3.5 Enterprise-Wide Risk Management Process
An Enterprise-Wide Risk Management Process is a cyclical approach that allows an organization to manage all the risks that can have a positive (upside) or negative (downside) effect on it, rather than handling each category of risk in isolation.
The five steps of the Enterprise-Wide Risk Management Process, in sequence, are:
Scan the Environment
The first step is to examine the internal and external environments in which the organization operates, to see where risk can harm the organization or create opportunities. What is learned in this first step guides decisions about how the risk management process is aligned with the organization's objectives. If the organization's objective is fire safety, for example, the risk management process should be aligned with that objective by preventing fires and reducing their impact.
Risk management and the rest of the organization should share an understanding of what the risk criteria mean and how they align with the objectives. Risk criteria can be defined as the causes and effects of risk, the metrics used to measure those effects, the timeframe considered, the methods used to determine levels of risk, and the approach taken to combinations of risk.
Scanning the environment can also include looking at other organizations in the same sector and how they manage risk. For example, a police force that is establishing a formal risk management program would be wise to consult other police forces about the risks and opportunities they have encountered, since the same ones are likely to affect it.
Identify Risks
Risk identification is the second step in the Enterprise-Wide Risk Management Process. It involves compiling a list of the key and emerging risks that could affect the organization's objectives. In an enterprise approach, one risk will often extend into other risk quadrants. For example, an organization's carelessness with environmental stewardship would normally be classified as a hazard risk, since it could lead to harm to property or personnel, or to liability. The publicity resulting from the environmental event could also damage the organization's reputation, drawing in one or more of the other three risk quadrants (operational, financial, strategic).
Analyze Risks
Risk analysis is the third step in the process. The defined risk criteria are used to determine the source, cause, likelihood (frequency, probability) and consequences (impact, severity) of each identified risk. Analysis can be qualitative, quantitative, or a combination of both. Returning to the environmental example from Identify Risks, the physical harm caused by the event can be quantified and measured. The reputational damage is harder to measure and would more likely be expressed qualitatively.
Treat Risks
A risk assessment consists of identifying and analyzing risks; treating them is the fourth step in the process. Risk treatment comprises the strategies, controls and techniques implemented in response to the organization's risks, and more than one technique is often needed to address a single risk. For example, if a potential fire loss (the total level of risk) at a key distribution centre that has no sprinklers would drastically affect profits (the risk criterion), the organization should respond by installing a standard sprinkler system to reduce the impact of a fire. The residual financial impact of a fire can then be reduced further by purchasing guaranteed cost insurance for the distribution centre. Although a sprinkler system has a real upside, it also creates a downside: water may escape accidentally from the system, or someone may shut off its water supply. Addressing one risk has created another. The response to this new risk is to install a supervisory alarm that notifies personnel when the water supply to the sprinkler system has been shut off, together with low-pressure alarms that signal a drop in supply pressure and water-flow alarms that signal water moving through the sprinkler piping.
The Five Risk Responses Used to Treat Risks
- Avoid the risk
- Modify the likelihood and/or impact of the risk
- Transfer the risk
- Retain the risk
- Exploit the risk
Monitor and Assure
The final step in the Enterprise-Wide Risk Management Process is to monitor results and provide assurance: reviewing and improving the risk assessment, determining whether controls are effective, analyzing the successes and failures revealed by actual events, noting changes inside and outside the organization, and identifying emerging risks.
Because the process is cyclical, maintaining a high standard of risk management means repeating the five steps continually as the risk environment changes.