How an Effective Approach to Enterprise Risk Management can Improve Risk and Business Outcomes
By Peter Deans, Chief Risk Officer, Bank of Queensland
ERM offers a framework for effectively managing and assessing risks and uncertainty, both today and in the future. ERM is - at its core - a process of gaining a deep understanding of the risk DNA of an organisation. It does this by conducting an informed assessment of both individual risk categories, aggregated groups of common risks and the overall risk profile of a business unit or organisation.
ERM has in many ways been the convergence of a number of risk streams from disparate industries: insurance risk management from the insurance sector, financial risk management from the banking and finance sector, project risk management from construction and civil engineering and information technology risk management from the IT sector. In parallel, the risk management profession itself has developed – with many organisations having a dedicated risk management department and often a Chief Risk Officer.
ERM offers a framework for effectively managing and assessing risks and uncertainty, both today and in the future
The risks that organisations face are numerous. In larger organisations, organisational complexity brings with it a multitude of risks. The task of identifying and assessing risks alone is challenging, let alone thinking about how to mitigate a myriad of risks that are identified. For those organisations that have a dedicated risk management function, it is important is to leverage off the skills to strengthen the risk management practices.
For organisations commencing implementation of a holistic approach to ERM, the following key steps should be undertaken:
Develop a Risk Framework – A risk framework consists of a set of policies, processes, and systems to effectively develop fit-for-purpose ERM frameworks. There are numerous frameworks, templates and ‘how to guides’ available. This is the first step and possibly the easiest. As risk management matures in an organisation, the risk framework will also evolve.
Establish Ownership of Risks – Understand where the ownership of both individual risks and risk categories lie. Wherever possible, have the ownership as close as possible to the business activity or function. Ensure that the risk owners have a full understanding of the risks and are skilled and resourced to manage these risks.
Establish a Risk Rhythm - Develop an organisational-wide risk culture and rhythm. Strive to have risk identification, assessment, mitigation and reporting embedded as a core capability. Encourage the discussion of risk in all management forums, investment and project decision making, and business reviews.
Address Key Risks – Once the risk assessment exercise has been completed and specific risks identified, the final step is to develop and implement plans to address the key risks. Again, ensure that risk owners have a full understanding of the risks and are resourced to manage these. It is important to bring to life risk mitigation initiatives, rather than have the risks remain in a report not mitigated.
The above steps will start an organisation on the ERM journey and lead to improved business outcomes.