Based upon my experience in Enterprise Risk Management, I was not surprised to see respondents to new State of Enterprise Risk Management research from ISACA, CMMI Institute and Infosecurity identify risk identification and risk assessment to be the most employed risk management steps in their organizations. Nor was I surprised to see that only 38 percent of respondents indicate that their enterprises have processes at either the managed or optimized level for risk identification. In my experience, this happens often due to the suboptimal execution of the risk identification process.
As the report states in the Executive Summary, “Risk management is about optimizing risk rather than removing it entirely.” It has always been my belief that risk management serves two purposes. The first is to keep the enterprise from stepping unwittingly into a big pothole. The second is to provide the executive team with the last best piece of information required to optimize the use of risk capital across the enterprise.
In order to successfully deploy an enterprise risk framework across an organization, it is always best to be practical and expedient to the extent allowed by your regulatory environment. Where I have seen this go wrong most often is in the deployment of an enterprise-wide risk assessment. I’ve seen instances where an enterprise assessment completely missed accounting for the biggest risks, usually produced by enterprises that do not have the right participation from top management. Further, I’ve seen enterprise assessments get so detailed as to tie the organization into knots. A friend in the consulting business told me of a project in which an unnamed regional bank was in the process of unwinding a risk assessment that had paralyzed the institution with 52,000 items of identified requiring remediation. A risk assessment run amok ties up valuable resources in an endless loop leading to the suboptimal allocation of resources within the business as well as risk management.
Below are several (what I hope are) practical recommendations to try to avoid this phenomenon.
1. Big risks can be ignored when the right people aren’t in the room for the conversation. Start at the highest level within the organization and get the people in the room that own the risk from the top down. This keeps the right themes in play and avoids the well-meaning though less informed from dragging the exercise down to a mind-numbing level of tedium. A risk assessment needs to be the business or operating function’s view, guided and respectfully challenged by risk management. Including the right people in the process from the outset creates buy-in to and ownership of the results.
2. When constructing your risk assessment, keep to a five-box chart. Anything greater invites a significant amount of conversation parsing the shades of gray while providing immaterial benefit.
3. A risk assessment is NOT a SOX process. This is not about curing control deficiencies; this is about managing risk to an acceptable level after controls have been put into place. After you have determined the Residual Risk Rating in a risk assessment, there should be an evaluation as to whether or not a risk is “worth” fixing from a financial, reputational or strategic perspective.
4. In your enterprise risk framework, include a formal Risk Acceptance process. Here is where you may declare that as an organization any residual risks that end up in the lower-left quadrant may be risk accepted and no steps need be taken to cure. If this risk acceptance process is well documented, reasonable and supportable, it should pass muster with any regulator. A risk assessment should be reevaluated annually to keep an eye on risk migration.
5. Make sure that the Impact and Likelihood scales reflect the size and maturity of the organization and are clearly discussed and agreed upon by all participants through the risk governance process. This will help keep the minutia and disagreements from creeping into the process. Consult your finance team or head of investor relations (if publicly traded) to obtain a sense of what external constituents may feel is material when constructing a table for discussion. Another suggestion is to listen to your company’s earnings call, if publicly traded, and pay attention as to how earnings are discussed and the questions asked by the analyst community. It will tell you what rises to the level of materiality to your shareholders.
6. Agree that the risks in the upper right-hand quadrant of the Residual Risk chart have the highest priority with regard to mitigation strategies and deal with those first. Provide a reasonable expectation and timeframe for the moderate risks.
7. Be sure that executive management and the board agree and sign off on the results of the final risk assessment, including the scales used in your charts and the risk acceptance process.
An appropriate risk assessment process is a valuable tool in managing enterprise risk. Improperly deployed, it can result in poor allocation of resources. I am confident enterprises would prefer resources spent on mitigating material risk issues rather than doing risk assessments that add little marginal value. Enterprise Risk Management should be a partner with the business in ensuring an appropriate risk-adjusted return is made for the entity’s constituency. It is inevitable that a natural tension exists in that relationship, but reasonability, transparency and participation create buy-in into the process and ownership in the results.