3 December 2022

Enterprise Risk Management : Enterprise Risk Management common language

Enterprise Risk Management purpose

  • Enterprise Risk Management is now developing in a way that will enable risk management to make a contribution to the improved management of control risks and opportunity risks.
  • Enterprise Risk Management addresses both threats (negative impact) and opportunities (positive impact).

Risk management approach

  • History
    • The maturity of the risk management discipline is now such that the links with insurance are much less strong.
    • Insurance is now seen as one of the risk control techniques, but it is only applicable to a portion of hazard risks.
    • Risks related to finance, commercial, marketplace and reputational issues are recognized as being hugely important, but outside the historical scope of insurance.
    • Now we consider the nature of risk management and the established stages that build into the risk management process.
    • Historically, the term risk management has been used to describe an approach that was applied only to hazard risks.
  • Now
    • The discipline is now developing in a way that will enable risk management to make a contribution to the improved management of control risks and opportunity risks.
    • Risk management has well-established stages that make up the risk management process.
      • These stages build into valuable risk management activities, each of which makes an important contribution.
    • There are many ways of representing the risk management process, and each of the standards provides a slightly different description.

Principles of Enterprise Risk Management

  • Risk management operates on a set of principles, and there have been several attempts to define these principles.
    • British Standard BS 31100 sets out 11 risk management principles and the international standard ISO 31000 also includes a detailed list of the suggested principles of risk management.
    • The following list is a consolidated version of these documents.
    • It is suggested that a successful risk management initiative will be:
      • Proportionate to the level of risk within the organization;
      • Aligned with other business activities;
      • Comprehensive, systematic and structured;
      • Embedded within business processes;
      • Dynamic, iterative and responsive to change.
    • These five principles form the acronym PACED and provide a very good set of principles that are the foundations of a successful approach to risk management within any organization.
  • Recurrent projects have better-understood risks.

Enterprise Risk Management outcomes

  • When working together, risk management and internal audit should always concentrate on the outputs from the risk management process and the impact that is sought.
  • The contribution of risk management is to ensure a greater chance of the achievement of the objectives of the organization and this is also a stated intention of internal audit activities.
  • Overall, risk management/internal audit outputs are intended to achieve enhanced performance of the organization in three important areas:
    • efficacious strategy;
    • effective processes;
    • efficient operations.
  • These outputs will be achieved by ensuring minimum disruption to routine operations from hazard risks, together with selection of effective processes that are appropriate for the organization.
  • Selection of effective processes requires informed decision making and the successful implementation of projects.
  • Risk management and internal audit should work together to achieve these outputs.
    • The most important decisions taken by an organization relate to strategy.
    • Risk management and internal audit both have roles to play in helping the organization reach strategic decisions that result in the development of efficacious strategy.
    • Risk management should ensure that risk assessment workshops address strategic decisions and internal audit should evaluate the quality of the strategic decision-making processes.
    • The required outputs from risk management/internal audit can be summarized as compliance, assurance, decision making and efficiency/effectiveness/efficacy (CADE3).
  • Due regard should always be paid to the desire of internal audit to remain independent in their activities.
  • The need to retain this independence is another reason why internal audit should not become too closely involved in the executive role and responsibilities related to the management of a risk.

Risk management and Audit

  • When working together, risk management and internal audit should always concentrate on the outputs from the risk management process and the impact that is sought.
    • The contribution of risk management is to ensure a greater chance of the achievement of the objectives of the organization and this is also a stated intention of internal audit activities.
    • Overall, risk management/internal audit outputs are intended to achieve enhanced performance of the organization in three important areas.
      • Efficacious strategy
      • Effective processes
        • Ensuring minimum disruption to routine operations from hazard risks, together with selection of effective processes that are appropriate for the organization.
        • Effective processes require informed decision making and the successful implementation of projects.
        • Risk management and internal audit should work together to achieve these outputs.
      • Efficient operations
        • The required outputs from risk management/internal audit can be summarized as compliance, assurance, decision making and efficiency/effectiveness/efficacy.

Benefits of the risk management approach

  • There are no longer huge fires to put out every day; they are eliminated by risk response plans.
  • Risks are reviewed in every meeting, triggers are monitored and risks are addressed before they happen.
  • Normally, if a risk event does occur, there is a plan in place to deal with it.
  • Hectic meetings to develop responses are a rarity and are only needed when an unknown risk event occurs and requires the development of a workaround.

Risk management improvement

  • Risk management can improve the management of the core processes of an organization by ensuring that key dependencies are analysed, monitored and reviewed.
  • Risk management tools and techniques will assist with the management of the hazard risks, control risks and opportunity risks that could impact these key dependencies.

Risk management sophistication

  • At first, an organization may be aware of a new risk and the need to take appropriate action.
    • In that case, there will be a need for the organization to reform in response to the hazard risk.
    • As the organization responds to the risk, it will seek to conform with the appropriate risk control standards.
  • After this stage, the organization may realize that there are benefits to be obtained from the risk.
    • The organization will then have the ability to perform and view the risk as an opportunity risk.
    • The company will identify the actions necessary in order to reform its procedures, so that it complies with legal requirements.
  • The stages of reform, conform and perform represent increasing levels of risk management sophistication.
  • However, it is not necessary for a risk or the practice of risk management to progress from hazard to control to opportunity.
  • In fact, risks can regress in certain circumstances.
  • At any one time, a particular risk will be of a specific type in an organization.
  • Benefits can be obtained from the successful management of that risk at whatever level of sophistication is appropriate at the time.
  • In summary, risk management need only be as sophisticated as the organization requires in order to bring benefits.
  • There is a danger that organizations will become obsessed with risk management to the point that important decisions are not taken.
  • At this point, it may be said that too much attention and concern about risk and risk management will cause the organization to deform its operations.
  • Sophistication in summary:
    • awareness of non-compliance – REFORM;
    • actions to ensure compliance – CONFORM;
    • achieve business opportunities – PERFORM;
    • inactivity caused by obsession – DEFORM.
  • As the level of sophistication increases and risk management professionals become aware of the alternative approaches to risk management, they should value the contribution that can be made by other approaches.
  • The development in risk management approach can be summarized as follows:
    • Hazard management specialists may find that there has been a trend towards a desire to retain more insurable risks (and buy less insurance) as a result of a more holistic approach to risk management.
    • Control management specialists must not squeeze entrepreneurial spirit and effort out of the organization.
    • Strategic planners must recognize that risk management tools and techniques can contribute to better strategic decisions and the successful exploitation of business opportunities.

Risk maturity models

  • Risk maturity models can be used to measure the current level of risk culture within the organization.
  • The greater the level of risk maturity, the more embedded risk management activities will become within the routine operations undertaken by the organization.

Risk Governance

  • Risk governance looks at the complex web of actors, rules, conventions, processes, and mechanisms concerned with how relevant risk information is collected, analyzed and communicated, and how management decisions are taken.
    • Oversight of the entire risk management process.

OPA (Organizational Process Assets)

  • Standards, Policies, Procedures, and Practices
  • Organizational risk tolerances and thresholds
  • Methods to use to identify risks
  • Definitions of impact ratings to be used in the Perform Quantitative Risk Analysis process
  • Standard probability and impact matrix
  • Lessons Learned
  • Enterprise Risk Management Metrics

Lessons Learned Management

  • What went right?
  • What went wrong?
  • What would be done differently if the project could be done again?
  • Ensuring that lessons learned are captured on all projects and made available for use on other projects.

Enterprise Risk Management Metrics

  • Creation of metrics
    • Standards of performance that, once evaluated, tell how work is performing against the plan.
    • Monitoring and controlling risks.
    • Helping to monitor risk response plans.

The value and the future of risk governance

  • Risk governance practices bring to the table a more comprehensive picture of what other projects have faced and what risk response plans have worked the best on other projects.

Created : 04/01/2022

Updated : 19/05/2022