One of the critical parts of an enterprise risk management system is a framework that identifies areas of risk to the organization. At a recent NeuGroup ERM peer group meeting, one member gave an overview of his company’s program, which is stated in four broad categories. In this configuration, risk was viewed both as risk to the enterprise and risk to the business units (vs. ordinary business risks). When the presenting company thinks of risk, it asks itself, “Do we have the appropriate risks identified and is there alignment of framework and strategy?”
To start, the presenting member explained ERM’s evaluation of the corporation at the business level. The focus is on five to eight risks in the following areas:
–Strategic–competition
–Product–technology changes
–Execution–quality of products
–Financial–management
Of these, the six most important risks to the organization are reported with commentary provided around the risk. The risks are evaluated at the business unit level and ranked (1–5) as to the likelihood of occurrence.
A comprehensive review by the ERM team included what the company was presenting to the world (regulators and the like) along with the question of how this was affecting ERM overall. To look externally, they utilized common tools such as COSO and ensured their terminology was up to date. To look internally, they read through employees’ comments on an annual opinion survey that queried respondents about their views on company risks. They paid special attention to these employee observations and concerns to make sure they had not missed anything.
Another member at the meeting described how his team put procurement data to good use in evaluating risk. He described how the team looked through procurement data to see where the company has embedded insurance and is thus possibly paying for unnecessary risk coverage. Not only does this show where money might be wasted, but if they drive down the needed insurance, they could possibly broaden to more carriers.
One question that came up during the session regarded how evolving technology was having an impact on the company risk profile. Smart technology is being employed by members to try to be more proactive and “keep up.”
Building an enterprise risk management program is a journey. ERM members indicated they are still establishing and maturing their programs. In some cases, it’s a healthy dissatisfaction with the current state. In others, the program needs to mature to be considered an “established” process. In most circumstances, what with a rapidly changing world, it’s a journey without end.