A useful report from RIMS on the state of risk management
My congratulations go to RIMS and the authors of their State of ERM Report 2015, Carol Fox and Steve Minsky.
The report has some interesting and valuable content. It is well worth taking the time to download and consider.
Let’s start with their definition of ERM. The report says:
RIMS defines enterprise risk management (ERM) as follows: Enterprise risk management is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.
Taking an enterprise risk management approach transitions beyond the traditional realms of risk management in that it:
1. Encompasses all areas of organizational exposure to risk (financial, operational, reporting, compliance, governance, strategic, reputational, etc.);
2. Prioritizes and manages those exposures as an interrelated risk portfolio rather than as individual ‘silos’;
3. Evaluates the risk portfolio in the context of all significant internal and external environments, systems, circumstances, and stakeholders;
4. Recognizes that individual risks across the organization are interrelated and can create a combined exposure that differs from the sum of the individual risks;
5. Provides a structured process for the management of all risks, whether those risks are primarily quantitative or qualitative in nature;
6. Views the effective management of risk as a competitive advantage; and
7. Seeks to embed risk management as a component in all critical decisions throughout the organization.
Later, they say:
Enterprise Risk Management (ERM) reduces uncertainty and, over time, improves the prospect of success for organizations that have risk management competency.
I like all 7 of the points in the list, especially the last one. While it is important to (as John Fraser says) take periodic stock of the more significant continuing risks, it is just as important (I would argue that it is more important) to embed the consideration of risk into every decision-making process across the extended enterprise. Risk doesn’t wait for a periodic review to change; instead, it is created or modified by every decision, every day.
Carol and Steve also promote the formal evaluation of the management of risk:
In today’s complex and interconnected world, companies are in need of a formal evaluation of the effectiveness and maturity of their enterprise risk management programs in order to achieve corporate goals, effectively respond to changing regulations, protect themselves from negative events or trends, and maintain (or improve) credit ratings for efficient borrowing.
In my view, the CEO should provide an assessment to the full board and/or the audit committee. In addition, the CAE should provide a formal report every year.
The report includes some recommendations for taking a risk management program to the next level. I would have liked to have seen more emphasis on:
- Effective, informed, and intelligent decision-making
- Improving the likelihood and extent of good things happening, and
- Breaking down the risk management silo and, instead, considering the management of risk part of effective management. Period.
I welcome your views.
For more of my risk management thoughts, please tune in to our upcoming free webinars.
Informative analysis, though there is nothing new to what you have been sharing for some time.
I would like to see them drop the “& Insurance” from their name as one of the barriers in the “growing-up” process for RIMS is divorcing itself from the insurance view of the world.
Also, the Chief Risk Executive (CRE) should be the conduit to the Board. The CAE’s involvement should be limited to an assessment of the CRE’s adherence to the organizational policies and procedures (no different from the Treasury, Legal and operational groups).
Frankly speaking, the report looks like yet another consulting bunch of buzzwords. There is nothing wrong, but its usefulness is limited.
In regards to the evaluation of the risk framework, I would suggest this should only be done if it’s meaningful. You make the comment that the CAE should provide a full report... on what? The formal framework, which you rightly point out is only really a small part of an organisation’s overall framework, or all of it? Currently, what aspects do CAEs mainly focus on? (I would suggest mainly the formal aspects.) Until such time as it is done properly, I do not see the value in the CAE doing a report. The reviews of risk management by external auditors in jurisdictions where they are required to validate a CEO and CFO also tend to focus on the formal risk management aspects. All these assessments and validations reinforce the very thing you say is wrong, i.e. that formal reviews and the reporting etc. are only a small aspect of an overall framework. The reality is, from a practical perspective, it can be difficult to validate and review an organisation’s overall framework covering both formal and informal aspects.
Great question, Glenn. I suggest that if risk is not managed effectively, there is even more reason to provide a formal report to the board or audit committee. How great a risk is there if you are driving without a clear view of what might happen? I cover the topic in my book, but it’s worth writing a blog (next week, probably) on how to assess the effectiveness of risk management.
A small detail, but ERM does not reduce uncertainty. For that we would need a crystal ball. It does, however, reduce the impact of uncertainty on the outcomes of decision making.
This information is well done. It looks a lot like the details in ISO 31000 with enterprise attached. It is valuable as an adjunct for a job description for an ERM. RIMS has one on their website, but it is somewhat limited. ERM is taking a foothold in organizations but needs to be useful as a management tool, not just an insurance buying process. I am assisting a very large not-for-profit in a search for an ERM professional, and this information is most welcome. Thank you.
“In my view, the CEO should provide an assessment to the full board and/or the audit committee. In addition, the CAE should provide a formal report every year.”
The CEO assessment is not independent, whereas the CAE assessment (overall opinion – Std 2450, not report) is.
This is a fundamental aspect of internal audit assurance services – “An objective examination of evidence for the purpose of providing an INDEPENDENT assessment on governance, risk management, and control processes for the organization.”
The results of the separate evaluations of the 2120 interpretation are vital in Planning Considerations (Std 2201).
Before providing assurance services, internal auditing should insist on a self-assessment.
Before receiving an independent assessment, management and the Board/audit committee should also insist on the self-assessment which paved the way for the independent assessment.
It is a simple principle: if one does not know how to assess oneself, how does one know whether one’s performance is acceptable or not (especially when no one is looking)?