Risk management has evolved and grown since its inception in the mid-20th century, as evidenced by the introduction of methodologies such as The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Enterprise Risk Management – Integrating With Strategy and Performance, the International Organization for Standardization’s ISO 31000, and the Basel Accords. Yet, only 23% of respondents describe their risk management program as mature in the American Institute of Certified Professional Accountants’ 2019 The State of Risk Oversight, conducted jointly with North Carolina State’s ERM Initiative. Additionally, the perceived level of maturity has declined over the past two years, and most organizations struggle to integrate their enterprise risk management (ERM) program with the strategy and objective-setting process.
Understanding and managing risk has tremendous benefits, as it helps organizations better prepare for the future. So why aren’t ERM programs more mature and better accepted? Most likely it is because organizations do not know how to develop a program or because they do not embrace risk management.
The current way of thinking about this practice should be challenged so that new ways of evolving it, and of managing strategic risk more effectively, can be discovered. My former organization developed and successfully implemented an ERM function, and I am currently using the same strategic program to build a function at Covetrus, an animal-health technology and services company. Building a systematic and strategic program at my former company was educational and rewarding, as it allowed my team and me to familiarize ourselves with many aspects of the organization.
Where to Begin
Before establishing the program, my team and I identified key points of concern that needed to be addressed during implementation:
- Risks were too generic to create measurable plans.
- Issues and controls were not systematically mapped to risks.
- It was difficult to quantify and qualify the impact to the organization.
- Progress tracking of risk remediation plans was not well-documented.
The program implementation was then divided into three phases spanning several years.
Phase 1: Pilot
During this phase, the team developed a detailed risk library and hierarchy that aligned with the organization’s life cycle, mapped issues and controls to risks to provide a real-time picture of the organization’s risk profile, developed measurable remediation plans for the top risks, and implemented centralized reporting.
Participation in the risk program initially was limited to the internal audit, vendor due diligence, and compliance teams. Some of the key steps taken to complete this phase included:
- Selecting an ERM standard. We decided on COSO’s updated ERM framework.
- Defining purpose, scope, roles, and responsibilities.
- Formalizing a risk-rating methodology.
- Developing a master risk library.
- Documenting a process for identifying risks, assessing severity, implementing responses, tracking, and reporting.
- Conducting initial risk assessments with critical areas.
The development of the risk library was vital, as it defined the program foundation and provided common terminology for all of the program participants. Over time, the team updated the library based on management feedback to customize it to the types of risk inherent to the organization. The team organized risks into a three-tiered hierarchy. At the top were the key enterprise risk areas, which follow the organization’s life cycle (see “Enterprise Risk Areas,” right).
Underneath each enterprise risk area, there are intermediate risks that represent the subfunctions of that risk area. Within each intermediate risk, there are individual risks that are potential events that can impact that business area. The individual risks are linked to processes, objectives, key risk indicators, financial losses, mitigating controls, incidents, and findings (see “Risks, Controls, Issues, and Remediation Mapping” below).
Mapping the more than 900 internal controls and issues to each individual risk took the most time, but it was the most important step. Mapping processes provided further insight into the ratings, which often are subjective. More specifically, the occurrence of an issue increased the likelihood, while the presence of compliant internal controls decreased the likelihood, of one or more risks occurring.
After the completion of this phase, we realized that we tried to accomplish too much in too short a time. For example, we defined the end-to-end risk process while simultaneously automating it via our risk management system. Looking back, we should have operationalized the process before introducing a tool.
Phase 2: Implement the Program
During phase 2, my team and I developed a formal risk management policy, fine-tuned the process, expanded risk assessments across all divisions, and established a governance committee. The team also brought other key risk management functions under the umbrella of the ERM program, including the business continuity, information security, legal, and patient safety teams.
The individual teams had their own governance committees, which were consolidated into a single governance, risk, and compliance team comprising executive leadership. This team met several times a year to discuss top risks and the status of remediation plans, and to escalate critical issues, as necessary.
Issue tracking from these key functions was consolidated into one consistent process and tool. This effort took one year, and we followed the same process for each team:
- Conduct current state analysis of processes, people, and tools.
- Normalize rating methodologies.
- Migrate all open issues and implement a process for identifying and tracking issues and remediation plans in the ERM system.
To ensure accurate risk tagging for these issues, we configured the tool to route any new issues to the risk management team for approval. Once a month we reviewed these issues, their root causes, remediation plans, and impacted risks, treating the review as a learning opportunity for both our team and the business.
Phase 3: Integrate ERM With the Strategy
Early in our process, we learned that a successful integration is dependent on the organization having a strategic approach for identifying, managing, and reporting on the strategy and objectives. Integration with the ERM program becomes just one of the steps in that process.
The integration process started with the definition of our risk appetite statements for each of the company objectives. For example:
- Objective: Develop new products and attract new customers.
- Risk Appetite: The organization will not make decisions that compromise its reputation by releasing defective new products that introduce security vulnerabilities and cause a customer data breach.
Next, the leadership team identified projects or initiatives that supported the organization’s objectives and strategy and included information such as opportunities, dependencies, resources, budget, and timeline. Coordination with the general and administration functions to discuss resource and budget needs, as well as any regulatory and compliance implications as a result of these projects, was necessary, as these dependencies could become risks to the objectives. This included human resources, legal, audit, and finance planning and forecasting teams.
The ERM team, partnering with leaders, identified additional risks at the project level. These risks were rated using the rating methodology and rolled up to the enterprise level. The prioritization and responses to the risks were aligned to the risk appetite statements. These statements also will guide the organization’s response to emerging risks that surface throughout the year.
Throughout this program, the team learned to work more productively with the organization so as to meet less resistance. From the start, we learned that discussions about risk, if not approached correctly, can be perceived as an attack on, and criticism of, the business.
As a result of this project, the team embraced a teaching and learning approach where we spend more time educating the organization about risk principles, which helped us better understand business and risks from the organization’s perspective. Collectively, the organization became more aligned with its risk profile.
Internal auditors can make a difference if organizations overcome their giving-up point. By giving risk management a try and not waiting for a big event to happen that forces internal auditors to adopt risk management haphazardly, they are doing right by their organizations. Progress cannot be made through fear.