Goal Setting And Ensuring Alignment Of ERM With Business Strategy
At the heart of the COSO ERM framework is the idea of using enterprise risk management to support the achievement of business goals.
Identifying risks by itself does not achieve business goals. Rather, the output of a comprehensive ERM program feeds the strategy for achieving them. Using an ERM framework helps ensure that business goals stay aligned with the organization's mission, vision, and core values.
Identifying And Documenting Risks
A risk should be viewed as anything that can potentially affect the achievement of business goals. All risks must be identified and well documented, from large, enterprise-level risks down to small risks at the level of individual projects or processes. Successful risk identification requires a well-defined process for systematically assessing each area of activity.
Assessment Of Documented Risks
Simply identifying risks is not enough. Management should understand both the likelihood of each risk and the severity of its consequences. Once significant risks have been adequately documented, the next task is to assess them in terms of likelihood and perceived significance.
It is sometimes difficult or impossible to accurately predict the likelihood or time frame of certain risks, such as natural disasters. Management should nevertheless perform the exercise to the best of its ability and at all levels of the organization.
This task is essential to establish confidence in the documented risks. Initial assumptions recorded during group brainstorming sessions may sound reasonable but warrant further study and refinement. Qualitative and predictive analysis will help sort the risks by importance.
There are various methods for assessing documented risks, from simple qualitative approaches such as a priority matrix to deeper mathematical models. The essence of this task is to help management determine which risks deserve their closest attention.
Another option is to create a heat map of risk significance. The purpose of the heat map is to illustrate the risk assessment results in a way that supports an active dialogue about how those results compare to the organization's current risk appetite, and to identify urgent responses that may need to be implemented.
Below is a simplified example of a risk priority overview heatmap:
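The scoring behind such a priority matrix and heat map is straightforward to automate. The following is an added example, not code or data from the original page: it scores a small constructed risk register on 1 to 5 likelihood and impact scales, ranks the risks, flags those above an assumed risk-appetite threshold, and renders a text heat map with likelihood on the vertical axis and impact on the horizontal axis. The scale labels, priority bands, threshold and sample risks are all assumptions chosen for illustration.

```python
"""Qualitative risk assessment: score a risk register on likelihood x impact,
rank it, flag risks above a risk-appetite threshold, and draw a text heat map.
Added example; scales, bands and the sample register are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Ordinal 1..5 scales (assumed; the page names no particular scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    id: str
    description: str
    likelihood: str
    impact: str


def score(r: Risk) -> int:
    """Priority score = likelihood x impact, in the range 1..25."""
    return LIKELIHOOD[r.likelihood] * IMPACT[r.impact]


def priority(s: int) -> str:
    """Bucket a score into a priority band (band thresholds are assumed)."""
    if s >= 15:
        return "critical"
    if s >= 8:
        return "high"
    if s >= 4:
        return "medium"
    return "low"


def rank(register: list[Risk]) -> list[Risk]:
    """Highest score first; sorted() is stable, so ties keep register order."""
    return sorted(register, key=score, reverse=True)


def exceeds_appetite(register: list[Risk], appetite: int) -> list[Risk]:
    """Risks whose score is above the organisation's risk appetite (a score)."""
    return [r for r in rank(register) if score(r) > appetite]


def heat_map(register: list[Risk]) -> str:
    """Render a 5x5 grid: rows = likelihood (5 at top), columns = impact.
    Each cell lists the ids of the risks that land there, or '.' if empty."""
    cells = defaultdict(list)
    for r in register:
        cells[(LIKELIHOOD[r.likelihood], IMPACT[r.impact])].append(r.id)
    lines = ["L/I " + " ".join(f"{i:^8}" for i in range(1, 6))]
    for lk in range(5, 0, -1):
        row = []
        for im in range(1, 6):
            label = ",".join(cells[(lk, im)]) or "."
            row.append(f"{label:^8}")
        lines.append(f"{lk:^3} " + " ".join(row))
    return "\n".join(lines)


# Constructed sample register; ids and descriptions are illustrative only.
REGISTER = [
    Risk("R1", "Ransomware encrypts shared file servers", "likely", "major"),
    Risk("R2", "Flooding at the primary data center", "rare", "severe"),
    Risk("R3", "Sole supplier of a key component fails", "possible", "major"),
    Risk("R4", "Phishing leads to payroll fraud", "likely", "moderate"),
    Risk("R5", "Office printer outage", "almost certain", "negligible"),
]

RISK_APPETITE = 9  # assumed: scores above this need a documented response


if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.id} score={score(r):2d} {priority(score(r)):8s} {r.description}")
    print("\nAbove appetite:", [r.id for r in exceeds_appetite(REGISTER, RISK_APPETITE)])
    print("\n" + heat_map(REGISTER))
```

Note that two risks with the same score can sit in different cells (a frequent, low-impact risk versus a rare, severe one), which is exactly what the heat map makes visible and a single ranked list hides. The appetite threshold here is a score; in practice it is often set per band or per risk category instead.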
Risk Response
The risk response is designed to determine how to respond to high-priority risks. Management is responsible for carefully considering each risk's probability and anticipated consequences, and for weighing all associated costs and benefits, when developing an appropriate risk response strategy. Risk responses fall into four distinct categories:
Risk Avoidance
As the name implies, this type of risk response involves "avoiding" the risk.
For example, a company may decide to relocate because of the risks associated with geopolitical tensions, or to abandon a particularly risky product or service entirely. Sometimes it is too late to avoid a risk because the damage has already been done and the costs incurred. This is why preventive measures and adequate analysis of potential risks are essential if avoidance is to remain a viable response.
Risk Mitigation
Risks can often be mitigated in a variety of ways.
Diversifying the product line reduces exposure to changing trends or seasonal purchasing. Resiliency measures such as offline backups and multiple operations centers reduce the impact of natural disasters, and automating specific tasks reduces the risk of human error.
Simple changes to standard operating procedures, even seemingly mundane ones such as ensuring that company policy is clearly communicated to employees, can sometimes lead to significant risk reduction.
Risk Sharing
Risk sharing transfers part of a risk to another party, most commonly by acquiring insurance to hedge or offset it.
In a financial example, options positions allow investors to hedge against price movements. Joint venture agreements can likewise mean that companies share potential risks and rewards. Risk sharing is the idea of shifting some of the risk to another party, with the understanding that you are replacing the perceived "value" of that risk with a more tangible monetary cost.
Risk Acceptance
Accepting a risk means taking no action to reduce it. Instead of buying an insurance policy, a business may decide to "self-insure". This can take the form of setting aside resources to deal with specific risks should they materialize.
Monitoring Of Identified Risks
Risk identification is not something that is done once. Like business process improvement, it is an ongoing process. The context in which risks are identified is constantly changing, so identified risks need to be monitored continually to determine whether their significance has changed.
Sometimes a change in circumstances can lead to even greater risk; geopolitical unrest is a striking example. Organizations need adequate systems to monitor and respond to changing circumstances and to determine whether identified risks are still a threat.