Manage Tomorrow's Surprises Today

Steven Minsky

What to Present to Your Risk Committee

user-pic
Vote 0 Votes

The RIMS Risk Management Society (LogicManager's co-author for the RIMS Risk Maturity Model) promotes the adoption of risk committees for organizations looking to formalize their enterprise risk management processes.

With more organizations adopting risk committees or similar governance groups, the question remains: What should risk managers present to their risk committee; or conversely, what should risk committees ask that their managers present to them?

Forrester Research, in their report on measuring GRC and ERM performance, identifies over 30 metrics for organizations use to assess the health of their risk management programs. Here are the 3 examples you should adopt immediately for your enterprise risk management program.

 

Level of Engagement in the Risk Management Process

Arguably, the level of stakeholder engagement is the best indicator to capture impact your program is having on the company's risk exposure. Without engagement, both from the front line and from senior management, your program is just another silo.

Engagement can be measured a number of different ways. You can look at how often reports are provided to leadership, how many employees are trained in the ERM process, or how frequently front line managers are updating their risk and mitigation environments. While the method may vary by organization, the goal should be to reach out to approximately 15-30% of the overall employee base according to your industry.

Try tracking how many individuals are involved in the risk management process, and measure that number against the 10-20% benchmark. If you're substantially below, it might be time to increase the scope of your risk assessment process to collect more data.

ERM Risk Committee Engagement
*from LogicManager

 

 

Risk Remediation Activates Approved for Implementation

Very simply, this metric captures what you are doing to manage the most critical risks you've identified. You should know what project has been approved, who is responsible for its execution, and the approximate date the mitigation activity will go into effect.

If your risk management program isn't tracking a similar metric or doesn't have responsibility for executing these activities, keep in mind that nearly all approved governance activities are practices in mitigation. Whether it's a policy change or procurement of new security software, your risk management program should be able to provide context to which project is of the highest priority, and doing so will provide your program clout from a strategic decision making perspective.

From the LogicManager GRC Health Check Report
*from LogicManager

Upcoming Risk Management Activities

We've covered a few indicators that demonstrate what your program has done and is doing, but what about what it will do? What activities are on the radar for your risk management team? Who will you be working with? Risk management is built on 90 days wins, so knowing what's next is of the utmost important in establishing the viability and sustainability of any risk management program.

The risk management committee should be able to provide guidance and feedback on what other departments may be struggling with. There are countless examples of how risk management may be able to assist and integrate with the governance silos of your enterprise, the risk committee should help you establish which one is of the greatest priority.

 

From the LogicManager GRC Health Check Report
*from LogicManager

LogicManager's customers are provided a health check that can measure the effectiveness of their program in even the first month of implementation. Download our eBook on reporting risk management to your company's Board of Directors, for more examples or check out our ERM Healthcheck Plugin. You can learn more about our ERM software here.

2 Comments

| Leave a comment

Thanks for this information, I'm a manager of a company in Turkey,I wonder that: the corporate culture, processes and structures trying to realize the potential opportunities, how can we manage the negative effects? How can I apply this systematic process to my company? Thanks again.. http://altiniciziyorum.com/

Thanks for this information, I'm a manager of a company,I wonder that: the corporate culture, processes and structures trying to realize the potential opportunities, how can we manage the negative effects? How can I apply this systematic process to my company? Thanks again..

Leave a comment

In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc. the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania’s Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.

Recently Commented On

Monthly Archives

Blogs

ADVERTISEMENT