In 2017, COSO published “Enterprise Risk Management Framework: Integrating with Strategy and Performance,” an updated framework for audit, risk, and compliance professionals to leverage in developing their risk management plans. The framework defines enterprise risk management (ERM) as the “culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.”
Today, risks are growing in complexity and volume, rendering the need for ERM more important than ever. Evolving cybersecurity threats, political, social, and economic fluctuation, and external risk events, including the 2008 global financial crisis and the 2020 COVID-19 pandemic crisis, point to the need for mature ERM practices to help the organization manage its response to strategic risks — the risk exposures that are most consequential to the organization’s ability to execute strategy and achieve its objectives.
Building a strategic risk management plan requires thorough preparation and involvement from management and the Board. The following is a step-by-step guide for audit, risk, and compliance professionals to build an enterprise risk management plan that can evolve and mature with the organization.
1. Familiarize with risk management framework examples and guidance.
Whether your risk management effort sits with the audit, risk, or compliance team, it is important for all involved parties to familiarize with ERM guidance documents widely available to the industry. Some examples of risk management frameworks commonly employed by audit, risk, and compliance professionals include:
- COSO ERM framework
- Creating and Protecting Value
- ISO 31000
- RIMS Risk Maturity Model (RMM)
- The IIA’s International Professional Practices Framework (IPPF)
- The Open Compliance and Ethics Group’s Red Book
2. Conduct risk management planning education and discussion sessions.
ERM is not a separate activity with its own objectives, but an integral part of the organization’s strategy setting and performance processes. For this reason, risk management planning requires the involvement of the Board and management. The Board is responsible for putting pressure on the CEO to identify those risks inherent in the business’s strategy, in addition to monitoring the organization’s risk culture. Management, with input from the Board, is responsible for identifying, managing, and monitoring strategic risks.
However, the responsibility to engage management and the Board in ERM discussions lies with the audit, risk, and compliance professionals leading the organization’s risk management efforts. In order to solicit management’s and the Board’s required involvement in ERM planning, the risk function must proactively educate leadership regarding the importance of strategic risk management. During education and discussion sessions, the risk management team should aim to:
- Establish the objective of the risk management plan is to help the organization execute its strategy and achieve its objectives.
- Communicate the importance of embedding ERM into strategy.
- Provide examples of mature risk management practices.
3. Set a formal agenda item to discuss ERM strategies, objectives, and expectations.
Set a formal agenda item with senior leadership to discuss the role that risk management will play in the organization, as well as goals and expectations for the ERM program. A best practice is to identify an executive or Board member who will help drive ERM initiatives. Ideally, this risk advocate is already an embedded key player in the organization’s strategic planning process. It is also a best practice to establish an executive-level risk committee or working group to assist the appointed risk leader in driving risk management initiatives.
4. Perform a strategic risk assessment
Performing a strategic risk assessment will produce the information needed to begin developing your risk management plan. A strategic risk assessment involves identifying, understanding, and ranking the risks that are most consequential to the organization’s ability to execute its strategy and achieve its business objectives. This process, led by the risk leader and their team, is performed through surveys, interviews, and discussions conducted with management. The results of these assessments are then discussed among Board members and management in order to achieve consensus upon the top key risks facing the organization.
The appointed risk leader and their team can reference example models from risk management frameworks, such as COSO’s Return Driven Strategy Model (pictured below), as a first step in preparing to conduct the risk assessment. This encourages approaching the risk assessment with a strategy-centric attitude versus a risk-centric one. This is important because overemphasis on risk-prevention can hinder the business from taking risks that may be important for growth, and breed increasingly risk-averse cultures.
Source: Frigo, Mark L. and Richard J. Anderson, Strategic Risk Management for Directors and Management Teams (2011)
For a step-by-step approach to conducting a strategic risk assessment, view AuditBoard’s article here. What will emerge from the process is a risk profile of the organization’s top strategic risks, which should ultimately be validated and finalized with management and the Board before moving on to the next step.
5. Develop enterprise risk management action plans.
Once you have validated and finalized the top strategic risks, the next step is to develop your risk mitigation action plans. During this phase of planning, a best practice is to develop a risk management charter that outlines risk management roles and responsibilities, and delineates specifically when and how internal audit and compliance will be involved. This is important because risk, internal audit, and compliance teams often overlap in their roles, capabilities, and methodologies — and allowing duplicative roles to persist can compromise the value of risk management initiatives. The risk charter may also include a universal appendix of risk definitions and a unified taxonomy, such as how the organization defines inherent risks, residual risks, and strategic risks. This can further unite risk perspectives and eliminate differing interpretations that may affect risk response strategies.
Once risk management roles and responsibilities have been clearly defined, the responsible business group can use the five risk responses — accept, avoid, pursue, reduce, share — to determine the best response to each of the organization’s key risks and develop appropriate risk management action plans. For examples of risk response strategies appropriate for your key risks, refer to the framework that best suits your organization’s strategic risk profile. Once the risk management action plans have been completed, communicate the overall action plan and strategic risk profile with the business.
6. Leverage technology to centralize your risk management plan and streamline collaboration.
ERM is a collaborative, cross-functional effort that requires modern technology to execute effectively at each stage. How organizations choose to leverage technology can have a significant impact on the quality and impact of their risk management plan. Managing risk across a large organization can be complex and involve many moving parts. One benefit an ERM solution can provide is the template for a universal, real-time risk register. In theory, a risk register is a trusted, centralized location that houses all important information on your business’s key risks, as well as links to their correlating action plans and risk assessments. In a manual environment of spreadsheets, emails, and shared drives, managing a risk register is prone to version control issues and can easily lose credibility. An integrated ERM solution that is cloud-based and leverages a relational database — where updates made in one place cascade throughout the entire system — provides the platform for a trustworthy, real-time risk register.
Investing in an intuitive, integrated risk management software solution can help your organization maximize collaborative efforts between internal audit, risk, and compliance groups by centralizing all risk management activities in one place, from your risk assessments to your risk management action plans. In addition, it can help you automate the risk assessment process and provide visibility into risk trends and mitigation activities. To learn how AuditBoard can help you manage your risk management plan from end to end, contact us by filling out the form below.