A useful report from RIMS on the state of risk management
My congratulations go to RIMS and the authors of their State of ERM Report 2015, Carol Fox and Steve Minsky.
The report has some interesting and valuable content. It is well worth taking the time to download and consider.
Let’s start with their definition of ERM. The report says:
RIMS defines enterprise risk management (ERM) as follows: Enterprise risk management is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.
Taking an enterprise risk management approach transitions beyond the traditional realms of risk management in that it:
1. Encompasses all areas of organizational exposure to risk (financial, operational, reporting, compliance, governance, strategic, reputational, etc.);
2. Prioritizes and manages those exposures as an interrelated risk portfolio rather than as individual ‘silos’;
3. Evaluates the risk portfolio in the context of all significant internal and external environments, systems, circumstances, and stakeholders;
4. Recognizes that individual risks across the organization are interrelated and can create a combined exposure that differs from the sum of the individual risks;
5. Provides a structured process for the management of all risks, whether those risks are primarily quantitative or qualitative in nature;
6. Views the effective management of risk as a competitive advantage; and
7. Seeks to embed risk management as a component in all critical decisions throughout the organization.
Later, they say:
Enterprise Risk Management (ERM) reduces uncertainty and, over time, improves the prospect of success for organizations that have risk management competency.
I like all 7 of the points in the list, especially the last one. While it is important to (as John Fraser says) take periodic stock of the more significant continuing risks, it is just as important (I would argue that it is more important) to embed the consideration of risk into every decision-making process across the extended enterprise. Risk doesn’t wait for a periodic review to change; instead, it is created or modified by every decision, every day.
Carol and Steve also promote the formal evaluation of the management of risk:
In today’s complex and interconnected world, companies are in need of a formal evaluation of the effectiveness and maturity of their enterprise risk management programs in order to achieve corporate goals, effectively respond to changing regulations, protect themselves from negative events or trends, and maintain (or improve) credit ratings for efficient borrowing.
In my view, the CEO should provide an assessment to the full board and/or the audit committee. In addition, the CAE should provide a formal report every year.
The report includes some recommendations for taking a risk management program to the next level. I would have liked to have seen more emphasis on:
- Effective, informed, and intelligent decision-making
- Improving the likelihood and extent of good things happening, and
- Breaking down the risk management silo and, instead, considering the management of risk as part of effective management. Period.
I welcome your views.
For more of my risk management thoughts, please tune in to our upcoming free webinars.