An integrated risk function begins with setting a collaborative tone at the top. When executive leadership helps set a collaborative tone, this naturally drives more coordination and communication among the various groups involved in risk management, as well as helps to embed a risk-aware culture in the organization. If such leadership is missing, those in charge of risk management — e.g. audit, IT audit, risk management, information security, and compliance leaders — can proactively engage management by communicating the importance of an integrated, collaborative approach. The following are several ways to design such an approach within your business.
Designing a Collaborative ERM Process Checklist
1. Identify a senior executive or Board member to lead ERM strategy.
Though some Boards will be compelled to create the role of a dedicated Chief Risk Officer, this is not necessary for a successful ERM program. This individual can be the Chief Audit Executive, Chief Financial Officer, or Head of Strategic Planning. Ideally, this person will have a direct line to the CEO and be a key player in the organization’s strategic planning process, so that their influence and leverage guide strategic risk management decisions.
2. Take a top-down approach to your enterprise risk assessment by identifying the organization’s top strategies first.
From there, identify the key risks to the organization’s top strategies. This should naturally drive a dialogue about risk and opportunity as senior leadership decides how to collectively prioritize the business’s top risks. Best practice resources for guiding a strategic enterprise risk assessment process include:
3. Encourage senior management to use the risk assessment process to drive strategy.
The conversations about risk and opportunity are among the most valuable conversations for shaping business strategy, as they unite executives across the entire organization to share their unique perspectives in assessing opportunities (upside risk) as well as downside risk. Furthermore, when risk leaders guide senior management in risk assessment dialogues, it helps to ensure that the enterprise-wide risk appetite is understood across the leadership team, who will be more inclined to rely on it when making strategic decisions.
4. Develop a formal risk management charter.
The main components of this charter should include a clear definition of the organization’s risk appetite and ERM framework. In addition, this charter should outline risk management roles and responsibilities, specifically when and how the different risk groups (e.g. internal audit, IT audit, information security, compliance, etc.) will be involved in the risk management process.
5. Leverage ERM in the audit plan risk assessment.
The act of linking the audit plan risk assessment and enterprise risk assessment inherently requires internal audit and risk management groups to work together, helping to eliminate redundancies in identifying key risks while providing assurance that risks are being documented in a consistent way. Over time, this contributes to a more aligned view of the organization’s risk profile and a more consistent risk taxonomy.
6. Insist on a consolidated view of the company’s key risks and overall risk profile that is continually updated.
Enforce the use of a shared data model among risk functions to aggregate, manage, and report on risks in a coordinated manner. Leveraging cloud-based risk management software can assist risk functions in carrying out this step. By the same token, gaining senior management’s buy-in is also essential for approving budgets for investing in risk management technology. Ultimately, both are as connected as they are crucial to risk management effectiveness over time.
Get the downloadable checklist below, and for a deeper dive into the state of risk management in 2021 and ways to get ahead of this decade’s top risks, read our latest report, The State of Risk Management: A Tipping Point for Digitization.