9 November 2020, 20 minute read

A new look at how enterprise risk management can get you home for dinner

We see our email boxes filling up, our calendars overrun with meetings, and we struggle to manage all of the demands on our time. It’s difficult to focus on the vital few when there is a constant barrage of urgent issues competing for your time. Even on days when you answer dozens of emails and make countless decisions, you still feel like you haven’t moved the needle.

You begin to realize that you need an organizing principle to align yourself with your company on what is critically important. A well-run Enterprise Risk Management (ERM) program provides this clarity and ensures that you have the focus necessary to move your company, business unit, department or simply yourself forward in the most effective way.

When evaluating your ERM, it should be understood that this is not a legal or compliance exercise. This is a strategic process that should align your budgets, staffing matrices, and, at its core, how you and everyone else in the company allot their time.

You’ve heard the adage, “if everything is important, then nothing is important”; therefore, we need data and math to help determine how we are going to organize ourselves.

“The essence of mathematics is not to make simple things complicated, but to make complicated things simple.” – S. Gudder

When we have completed the data exercise, our risks and opportunities will be divided into four categories:

ERM categories

This division creates the alignment of budget, time and overall resources. We achieve this alignment by identifying at what level team members will be tasked with understanding what is occurring and to what level of detail.

ERM level of detail

You want the board/audit committee to be briefed on the most critical issues you are working on, but they do not need to crowd their agenda with a review of nascent risks, i.e., the “Operate” category. More importantly, this drives the time and focus at each level of the organization. Your goal is to prevent the “loudest” person or group from dominating your executives’ and your team’s agenda with an issue that the data says should be in the “Tolerate” category.

The organization’s focus should be on items under the “Improve” category, which should receive resources, budget and the attention of the most senior leaders. In turn, the management team should track and be aware of what falls into the “Improve” and “Monitor” categories. That does not mean that they are weighted equally. Instead, the management team should keep a watchful eye on issues in the “Monitor” category, as those are the likely risks that could derail them in the future.

The individual subject matter practitioners and departments should maintain awareness of all four types of risks, but again not equally. Similarly, they should be devoting resources toward the top risks. They should be mindful of items under the “Operate” and “Tolerate” categories, but their calendars, hiring decisions, budgets and overall attention should be scaled based on the seriousness of the risk.

If the organization is planning a new product launch, significant M&A or a push into a new geography, potential risks and opportunities should be brought forward and weighted to make sure they receive the necessary attention as part of the larger business plan. It is a significant mistake to confine your ERM to cybersecurity risks and legal exposure. It would be a missed opportunity to create alignment on where the organization is headed overall.

Once we have organized our data, we can apply the math. The equation for ERM continues to evolve, but the best formula seems to be [Probability * (Severity + Velocity) = Risk], with each of the three factors rated on a 1 to 5 scale.

Although this is a mathematical equation, there is a subjective element: each organization must decide how to distribute points and weighting to each factor. Below is one example showing how points could be distributed, but each organization must decide how best to capture and reflect the risk.

Severity Rating Scale (estimated total impact of the risk on the business, including out-of-pocket costs (fines, penalties), soft costs (brand damage, reputational effects, distraction of employees, etc.) and lost sales):

  1. No cost to business and no operational impact
  2. Total cost = 1-3% of annual sales and/or limited impact on operations
  3. Total cost = 3-5% of annual sales and/or some damage at individual customer/business partner level
  4. Total cost = 5-10% of annual sales and/or severe impact on business performance
  5. Total cost >10% of annual sales and/or catastrophic impact on business performance

Probability Rating Scale (estimated chance the risk will occur in calendar year 2017):

  1. < 5%
  2. 5-15%
  3. 15-50%
  4. 50-90%
  5. >90%

Velocity Rating Scale (how fast the risk's "Severity" will be experienced in the organization after occurrence):

  1. Severity will be experienced slowly, over 3 years after occurrence
  2. Severity will be experienced within the next 1-3 years after occurrence
  3. Severity will be experienced within the next year after occurrence
  4. Severity will be experienced within the next 6 months after occurrence
  5. Severity will be experienced very rapidly after occurrence, with little or no warning; instantaneous
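The scoring scheme above, worked through in code as an added example (not part of the original article): the three scales are encoded as band edges, the formula Probability * (Severity + Velocity) is applied, and a constructed register of four risks is ranked. The page does not say which band a value exactly on an edge belongs to, so the convention used here is an assumption and is stated in the comments; the sample risks and their numbers are invented for illustration.

```python
from bisect import bisect_left, bisect_right
from dataclasses import dataclass

# Band edges from the page's three rating scales. Assumption for values that
# sit exactly on an edge: a cost or chance on an edge (e.g. 3%, 15%) goes to
# the higher band; a time-to-impact on an edge (e.g. 6 months) stays "within".
SEVERITY_EDGES = (1, 3, 5, 10)       # % of annual sales; below 1% is "no cost"
PROBABILITY_EDGES = (5, 15, 50, 90)  # % chance of occurring in the calendar year
VELOCITY_EDGES = (0, 6, 12, 36)      # months until the severity is felt

def severity_rating(cost_pct_of_sales: float) -> int:
    """1-5 severity rating from estimated total impact as % of annual sales."""
    return 1 + bisect_right(SEVERITY_EDGES, cost_pct_of_sales)

def probability_rating(chance_pct: float) -> int:
    """1-5 probability rating from the estimated chance of occurrence."""
    return 1 + bisect_right(PROBABILITY_EDGES, chance_pct)

def velocity_rating(months_until_impact: float) -> int:
    """1-5 velocity rating: 0 months is instantaneous, over 36 months is slow."""
    return 5 - bisect_left(VELOCITY_EDGES, months_until_impact)

def risk_score(probability: int, severity: int, velocity: int) -> int:
    """The page's formula, Risk = Probability * (Severity + Velocity); 2..50."""
    if any(not 1 <= r <= 5 for r in (probability, severity, velocity)):
        raise ValueError("each factor must already be a 1-5 rating")
    return probability * (severity + velocity)

@dataclass
class RiskEntry:
    name: str
    cost_pct_of_sales: float
    chance_pct: float
    months_until_impact: float

def rank_register(register):
    """Score every entry and return (name, score) pairs, highest risk first."""
    scored = [(e.name, risk_score(probability_rating(e.chance_pct),
                                  severity_rating(e.cost_pct_of_sales),
                                  velocity_rating(e.months_until_impact)))
              for e in register]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed sample register; the entries are illustrative, not from the page.
SAMPLE_REGISTER = [
    RiskEntry("Ransomware outage", 7.0, 40, 0),
    RiskEntry("Vendor contract dispute", 2.0, 60, 18),
    RiskEntry("New-geography regulatory change", 12.0, 10, 30),
    RiskEntry("Office lease renewal", 0.5, 95, 9),
]
```

Note that the high-velocity, mid-probability ransomware entry outranks the near-certain but low-severity lease renewal, which is exactly the separation between "Improve" and "Tolerate" work that the article is after.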

It is very important that your organization continues to analyze its ERM. If done appropriately, those risks in the “Improve” category should not dramatically change from quarter to quarter. Change that happens too frequently would whipsaw an organization and make focus and planning impossible. That said, the organization should always be challenging its assumptions.

In order to maintain a good registry of risks, we recommend that the group that administers the risk process look internally and externally to develop a tight Quarterly Risk Profile.[1] Specifically, we recommend they do the following three things:

  1. Quarterly interviews of the functional leads, e.g., HR, IT, legal, internal audit, etc., to determine what they are seeing as the top risks
  2. Scout externally at conferences and white papers for risks that other organizations are noting
  3. Evaluate whether new risks affecting a single group warrant testing across the broader team

The Quarterly Risk Profile should be a tight document, likely not greater than five pages in length, that is distributed to the management team or business unit, depending on the size of your organization. Your organization should consider the risks quarterly at its management team meeting and then assign points to determine if one of the new risks should fall within the matrix. This should be considered very carefully, as any additions or subtractions should lead to discussions of budget dollars, human resources and the organization’s time.

Through determined focus on a rigorous ERM, a company can benefit from the ability to respond thoughtfully to risks as they present themselves, but it also should be able to alleviate the burden on emails, calendars and agendas – items in the “Tolerate” or “Operate” categories do not require the same focus and attention. By decluttering the organizational landscape, you are naturally creating discipline that will ultimately lead to a responsive and dynamic company – and more importantly get you home in time for dinner.

This publication is not, and should not be used as, a substitute for legal advice. No reader should act, or refrain from acting, with respect to any particular legal matter on the basis of this publication and should seek legal advice from counsel in the relevant jurisdiction.

For more information on this topic, please contact the author.

[1] The group that should administer the ERM process is out of scope for the purposes of this paper, but an organization should carefully consider who is responsible as that will send a significant signal as to the importance of the overall process.
