The first step in the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) implementation, Risk Culture and Governance
, lays the groundwork and defines roles for your risk management function. The second step, Risk Identification and Prioritization, defines an ongoing risk intelligence process that equips an organization with the data needed for risk based decision making.
The engine behind this process - the enterprise risk assessment - isn't a new concept, but organizations are finding that the traditional, intuitive ideas for how to conduct risk assessments are inadequate. Too often, risk managers are interviewing process owners and collecting huge quantities of data, only to find that their top 10 risks are entirely subjective and lack any actionable component. And what good is a top 10 risk if you can't answer the inevitable question; what are you going to do about it?
Take a Root-Cause Approach
The key to this root cause approach is a common risk library, or Taxonomy
By categorizing risks, it becomes evident when more than one business area is expressing the same concern, allowing the risk management function to identify and address systemic risks.
Use a Single Set of Criteria
When engaging a variety of business areas for risk assessments, ensure you're using a single set of criteria. Often risk managers will begin with a monetary value that represents a critical loss, and they'll evaluate risks based on that amount. But consider how many process owners in your organization have the financial transparency to operate off of monetary values. Chances are, the answer will be very few.
To combat the lack of financial awareness, qualitative criteria is essential for operational risk assessments
. Create qualitative criteria that will apply to multiple functions. For example, a major risk--such as fraud or embezzlement--might result in a work stoppage, or result in a serious variation from an organization's business values.
Tell a Story to Your Board and Executive Leadership
The key to any good story is not only an identifiable villain (your top 10 risks), but also a damsel in distress (your company's strategic goals). Tying risks to strategic objectives allows you to demonstrate ORSA compliance by orienting your initiative to the executive objectives of the company. When the question is asked "why is this risk a priority?" your top 10 list won't exist in isolation, but will be mapped back to the priorities already set by the board.
Demonstrating risk-based decision making is one of the more difficult elements of ORSA compliance, but it can be accomplished by gathering meaningful, contextual risk intelligence with well-designed risk assessments.