PRESENTING ERM TO THE BOARD
Increased Need for ERM Reporting
2 Goals of Risk Management Reporting
4 Useful Presentations of Risk Information
How Do You Get Here?
The Future of ERM Board Reporting
Chapter 1
Increased Need for ERM Reporting
There is a time and maturity element to this spectrum of success: the more ERM
best practices that are implemented throughout the organization, the better the results.
These regulations, along with court cases like Stone v. Ritter that uphold
them, now hold Board members personally responsible for risk management,
even through their supply chains, so private companies are not exempt. Boards
are now given a choice between having effective risk management or disclosing
their ineffectiveness to the public. If they do neither, it is now considered fraud
or negligence, as not knowing about a risk is no longer a defense.
Chapter 2
2 Goals of Risk Management Reporting
Chapter 3
4 Useful Presentations of Risk Information
[Figure: risk plot comparing Actual against Tolerance]
In this example, the risk manager can clearly see that although several risks are identified for Cash Flow Predictability, the current failure to analyze risk
and performance metrics associated with strategy should be her top priority. It has a higher inherent risk, as displayed by its plot position in the
red background in the upper right corner, as well as a higher overall residual index score, as shown in the table. With a full picture of all the issues, we
can determine a key mitigation activity in order to resolve the underlying issues at hand.
By being able to make the connection between root cause indicators to the events or goals, you can present the information in a way the Board recognizes and can
easily understand. Your Board will be able to easily identify which business areas contribute to that concern or objective, and what the root cause issues are. This
makes your reports ACTIONABLE!
ERM is cross-functional in nature, and cannot be done in silos. Process owners own the risk and risk managers own the completeness, timeliness, and accuracy of the risk
information. The more process owners are involved in risk assessments, the more accurate and forward-looking the information collected will be, both of which are
hugely valuable to the organization.
Risk management does not stop at risk identification and assessment. It is critical to show the Board the state of ERM in terms of how many of the
risks identified and evaluated are covered by mitigation activities. Notice the gap between the red bar measuring the number of risks identified and assessed
and the green bar measuring the number covered by mitigation activities. Notice how the gap narrows quarter by quarter? This is how you show
the state of ERM, and how it has evolved over the past several quarters.
[Figure: bar chart of risks identified and assessed versus risks covered by mitigation activities, with the gap marked]
You can apply this same focus by filtering out low risks. This will show only the above-average risks, and the corresponding mitigation activities that directly
impact each of the organization's corporate objectives and corporate business performance.
How Do You Get Here?
Organizations need to build a robust risk taxonomy, which provides a holistic view of all information and relationships across
the organization. Risk taxonomy is the practice and science of naming, classifying, and defining relationships between
resources, risks, goals and business processes in the enterprise.
Once information is structured, the relationships within your organization are explicit, and assessments of this information
are carried out on the same standards and assumptions, the assessments become comparable and can be utilized cross-functionally
for more accurate and actionable risk management.
Risk managers should provide a common root cause risk indicator library to process owners so that when multiple areas choose the
same risk, systemic risks as well as upstream and downstream dependencies can easily be identified and mitigated. This method also
identifies areas that would benefit from centralized controls, so the extra work of maintaining separate activity-level controls is
eliminated.
In order to prevent a headache, we need to know why we have one. Armed with the knowledge of the source of a risk, we can proactively manage
risk and avoid future risk events. Mitigation activities should be aimed at root cause, and will differ depending on the source of risk.
In this simple example, it is easy to see why creating mitigation or control activities with the risk event or outcome, rather than the root cause, in
mind, can lead to very ineffective mitigation activities.
What the BOD and senior management know is that they want to avoid headaches. Your responsibility as risk manager is to determine what the
potential root causes of these headaches are, and find out who is involved.
To do this, we need to connect root-cause risks to corporate goals. You can get these strategic goals from the strategic plans, and other places
within your organization. The next step is to identify a number of root cause risks that could threaten to derail this corporate goal. Next, work
with business areas to connect their activities to the strategic goals they will roll up to. You can then choose which of the risks you identified are
applicable to their business area.
The Future of ERM Board Reporting
Instead of 10K and 10Q risk disclosures being isolated as legal and
compliance processes that are merely defensible risks lacking
context, these disclosures actually will need to make the