Risk Identification and Accountability


Responsibilities for identifying, communicating and addressing risk must be clearly defined and communicated so that each
individual knows whether they can address the risk themselves (or make decisions on addressing the risk), or whether they
need to escalate the risk to another individual (and, if so, to whom).

A clear framework for accountability provides the board with assurance that management is on top of things and that
important risks are being managed effectively and, where necessary, escalated.
Such a framework strengthens ownership for delivery, but it will only be effective if responsibilities have been clearly defined
so that it is possible to challenge and hold individuals to account. Similarly, a clear framework for accountability will provide
the leadership with assurance that the performance of the operational teams is in accordance with expectations and that
risks are being managed effectively and will be escalated where necessary – see Table 3.6.

A focused, systematic and integrated approach recognizes that all decisions involve management of risk, whether in routine
operations or for major initiatives involving significant resources. It is important that the risk management process be
applied at all levels, from the organizational level to programs and major projects to local systems and operations.

To kick off implementing an integrated Enterprise Risk Management approach, the organization should assemble a project
team and a steering committee, and adopt a charter. A project charter clearly establishes the objectives: what the project team
plans to deliver and in what time frame. Although Enterprise Risk Management (ERM) is a process, the charter recognizes
that this is a project with a defined time span and deliverables that will recommend the best ways to move forward.

Since ERM is ultimately strategic in nature, it will never succeed without support from the CEO and other C-suite officers;
this is where a steering committee is useful. Before embarking on implementation, it is necessary to determine which
risk framework and model is most appropriate. The COSO ERM model is comprehensive and useful, particularly for large
organizations with significant resources. Many organizations, however, need a simplified approach. Start with the one
detailed in Table 3.5.

A common understanding of key terms is also necessary so that stakeholders are on the same page when it comes to
comprehending risk, risk management, and enterprise risk management. […] point will not happen in most organizations, unless
they have significant resources and project management skills in abundance and sophisticated tools to support the
process.

Risk Assessment and Analysis


The risk assessment and analysis activities assist the effective and efficient operation of the organization by identifying those
risks that require attention by management. This facilitates the ability to prioritize risk control actions in terms of their
potential to benefit the organization.

There are a number of tools that could be used to undertake risk analysis. Most organizations, however, rely heavily on
spreadsheets and other documents that are stored on personal computers throughout the organization and frequently use
email to informally communicate priorities, issues and results. The problem with this approach is that it inherently carries its
own risks: information may get lost if a person leaves; information may not get communicated to the right people;
information may be hoarded; and the holistic picture needed of risks may not be possible with a disparate and dispersed
repository of risk information. Using an automated system to manage risk assessment and control compliance helps
streamline the process and align the disparate activities and people involved across the organization.

There are a number of techniques for risk assessment and analysis that can be used; some of the more common ones
include:
• Risk maps: summary charts and diagrams that help organizations identify, discuss, understand and address risks by
portraying sources and types of risks and the disciplines involved/needed.
• Modelling tools: such as scenario analysis and forecasting models to show the range of possibilities and to build scenarios
into contingency plans.
• Qualitative techniques: such as checklists, questionnaires, and self-assessment to identify and assess risks.
• Workshops and brainstorming: collecting and sharing of ideas, with discussions around events that could impact the
objectives, stakeholder expectations or key dependencies.
• Inspections and audits: physical inspections of premises and activities and audits of compliance with established systems
and procedures.
• Flowcharts and dependency analysis: analysis of processes and operations to identify critical components that represent
potential risks.

The risk assessment needs to be quite broad and capable of addressing a range of risks, as highlighted in Fig. 3.7.

Risk Treatment
Risk treatment is presented in ISO 31000 as ‘the activity of selecting and implementing appropriate control measures to
modify the risk’. Risk treatment includes, as its major element, risk control (or mitigation), but extends further to, for
example, risk avoidance, risk transfer and risk financing. Any system of risk treatment should provide efficient and effective
internal controls. The effectiveness of an internal control is the degree to which the risk will either be eliminated or reduced by the
proposed control measures.
Effective risk management is not about showering money or imposing draconian controls, but about achieving the most
effective and efficient use of risk treatment activities.

The range of available risk response treatments includes:


• Tolerate: where the analysis suggests the risk is within the tolerance limits set by the board or leadership
• Treat: where the analysis suggests that some mitigation action is required to bring the level of risk down to within the
limits set
• Transfer: where the analysis may suggest it is not feasible to try to instigate action to bring the risk down, in which case
the risk may be transferred to another entity: usually an insurance provider
• Terminate: where the analysis suggests the risk is too high and cannot be mitigated to an acceptable level effectively, and
therefore the activity that generates the risk itself may be terminated; that may of course carry its own risks, which will need
to be evaluated

Organizations should consider comparing their inventory of current risk responses to their top ten priorities. Once you know
the top ten risks that can impede achievement of your organization’s objectives, along with the risk response activities
currently being conducted, you can compare the two lists. Which risks are being adequately managed? Which are missing
from the radar screen? Where is an initiative already in place to better understand and manage risks? Once the gaps in risk
response have been identified, the next step is to develop an approach to closing the gaps. This begins with prioritizing
which gaps have the greatest potential to derail achievement of the organizational objectives.
Which would require the greatest deployment of human or financial capital?
Which ones would demand outside resources?
Which ones could be accomplished in the shortest time?

What most organizations will find is that many elements of an organization’s existing structure may well be sufficient and
should be retained, but significant gaps are likely to be found. These may be in risk management leadership, risk assessment
methodology, specific technical skills, common processes, or technology capabilities. Having identified these gaps, it is
important to close them. Weighing urgency against resource requirements, organizations can then develop specific
strategies to close the most critical gaps.
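The triage and gap comparison described above, as an added example rather than anything from the book: each risk is scored as likelihood × impact, mapped onto tolerate/treat/transfer/terminate against board-set limits, and the top-ten risks are compared with the inventory of current responses. The limits, the five risks and the response inventory are constructed for illustration.

```python
from dataclasses import dataclass

# Board-set limits (constructed for this example): a score at or under TOLERANCE is
# tolerated; a score at or above TERMINATE_AT is treated as not mitigable to an acceptable level.
TOLERANCE = 6
TERMINATE_AT = 25


@dataclass
class Risk:
    rid: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)
    insurable: bool = False  # a transfer option (e.g. an insurer) exists
    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def suggest_treatment(risk: Risk) -> str:
    """Map a scored risk onto the four treatments: tolerate / treat / transfer / terminate."""
    if risk.score <= TOLERANCE:
        return "tolerate"
    if risk.score >= TERMINATE_AT:
        return "terminate"   # reconsider the activity that generates the risk
    if risk.insurable:
        return "transfer"
    return "treat"


def gap_analysis(register, responses, top_n=10):
    """Compare the top-N risks with current responses (risk id -> "implemented" / "in_progress")."""
    top = sorted(register, key=lambda r: r.score, reverse=True)[:top_n]
    report = {"managed": [], "initiative_in_place": [], "missing": []}
    for r in top:
        status = responses.get(r.rid)
        if suggest_treatment(r) == "tolerate" or status == "implemented":
            report["managed"].append(r.rid)
        elif status == "in_progress":
            report["initiative_in_place"].append(r.rid)
        else:
            report["missing"].append(r.rid)  # off the radar; already ordered by score
    return report


# Constructed sample register and response inventory (not real data).
SAMPLE_REGISTER = [
    Risk("R1", 4, 5),                   # ransomware on file servers
    Risk("R2", 2, 4, insurable=True),   # flood damage to main office
    Risk("R3", 4, 4),                   # credential theft via phishing
    Risk("R4", 3, 1),                   # shared printer outage
    Risk("R5", 5, 5),                   # payment gateway out of vendor support
]
SAMPLE_RESPONSES = {"R1": "implemented", "R3": "in_progress"}
```

Gaps come out already ordered by their potential to derail objectives, because the register is sorted by score before the comparison.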

Risk Reporting, Monitoring and Evaluation


ISO 31000 recognizes the importance of feedback by way of two mechanisms: monitoring and review of performance; and
communication and consultation, although both may be interrelated.
Monitoring and review ensures that the organization monitors risk performance and learns from experience. Risks and risk
response activities should be monitored to ensure that significant risks remain within acceptable risk levels, and that
emerging risks and gaps are identified and that risk response and control activities are adequate and appropriate. Internal
audit and the audit committees (or another committee delegated to by the board) play an important oversight role in
confirming that management is monitoring and managing risks in accordance with established levels. Indicators that fall
outside of acceptable risk levels should be escalated with appropriate action plans to bring the risks back within established
risk levels. Those risks that still remain above acceptable risk levels should be considered by the board for their approval of
any necessary resolution strategies. It is also helpful to ‘quantify’ the aggregate exposure of significant risks (or specified
subset of risks) in terms of potential impact on the achievement of strategic objectives. While this is often subjective and
may be difficult to determine, it does help indicate any material change in risk levels from one period to another and could
identify potential risks that may not otherwise be fully noted. It also helps to confirm that the level of aggregate risk
exposure is within the established risk appetite as set out in the risk policy by the board.
It is important to distinguish Key Performance Indicators (KPIs) from Key Risk Indicators (KRIs). Both management and
boards regularly review summary data that include selected KPIs designed to provide a high-level overview of the
performance of the organization and its major operating units. These reports are often focused almost exclusively on the
historical financial performance of the organization and its key units and operations. It is, however, important to recognize
that these measures may not provide an adequate ‘early warning indicator’ of a developing risk because they mostly focus
on results that have already occurred.
While KPIs are important to the successful management of an organization, senior management and boards also benefit
from a set of KRIs that provide timely leading-indicator information about emerging risks. Measures of events or trigger
points that might signal issues developing internally within the organization or potential risks emerging from external events, such
as macroeconomic shifts that affect the demand for the organization’s products or services, may provide rich information
for management and boards to consider as they develop and execute strategies within the organization.
The board, audit committee and senior management should require the results of the ERM process to be reported to them
in their oversight capacity and to gain assurance that risks are being managed within approved risk levels.
At a minimum, reports to the audit committee (or other designated committee) and/or board should:
• Summarize the nature and magnitude of significant risks;
• Highlight all significant risks and those risks that exceed their acceptable risk levels;
• Identify the timeframe and status of any additional risk management activities that may be required to bring risks within
approved risk levels;
• Identify any negative trends in higher-risk areas and any changes to risk management activities;
• Highlight any new risks, including their risk assessment, risk response and management activities;
• Identify any material emerging risks; and
• Summarize any exceptions to established policies or limits for key risks.

On a periodic basis, the board should review all high-risk areas (even those that are appropriately mitigated within
acceptable levels) in order to have a full understanding of all the significant risks facing the organization.
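The monitoring and reporting cycle above, as an added example that is not from the book: two period snapshots of the register are compared to find new risks, negative trends and risks above their acceptable level (which need an action plan), KRIs are checked against their trigger points, and the aggregate exposure is tested against the board's appetite. The snapshots, KRI readings and appetite are constructed values.

```python
# Constructed inputs (not real data):
#   PRIOR / CURRENT: risk id -> (score this period, acceptable level set for that risk)
#   KRIS:            leading indicator -> (latest reading, trigger point)
#   APPETITE:        the board's aggregate ceiling from the risk policy
APPETITE = 40
PRIOR = {"R1": (12, 15), "R2": (8, 10), "R3": (6, 10)}
CURRENT = {"R1": (16, 15), "R2": (8, 10), "R3": (4, 10), "R4": (9, 8)}
KRIS = {"phishing_click_rate_pct": (7.5, 5.0), "patch_backlog_days": (12, 30)}


def monitoring_report(prior, current, kris, appetite=APPETITE):
    """Assemble the minimum content of a board / audit-committee risk report."""
    rpt = {"exceeds_limit": [], "negative_trend": [], "new": [], "kri_triggered": []}
    for rid, (score, limit) in sorted(current.items()):
        if rid not in prior:
            rpt["new"].append(rid)              # needs assessment and a response
        elif score > prior[rid][0]:
            rpt["negative_trend"].append(rid)   # higher than last period
        if score > limit:
            # escalate with an action plan; if it stays above its level the
            # board must approve the resolution strategy
            rpt["exceeds_limit"].append(rid)
    for kri, (reading, trigger) in kris.items():
        if reading > trigger:                   # leading indicator crossed
            rpt["kri_triggered"].append(kri)
    now = sum(score for score, _ in current.values())
    before = sum(score for score, _ in prior.values())
    rpt["aggregate_exposure"] = now
    rpt["change_since_prior"] = now - before    # material change period to period
    rpt["within_appetite"] = now <= appetite
    return rpt
```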

Element: Ensuring Continuous Risk Management Learning


Continuous learning is fundamental to more informed and proactive decision making. It contributes to better risk
management, strengthens organizational capacity and facilitates integration of risk management into an organizational
structure. A supportive work environment is fundamental to continuous learning. Valuing learning from experience, sharing
best practices and lessons learned, and embracing innovation and responsible risk taking characterize an organization with
a supportive work environment.
Since continuous learning contributes significantly to increasing capacity to manage risk, the integration of learning plans
into all aspects of risk management is fundamental to building capacity and supporting the strategic direction for managing
risk. The critical challenge is to show that risk is being well managed and that accountability is maintained while recognizing
that learning from experience (mistakes) is important for progress.

Risk Management Checklist


Building on what needs to be included within a risk management policy, Table 3.7 highlights in a structured
manner the key elements that need to be considered for an appropriate integrated enterprise risk management framework
and what systems and structures need to be in place.

Control and Compliance Processes
Control is a broad concept that means different things to different people. The Chartered Institute of Internal Auditors (IIA)
definition explains it in concise terms as: “Any action taken by management, the board and other parties to manage risk and
increase the likelihood that established objectives and goals will be achieved. Management plans, organizes and directs the
performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved”. You will
notice this sounds very similar to risk management, which it is.
The control environment refers to the way the board and senior management set the tone of the organization. It is part of
the culture of the organization influencing how risk is viewed and how control enters the consciousness of the people. It is
an expression of the ‘way things are done’. Every organization operates differently, which is revealed through organizational
ethics, values, structure, reporting lines, authority, rules and the documentation of policy.

The IIA defines control processes as: “the policies, procedures and activities that are part of a control framework, designed
to ensure that risks are contained within the risk tolerances established by the risk management process”.
Governance all too often focuses on control and compliance, largely driven by legislation or regulation. However, control
and compliance can be a process that helps improve business performance more widely beyond those areas that are
governed by legislation and regulation. Often organizations forget to ask themselves the purpose of control.

There are therefore a range of control categories that may need to be addressed, some of which have received much attention
and have been largely driven by external influences, and others which have received less attention and are largely internally
driven – see Table 3.8.

The overriding challenge within the area of control and compliance is how you practically link policy and processes with
compliance in a manner that is not overly complicated, for the more complex you make the process, the less it will get used
and the less strategic alignment it will deliver. The only real mechanism for doing so is automation, where policies,
processes and controls are inter-linked, responsibility for each is assigned, and progress is monitored on a scheduled basis
automatically through software. In order to avoid redundant compliance activities, it is critical to create a matrix that
captures the relationships among business processes, the risks associated with those processes, the internal controls deployed to
mitigate the risks, the tests used to validate the effectiveness of the controls and, finally, the regulations or internal policies
to which the internal controls apply.
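The process–risk–control–test–regulation matrix just described, as an added example (not the book's own tooling): rows of a constructed matrix are cross-referenced to report risks with no control, controls with no validating test, and tests whose evidence already serves several regulations or policies, which is where redundant compliance activity is avoided. The processes, controls, tests and regulation labels are constructed for illustration.

```python
# Constructed matrix rows: (process, risk, control, test, regulation or policy).
# None marks a control or test that is not yet in place.
MATRIX = [
    ("Payroll", "Unauthorised salary change", "C-01 Dual approval", "T-01 Sample 25 changes/qtr", "SOX 404"),
    ("Payroll", "Unauthorised salary change", "C-02 Quarterly access review", "T-02 Review sign-off", "SOX 404"),
    ("Payroll", "Unauthorised salary change", "C-02 Quarterly access review", "T-02 Review sign-off", "Internal policy IT-7"),
    ("Customer onboarding", "Personal data disclosed", "C-03 Field-level encryption", None, "GDPR Art. 32"),
    ("Customer onboarding", "Identity fraud", None, None, "AML policy"),
    ("Backup", "Data loss after outage", "C-04 Nightly restore test", "T-04 Restore drill", "Internal policy BC-2"),
]


def analyse_matrix(matrix):
    """Cross-reference the matrix and return coverage gaps and shared evidence."""
    controls_by_risk = {}    # (process, risk) -> set of controls
    tests_by_control = {}    # control -> set of tests validating it
    regs_by_test = {}        # test -> set of regulations/policies it evidences
    for process, risk, control, test, reg in matrix:
        controls_by_risk.setdefault((process, risk), set())
        if control is None:
            continue
        controls_by_risk[(process, risk)].add(control)
        tests_by_control.setdefault(control, set())
        if test is not None:
            tests_by_control[control].add(test)
            regs_by_test.setdefault(test, set()).add(reg)
    return {
        # a risk the matrix knows about but nothing mitigates
        "uncontrolled_risks": sorted(r for r, cs in controls_by_risk.items() if not cs),
        # a control deployed but never validated, so its effectiveness is unknown
        "untested_controls": sorted(c for c, ts in tests_by_control.items() if not ts),
        # one test whose evidence satisfies several regimes: run it once, reuse it
        "shared_tests": {t: sorted(rs) for t, rs in regs_by_test.items() if len(rs) > 1},
    }
```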

There is no right or wrong approach to looking at control: it is more a case of developing a control environment that suits
your organization. Control is a means to an end, not an end in itself.

COSO explains that there are a number of components that need to work together within a control framework to help an
organization achieve its objectives (see Fig. 3.8).

An organization where all the components are working well and are embedded is more likely to achieve its objectives and
have a strong and sustainable future.
