As federal agencies begin to implement enterprise risk management (ERM) in their organizations, risk managers need to consider the “big picture” as they implement and mature their ERM efforts. Without proper planning and a maturity model goal, ERM efforts will be ineffective. Agency leadership must also be committed to spearheading the effort and acquiring competent resources that are dedicated to ERM.
ERM is not a one-size-fits-all approach. Each organization has a different mission, vision, size, and culture, and risk managers should keep this in mind as they implement strategies to sustain their unique ERM programs.
Solutions for implementing sustainable ERM programs
Risk managers can use an array of strategies to build tailored, enduring, and effective ERM programs:
Figure 1: Example ERM Strategy Development Approach
Developing and standardizing criteria for assessing risks: Agencies should develop quantitative and qualitative criteria to assess risks. Without defined, standardized criteria, it is impossible to compare the impact of risks across an organization. Most organizations rate each risk in terms of impact and likelihood. A basic “1 to 5” scale is sufficient for most organizations, with “1” being the lowest rating and “5” being the highest. Agencies may also include additional assessment criteria, such as reputational impact, vulnerability to risk, and speed of onset. These criteria ensure that risk managers use consistent standards to assess risks across their organizations.
Figure 2: Example of a risk heat map
Root cause analyses: It is ineffective to mitigate a risk if its underlying causes continue to occur. A root cause analysis helps process owners determine the true reason for the risk and take the appropriate actions to mitigate it at its source. Additionally, a root cause analysis helps risk managers understand which risks are systemic across the organization and whether those risks should be mitigated at the current level or escalated to leadership.
Risk interactions: Assessing how risks interact across an organization can give risk managers an enterprise-wide view of their risk environment. Risk managers can use the following techniques to assess risk interactions:
- Risk interaction maps generate a visual representation of identified risk interactions in real time
- Bow tie diagrams create a clear differentiation between proactive and reactive risk management
- Correlation matrices quantify, as coefficients, how strongly pairs of risk variables move together
Figure 3: Example of a simple bow tie diagram
Understanding how risks interact allows risk managers to employ the appropriate approaches to managing risks and facilitates reporting up to leadership. Performing a bow tie analysis requires stakeholders to identify potential risk events, threats, and consequences should the risk event occur. Consider the simplified, real-world example of driving a car. Driving a car can be a hazardous event, as threats to driving safety can include intoxicated or distracted drivers, inclement weather, and hazardous road conditions, while the consequences or negative outcomes may include accidents or fatalities.
Continuous monitoring and reporting: An organization’s risk appetite, tolerance, and threshold may change over time, and as a result, agencies should continuously monitor and report existing risks to leadership. Reporting can be top-down, bottom-up, parallel, or external. Risk managers can leverage different reporting tools to report on analysis, assessment, and trending of risks, such as:
- Enterprise view dashboards, which provide an overall view of the aggregated risk to the agency, with drill-down at the department/unit, objective, risk category, and risk statement levels.
- ERM progress dashboards, which allow for examination of maturity, trending of risk, quantification, and qualification of agency risks over time.
- Metrics dashboards, which allow for monitoring and tracking of the agency’s risk targets and risk performance using key risk indicators (KRIs) and key performance indicators (KPIs).
- Root cause dashboards, which allow for the examination of the drivers of high risk and tie them to specific causes or departmental areas.
Risk reporting enables increased visibility into the risk environment and adds value to the risk assessment and management process, allowing leadership to make strategic, data-driven decisions.
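Putting the standardized assessment criteria described earlier together with the enterprise-view reporting above, as an added Python example (not code from the article or from MorganFranklin): a constructed risk register is scored on the 1-to-5 impact and likelihood scales, placed on a heat map grid, aggregated per department for drill-down, and checked against an escalation threshold. The modifier weighting for reputational impact and speed of onset, the band cut-offs, and the threshold value are assumptions of this example.

```python
from collections import defaultdict
# Constructed sample risk register (not from the article): each entry is rated
# on the 1-to-5 scales described above, plus the optional extra criteria.
RISK_REGISTER = [
    {"id": "R1", "dept": "IT", "impact": 5, "likelihood": 4, "reputational": 4, "speed_of_onset": 5},
    {"id": "R2", "dept": "IT", "impact": 4, "likelihood": 2, "reputational": 2, "speed_of_onset": 3},
    {"id": "R3", "dept": "HR", "impact": 3, "likelihood": 3, "reputational": 1, "speed_of_onset": 2},
    {"id": "R4", "dept": "Finance", "impact": 2, "likelihood": 5, "reputational": 3, "speed_of_onset": 4},
]
SCALE = range(1, 6)
CRITERIA = ("impact", "likelihood", "reputational", "speed_of_onset")

def validate(risk):
    """Reject ratings outside the agreed 1-5 scale so scores stay comparable."""
    for key in CRITERIA:
        if risk[key] not in SCALE:
            raise ValueError(f"{risk['id']}: {key}={risk[key]} is outside 1-5")

def score(risk):
    """Base score is impact x likelihood (1-25). Reputational impact and speed of
    onset act as a modifier (weighting is an assumption of this example) so a
    fast-onset, reputation-heavy risk ranks above a slow one with the same base."""
    validate(risk)
    base = risk["impact"] * risk["likelihood"]
    modifier = (risk["reputational"] + risk["speed_of_onset"]) / 10  # 0.2 .. 1.0
    return round(base * (1 + modifier), 1)

def heat_map(register):
    """5x5 grid keyed (likelihood, impact) -> risk ids, the layout of Figure 2."""
    grid = {(lik, imp): [] for lik in SCALE for imp in SCALE}
    for r in register:
        validate(r)
        grid[(r["likelihood"], r["impact"])].append(r["id"])
    return grid

def band(risk):
    """Colour band of a heat map cell: high / medium / low by impact x likelihood."""
    s = risk["impact"] * risk["likelihood"]
    return "high" if s >= 15 else "medium" if s >= 8 else "low"

def enterprise_view(register, escalation_threshold=20.0):
    """Aggregate scores per department (drill-down level of the enterprise
    dashboard) and list risks at or above leadership's escalation threshold."""
    by_dept = defaultdict(list)
    for r in register:
        by_dept[r["dept"]].append(score(r))
    summary = {d: {"count": len(s), "max": max(s), "avg": round(sum(s) / len(s), 1)}
               for d, s in by_dept.items()}
    escalate = sorted(r["id"] for r in register if score(r) >= escalation_threshold)
    return summary, escalate
```

Feeding the register with a rating outside the scale raises a ValueError, which is the point of standardizing the criteria before any dashboard aggregates them.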
Automated risk assessment process: With emerging technology, risk managers should have a long-term goal to automate some processes to enable more efficient analysis and reporting. Automation helps agencies manage complex operations across multiple geographical locations and reduce workloads in resource-scarce environments. When agencies automate their ERM programs, they save on compliance costs and decrease inefficiencies associated with manually managing processes.
Taking an incremental approach, organizations can successfully build long-term, effective risk management programs by adopting the practices and tools discussed above. For more information on how MorganFranklin’s ERM experts can support your organization in developing an ERM strategy, visit our services page or contact us.