Enterprise risk management (ERM) is the recognized best practice for managing risks. The American National Standards Institute / American Society of Safety Professionals / International Organization for Standardization (ANSI/ASSP/ISO) 31000 standard provides guidance for this process. The standard defines risk as “the effect of uncertainty on objectives,” and risk management as “the coordinated activities to direct and control an organization in regard to risk.”
“An organization may use an ERM approach to make better decisions using a collaborative, accessible, consistent, and mission-focused decision-making process,” said Sara Gibson, Senior Risk Services Manager at Safety National. “It can also be great to proactively and consistently identify and manage key risks to achieve critical objectives and strategic goals. Furthermore, it can improve communication, and foster cooperation and innovation.”
A successful enterprise risk management approach requires the following three elements.
1. The program is designed with leadership commitment.
- Top leadership must commit by setting objectives and assigning resources and personnel.
- Leadership needs to convey the value to the organization and stakeholders.
- Leadership needs to communicate the program continuously and establish commitment throughout the entire organization.
- There should be a shared understanding of the organization’s mission, vision, and strengths to identify the most critical risks to the organization’s core values and strategic goals.
- Leadership should empower all employees to act as risk managers to evaluate and assess risks.
2. Identify risks with a strategic lens for both threats and opportunities.
Consider these questions:
- What must be achieved for a core value driver or new strategy to succeed?
- What assumptions are related to the organization’s core value driver or new strategy?
- What keeps you up at night? Relying on this question alone can overlook critical undiscovered risks, and the answers are often short-term, leaving out long-term and strategic risks.
3. Analyze, prioritize, and communicate risks.
- Categorize risks as strategic, operational, financial, reputational, or compliance-related, and assess how each might impact key value drivers in the short and long term.
- Prioritize risks based on their frequency and severity (risk register).
- Develop plans to lower the likelihood of adverse risks, or to take on more risk in areas where the organization is too risk-averse.
- Continue monitoring for changes and communicating throughout the organization.