Impact and Likelihood, a Risk Preparedness Level 1 means Very Prepared with strong mitigations currently in place, and level 5 is primarily unprepared, with few to no mitigations currently in place.
Using the table created in the example above, we can expand our risk information table by adding two columns – one each for risk preparedness and residual risk.
Risk 1 Example
In this example, Risk 1 has a high-risk exposure. To get to residual risk, it will be important to analyze and understand the capabilities, and the existing and planned mitigations in place to manage that risk, and whether the capabilities and mitigations are sufficient to address the risk. In this example, let’s assume that the organization has some basic mitigations in place, and the organization has invested limited resources to actively manage the risk. With this in mind, the risk preparedness for Risk 1 would be a 4 or a 5. For this example, we’ll say risk preparedness is a 5 (underprepared).
Risk 3 Example
In a second example, Risk 3 has a Risk Exposure of 3, however the organization has allocated extensive resources to manage the risk. Additional people have been added to the team that owns this risk, and after the team looked at root causes of the risk, they devised risk mitigation strategies to manage this risk, and have created a new process that will reduce the likelihood of this risk occurring. With this in mind, the risk preparedness for Risk 3 would be a 1 or 2. For this example, we’ll say risk preparedness is a 2 (Very Prepared to Prepared).
For the rest of the risks, we’ve filled in arbitrary, illustrative risk preparedness levels. The table now looks like this:

| Enterprise Risk Name | Impact (1 = Low, 5 = High) | Likelihood (1 = Low, 5 = High) | Inherent Risk / Risk Exposure ((Impact + Likelihood) / 2; 1 = Low, 5 = High) | Risk Preparedness (1 = High, 5 = Low) | Status |
|---|---|---|---|---|---|
| Risk 1 | 4 | 5 | 4.5 | 5 | Underprepared |
| Risk 2 | 5 | 3 | 4 | 4 | Underprepared |
| Risk 3 | 2 | 4 | 3 | 2 | Prepared |
| Risk 4 | 1 | 4 | 2.5 | 4 | Prepared |
| Risk 5 | 3 | 1 | 2 | 2 | Overprepared |
Introducing the Risk Action Plan Matrix
A risk action plan matrix depicts an enterprise risk (or all enterprise risks, depending on the need) plotted on a two-by-two matrix based on the Risk Exposure and Risk Preparedness. By considering both the Exposure and Preparedness, risk owners can gain alignment on how to respond to an enterprise risk.
The four quadrants depicted below – Improve, Test, Optimize and Monitor – should align with an organization’s methodology for the assessment, prioritization, monitoring and reporting of its enterprise risks. For example, risks plotted in the Improve quadrant could be reviewed, monitored and prioritized monthly or quarterly via a facilitated discussion between the risk owner, the Chief Risk Officer (or equivalent) and members of the ERM office.
Improve: risks with moderate to high risk exposure and low levels of risk preparedness form the priorities for improvement.
Test: risks with moderate to high risk exposure and strong risk preparedness form the focus for internal audit/internal controls (or equivalent) to provide assurance that the mitigations are adequately designed and operating effectively.
Optimize: risks with low risk exposure and moderate risk preparedness may be consciously accepted or may be a focus to optimize the processes and risk mitigations for greater efficiency.
Monitor: risks with low risk exposure and low risk preparedness are often considered emerging and must remain a focus of ongoing monitoring efforts.

| Risk Action Plan Matrix | Low risk preparedness | Moderate to strong risk preparedness |
|---|---|---|
| Moderate to high risk exposure | Improve | Test |
| Low risk exposure | Monitor | Optimize |
Populating a Risk Action Plan Matrix
When Risk 1’s Risk Exposure and Risk Preparedness are plotted on a Risk Action Matrix, there is a visual confirmation (via the blue dot) that improvement is needed to manage this risk. In the table, the Status indicates that there is a high risk exposure of 4.5 yet a low risk preparedness of 5, meaning that the level of Risk Preparedness is less than the Risk Exposure. Additionally, this risk is well into the Improve quadrant and far to the right. The matrix makes it easy to spot which risks need more resources to mitigate them to acceptable levels.

| Enterprise Risk Name | Impact (1 = Low, 5 = High) | Likelihood (1 = Low, 5 = High) | Inherent Risk / Risk Exposure ((Impact + Likelihood) / 2; 1 = Low, 5 = High) | Risk Preparedness (1 = High, 5 = Low) | Status |
|---|---|---|---|---|---|
| Risk 1 | 4 | 5 | 4.5 | 5 | Underprepared |
Risk 3 Example
When Risk 3’s Risk Exposure and Risk Preparedness are plotted on a Risk Action Matrix, there is a visual confirmation (via the blue dot) that it straddles the Test and Optimize quadrants. In the table, the Status indicates that there is a medium risk exposure of 3 yet a high risk preparedness of 2. In this example, the level of Risk Preparedness is about equal to the Risk Exposure (recall that a Risk Preparedness of 2 is Prepared). In the case of this risk, risk owners should review the risk drivers, and the current and planned mitigations, to determine whether testing or optimizing is the better course of action. Since the Risk Preparedness is slightly higher than the Risk Exposure, this risk could be a candidate for internal control testing to provide assurance that the mitigations in place are adequately designed and operating effectively. Alternatively, if the risk owner determines that the risk is a candidate for optimization, the focus should be on optimizing the processes (related to the risk) and risk mitigations for better efficiency.

| Enterprise Risk Name | Impact (1 = Low, 5 = High) | Likelihood (1 = Low, 5 = High) | Inherent Risk / Risk Exposure ((Impact + Likelihood) / 2; 1 = Low, 5 = High) | Risk Preparedness (1 = High, 5 = Low) | Status |
|---|---|---|---|---|---|
| Risk 3 | 2 | 4 | 3 | 2 | Prepared |
Using the Risk Action Plan Matrix to create a Risk Profile
A Risk Profile is a prioritized list of the most significant risks (i.e., enterprise-level) facing the organization. Organizations can expect to have 10-15 enterprise risks, and those risks should be aligned to achieving the organization’s strategic goals and objectives. By focusing on a small set of truly enterprise-level risks and actively managing those risks, organizations can realize the greatest impact, and the highest return on investment for their enterprise risk management efforts.
In the previous sections we’ve illustrated how to plot individual risks on the Risk Action Matrix, and subsequently determine the suggested risk action based on which quadrant the risk falls into. Understanding this concept enables enterprise risk managers to create the organization’s Risk Profile. The risk profile takes each of the organization’s enterprise risks and plots them on one Risk Action Matrix. Referring to the table detailing the five example risks, when we plot those risks on the Risk Action Matrix, it looks like this:
Referring to the Risk Action Matrix, the risks can then be prioritized in the following order: Improve, Monitor, Optimize and Test. In table form, our example risks would be prioritized in this way. The reader will notice that the new prioritization is Risk 1, 2, 4, 5, 3.

| Risk Action | Enterprise Risk Name | Impact (1 = Low, 5 = High) | Likelihood (1 = Low, 5 = High) | Inherent Risk / Risk Exposure ((Impact + Likelihood) / 2; 1 = Low, 5 = High) | Risk Preparedness (1 = High, 5 = Low) |
|---|---|---|---|---|---|
| Improve | Risk 1 | 4 | 5 | 4.5 | 5 |
| Improve | Risk 2 | 5 | 3 | 4 | 4 |
| Monitor | Risk 4 | 1 | 4 | 2.5 | 4 |
| Optimize | Risk 5 | 3 | 1 | 2 | 2 |
| Test | Risk 3 | 2 | 4 | 3 | 2 |
In conclusion, based on the Risk Action Matrix and subsequent prioritization, the organization should focus first on Risks 1 and 2, which are both in the Improve quadrant.
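The scoring and prioritization described above (Risk Exposure = (Impact + Likelihood) / 2, a 1-5 Risk Preparedness scale, quadrant assignment on the Risk Action Matrix, and the Improve, Monitor, Optimize, Test priority order) can be run as one small procedure. The following is an added example, not code from the article or from ABSG Consulting. The five risks are the article's own example values; the thresholds that decide "moderate to high" exposure and "low" preparedness, and the rule that turns the exposure/preparedness gap into the Status column, are assumptions made here because the article does not state them, chosen so that they reproduce the article's tables.

```python
"""Risk Action Matrix scoring for a small enterprise risk profile."""

# Constructed sample input: the article's five example risks as
# (name, impact, likelihood, risk_preparedness), all on 1-5 scales.
EXAMPLE_RISKS = [
    ("Risk 1", 4, 5, 5),
    ("Risk 2", 5, 3, 4),
    ("Risk 3", 2, 4, 2),
    ("Risk 4", 1, 4, 4),
    ("Risk 5", 3, 1, 2),
]

# Assumed thresholds (not stated in the article): an exposure of 3 or more
# counts as "moderate to high"; a preparedness of 3 or more (1 = Very
# Prepared, 5 = Unprepared) counts as "low preparedness".
EXPOSURE_HIGH = 3.0
PREPAREDNESS_LOW = 3

# Quadrant priority order as given in the article.
ACTION_PRIORITY = {"Improve": 0, "Monitor": 1, "Optimize": 2, "Test": 3}


def risk_exposure(impact, likelihood):
    """Inherent Risk / Risk Exposure = (Impact + Likelihood) / 2."""
    for value in (impact, likelihood):
        if not 1 <= value <= 5:
            raise ValueError("Impact and Likelihood must be on a 1-5 scale")
    return (impact + likelihood) / 2


def risk_action(exposure, preparedness):
    """Map an (exposure, preparedness) pair to a Risk Action Matrix quadrant."""
    if not 1 <= preparedness <= 5:
        raise ValueError("Risk Preparedness must be on a 1-5 scale")
    high_exposure = exposure >= EXPOSURE_HIGH
    underprepared = preparedness >= PREPAREDNESS_LOW
    if high_exposure and underprepared:
        return "Improve"
    if high_exposure:
        return "Test"
    if underprepared:
        return "Monitor"
    return "Optimize"


def preparedness_status(exposure, preparedness):
    """Assumed heuristic for the Status column (the article gives no rule).

    The 1-5 preparedness score is flipped into a capability score (5 = strongest)
    and compared with exposure; a large shortfall is Underprepared, a large
    surplus is Overprepared, anything in between is Prepared.
    """
    capability = 6 - preparedness
    gap = capability - exposure
    if gap <= -1:
        return "Underprepared"
    if gap >= 2:
        return "Overprepared"
    return "Prepared"


def build_risk_profile(risks):
    """Score every risk and return the list sorted into the article's priority order.

    Within a quadrant, higher exposure and then weaker preparedness come first.
    """
    rows = []
    for name, impact, likelihood, preparedness in risks:
        exposure = risk_exposure(impact, likelihood)
        rows.append({
            "name": name,
            "impact": impact,
            "likelihood": likelihood,
            "exposure": exposure,
            "preparedness": preparedness,
            "status": preparedness_status(exposure, preparedness),
            "action": risk_action(exposure, preparedness),
        })
    rows.sort(key=lambda r: (ACTION_PRIORITY[r["action"]], -r["exposure"], -r["preparedness"]))
    return rows


if __name__ == "__main__":
    print(f"{'Action':<9}{'Risk':<8}{'Imp':>4}{'Lik':>4}{'Exp':>5}{'Prep':>5}  Status")
    for r in build_risk_profile(EXAMPLE_RISKS):
        print(f"{r['action']:<9}{r['name']:<8}{r['impact']:>4}{r['likelihood']:>4}"
              f"{r['exposure']:>5}{r['preparedness']:>5}  {r['status']}")
```

Changing the two threshold constants is where an organization encodes its own definition of high, medium and low; with the values above, Risk 3's exposure of exactly 3 lands in Test, which is the decision the article's risk owner reached after weighing Test against Optimize.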
Staying ahead of the ever-evolving risk landscape
Today’s risk landscape is ever evolving, whether that’s risks related to geo-political turbulence, supply chain disruptions, the continual sophistication of nation-state cyber actors, or the rise of artificial intelligence. A robust ERM framework that enables organizations to proactively manage existing risks and to foresee and mitigate the potential impacts of emerging risks could be the difference between thriving and faltering.
Each step towards building and maturing an organization’s ERM framework does involve planning and effort. That said, an ERM framework, done well, can leverage and build upon existing risk management capabilities. By integrating and enhancing those capabilities and using tools such as the risk action matrix to create a risk profile (as described above), an organization can gain an integrated, portfolio view of their risks. This portfolio view can provide an organization with the ability to quickly understand their risk position and subsequently target the enterprise risks that need the most attention. The end result is a more risk-informed organization that better mitigates challenges and capitalizes on opportunities.
