A risk management process always starts in top-down mode. The enterprise risk management’s (ERM's) long journey begins between methodologies and fears of not achieving business objectives. Roughly speaking, we design a model, define metrics and establish how data are collected. As we proceed in the project, new people are involved. The size of the project tends to grow along with the amount of data.
When all the planning is finished, then the procedures are operational. Responsibilities are distributed, and the people involved begin to produce data. This is the stage where the explosion of data starts to create a data lake. The information collected is assembled with the metrics defined by following the organizational structure of the organization in a bottom-up manner. Therefore, we must freeze that lake and make it grow like an iceberg, and we will only worry about the tip of that iceberg.
Risk management is not like a mountain that does not change its shape quickly. It is like ice that takes on new forms and continues to adapt to the surrounding conditions. It is like the business that reviews its goals and its structure and redefines its procedures. The synthesis capacity must be very fluid to follow the evolution of the business structure without delay in focusing on the new priorities.
The ultimate goal is always to have a simple reporting to senior management so that they are able to understand the risk and address the circumstances that require risk mitigation. The clarity of the exposure is as important as the quality and timeliness of the information.
I have already talked about methodologies regarding risk analysis, risk assessment and links with internal audit in the Journal. The focus of my most recent Journal article is on the ability to dialogue with senior management. It also covers the difficulties of simplifying several concepts in the same presentation space, keeping them updated and simultaneously not losing the possibility of adding any additional detail if necessary.
The collaboration between the internal processes of corporate governance, such as internal control, internal audit and risk management, can be a key part of the success of risk monitoring. How to do all of this is explained in my Journal article.
Editor’s note: For further insights on this topic, read Luigi Sbriz’s recent Journal article, “Enterprise Risk Monitoring Methodology, Part 4,” ISACA Journal, volume 3, 2020.