Manage Tomorrow's Surprises Today

Steven Minsky

How to measure your Enterprise Risk Management effectiveness

We are often asked for insight on business measures or KPIs for ERM programs to track overall progress and effectiveness. 

The key question for risk managers is: how do I measure the value ERM is delivering to my organization? 

The following are examples of measures that quantify the value your ERM program is providing:

1. Number of systemic risks identified
Systemic risk identification will detect areas of upstream and downstream dependencies throughout your organization, such as when one area of the organization is unknowingly causing strain on other areas. This method can also identify areas that would benefit from centralized controls, eliminating the extra work of maintaining separate activity-level controls and increasing organizational efficiency.

2. Percentage of process areas involved in risk assessments
ERM is cross-functional in nature and cannot be done in silos. A business is the sum of its parts. The same is true of risk. A risk event in one functional area also affects other functional areas within the business. Process owners own the risk; risk managers own the completeness, timeliness, and accuracy of the risk information.  The more process owners involved in risk assessments, the more accurate and forward-looking the information collected will be, both of which are hugely valuable to the organization.

3. Percentage of key risks mitigated
Having a sense of your overall risk coverage is important; however, it is not nearly as valuable as knowing the coverage of your organization's key risks.  Because all risk assessments should be conducted on standardized criteria, you can determine a uniform tolerance, or cut level, throughout the organization based on the resulting assessment indexes. This will help you to prioritize resources to the risks that need stronger coverage, rather than wasting resources on risks that will have no major impact on your organization. This gap analysis with a tolerance level will also help you to identify emerging risks as they rise out of tolerance and it becomes clear that some mitigation activities in place are no longer sufficient.

4. Percentage of key risks monitored
Most organizations have no understanding of how the business measures that they rely on daily are tied to their risks.  If a risk or activity changes, organizations have no way of knowing how, and if, these changes will affect their metrics. Through risk assessments and linking risks to activities, organizations can start prioritizing what activities need to be monitored.  Regular risk assessments enable organizations to detect increased threat levels and identify new emerging risks before they materialize and bring business metrics out of tolerance.

Watch the 20-minute on-demand webinar "Streamlining Governance through ERM" to learn how to measure risk management effectiveness.

1 Comment

Every business should know to manage their risks. This will be possible only when they are better prepared and have knowledge of what's happening outside. Great post!

In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc., the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania’s Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.
