Connect the Dots with Enterprise Risk: From the Boardroom to the Front Lines
March 13, 2025

Enterprise risks are interconnected, yet many organizations still manage them in silos. Businesses that can navigate the enterprise risk management (ERM) lifecycle and connect risk data can enhance their decision-making from the boardroom to the front lines. There are four components of the ERM lifecycle, and we’ll cover each to help you better connect your risks so you can protect and drive your business forward.
Part 1: Identification
The first phase of the ERM lifecycle, identification, begins by tying risks to a specific strategic objective, a measurable goal with a defined deadline. For example, a business might want to expand its geographical footprint and revenue. So, a sample strategic objective may read “Expand market presence by entering three new geographies within the next five years, achieving a 15% increase in overall revenue.”
The business can identify the risks associated with this objective using two components: the condition, or potential risk, and the consequence, or the risk’s impact. For example, one risk could be a failure to comply with regulatory requirements (the condition), which may result in delays, fines, and penalties (the consequences).
Once you know your risks, establish a taxonomy to help you organize them. The first taxonomy layer is typically the overall risk category. The second layer might include organizational risks that impact strategic objectives, financial performance, and long-term sustainability. The third level could entail a more granular risk statement that maps to multiple locations (if applicable) and business units.
Part 2: Risk Assessment
The second phase of the ERM lifecycle is risk assessment, a framework typically involving three components. The first is the criteria, which could consist of groupings such as the risk’s impact, significance, probability of occurrence, control strength, and velocity. The second includes rankings and definitions. The third, calculations, involves inherent risk (pre-mitigation activities), management control effectiveness, and residual risk (post-mitigation activities).
The output of this exercise is a formula. For example, a business might calculate:
Impact × likelihood − control strength = residual risk score
When a business benchmarks this score against its risk appetite—the amount of risk it’s willing to bear to meet its objectives—it increases the rigor and intentionality of its risk management function, making more informed decisions and achieving desired business outcomes.
Part 3: Response and Mitigation
The third phase of the ERM lifecycle is response and mitigation. The risk assessment is your blueprint for determining the appropriate risk response and mitigation steps, including accepting, deferring, avoiding, monitoring, transferring, or mitigating the risk. Organizations often develop a plan based on risk ranking, prioritizing risks with a high residual risk level. A quick response is critical when the impact and probability of these risks are high and the control environment is weak or ineffective.
From there, the risk team can create a mitigation plan detailing the steps to complete, the remediation owner responsible for each action, and the completion timeline, while documenting supporting files and tracking each action through to resolution.
Part 4: Monitoring and Reporting
The fourth and final phase of the ERM lifecycle is monitoring and reporting. Monitoring gives the risk team a real-time representation of how the risk genuinely performs within the organization. Key risk indicators (KRIs) are integral to monitoring a risk’s performance. The risk team can assign owners to KRIs to provide updated scores for a specific period and then review the historical trend of these values over time. While businesses can link KRIs to risks, they can also tie KPIs to strategic objectives. After completing the risk assessment, the risk team may want to automatically calculate or update the residual risk scores determined in the evaluation.
Organizations require different ways to review and report on their risk environment, including, but not limited to, assessment scores and the framework requirements tied to those risks, to get a complete picture. Risk teams generally need access to the following types of reporting:
- List views enable you to see all assessed risks. AuditBoard’s list views include the impact, likelihood, and strength of controls, the final risk scores, assessment comments, and mitigation plans. In addition, businesses can see those framework requirements, referenced controls, or other fields.
- Dashboards provide a high-level representation of the risk environment while allowing users to drill down into the specifics.
- Word-based reports incorporate assessment scores plus the relevant mitigation plans for the risk assessed over a specific period. Having a standardized report to share with the Executive Board while documenting details from the risk assessment is key to management alignment. The word-based report template in AuditBoard pulls in risk assessment scores and specific risk fields, all in a format that the Board can understand.
Successfully navigating the ERM lifecycle means pursuing a connected risk experience. By getting a complete view of your risks, controls, frameworks, policies, audits, auditable entities, and issues, you can fortify your organization’s risk strategy and decision-making.
Bo Kim is a Senior Manager of Customer Success at AuditBoard with over 11 years of experience in Audit, Risk and Technology. He began his career in public accounting at Moss Adams LLP, where he performed internal audits and managed all phases of SOX compliance for both pre-IPO and public companies. Bo has also worked at Amazon and led the Product Risk Assessment Tech Program for the retail business.
Alanna Cornelius is a Senior Software Trainer on AuditBoard’s Customer Experience team. Alanna has a range of software training experience, and leads instructor-led training sessions on AuditBoard Academy and for Advanced & Elite clients across SOXHUB, OpsAudit, RiskOversight, and CrossComply.
Rachel Feldkamp is an Implementation Manager on AuditBoard’s CAS Team and has been with the company for almost 8 years. She has implemented and advised on hundreds of customer use cases for RiskOversight and other modules and specializes in RiskOversight.