We use cookies and other similar technologies (Cookies) to enhance your experience and to provide you with relevant content and ads. By using our website, you are agreeing to the use of Cookies. You can change your settings at any time. Cookie Policy.

Manage Tomorrow's Surprises Today

Steven Minsky

RMORSA Part 5: Risk Reporting & Communication

Vote 0 Votes

Having standardized risk assessments and well documented mitigation and monitoring activities will equip your organization with a lot of risk intelligence. The question becomes, how do you report all of this information to your board and communicate it to your commissioner in a way that demonstrates the value of your ERM program? First, risk managers must be able to demonstrate how risks across the organization roll-up to impact the Board's strategic objectives; and second, ERM functions must track key metrics to validate the effectiveness of a formalized risk management approach.

Reporting on Critical Risks

Due to the limitations of spreadsheets, risk managers often have to choose between presenting actionable data that is too granular for the board, or presenting a high level summary, such as a top 10 risk report, which lacks the context of how risk within business process activities relate to the objectives that senior leadership and the board require.  However, a common risk taxonomy allows organizations to gather risk intelligence at the business process level, and aggregate it to a high level for senior leadership.

For the top risks across the organization, often risk managers must provide the more detailed underlying data, such as which business areas are involved, what their individual risk profile of the risk is, what the mitigation strategy is, and how the risk is being monitored.

The most commonly used method to determine top key risks is to rank risks based on the score from their assessment, this aggregate will depict which risks pose the most immediate danger to the enterprise, and should be reported on regularly. The second method uses your common language, root cause library to identify systemic risks. These are risks that have been identified by multiple departments, and may be more easily addressed with corporate wide policies or procedures rather than point solutions. And now that you have a complete and transparent mitigation library, you can publish out effective controls from one department to another, reducing overlapping activities in your organization and leveraging the practices in departments that are the most effective in managing risk.

The State of ERM

When demonstrating the value of your ERM program, take a step back to evaluate just how many risks have been identified, and how well risks are being evaluated and mitigated. The common standards established by an ERM program will significantly enhance your risk identification process by allowing you to prioritize efforts to the most important risks that have the least assurance of control effectiveness. You might find that over the past several quarters, the gap between the number of risks identified and those that have been addressed has grown. This isn't a concern, but rather a sign that your organization has a clear path forward and is beginning to understand its entire risk universe.

You can also track your progress with the ERM guidelines outlined in the RIMS Risk Maturity ModelProviding your executives, board or commissioner with a bi-annual report on the maturity of your ERM program will show which areas you've improved upon and what areas need focus going forward. The Model provides a repeatable process that enables internal audit to validate its quality and effectiveness. This same Model also has the benefit of enabling you to benchmark your program against others in your industry, providing a transparent, third party evaluation of where your organization stands.

Leave a comment

In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc. the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania’s Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.

Recently Commented On

Monthly Archives