Steps in the Enterprise Risk Management Process
Enterprise risk management seeks to maximize shareholder value in a company. It is a relatively new term used to include all the areas of risk that were previously fragmented. Risk was lumped into four domains: hazard, financial, operational, and strategic. Although these domains are still applicable to risk management discussions and developments, each came about when a particular discipline realized it could capitalize on a domain of risk. One example is the insurance industry: hazard risk was a good framework for selling the many insurable risks for which it already provided coverage. By combining all four domains, enterprise risk management offers streamlined solutions across all domains and acknowledges that risk is not domain independent. It was not until enterprise risk management gathered the four domains that it became the continuous process that makes it so effective. The process is as follows:
- Risk Identification
- Risk Analysis (Risk Assessment, Quantification, Interpretation, Report)
- Risk Response
- Risk Control
- Risk Monitoring
1. Risk Identification
Risk Identification is the detection and recognition of risk factors. A risk factor is an event or condition that, if encountered, causes financial harm. It is best to express each risk factor as the simplest possible unit of risk. An example will help illustrate this point. Let us look at the management team. What possible risk could be present? Our first concern would be the risk of a changing management team. If we take a moment to think, we can see that there are two smaller units of risk: the sudden loss of a key person and finding a replacement for a key person. We’ve now identified two risk factors. The smaller portions allow a company to implement clear and concise action plans for each. They also ensure that no detail is hidden or missed. The sudden loss of a key person may be addressed through insurance coverage, while the replacement of a key person requires advanced succession planning. Each solution is very different. If we had not separated the two risk factors, we might have tried to apply one solution. Only one risk factor would have been solved, while the other would have gone unchecked.
Enterprise risk management is a continuous process that forces us to revisit each step. A good enterprise risk manager will acknowledge that new risks may arise or that risk factors were not fully identified.
2. Risk Analysis
Risk Analysis begins by taking a single risk factor. Analysis will take subjective information and convert it to a quantitative score. To quantify risk, one must determine the possible financial impact and the likelihood of occurrence. A third piece of information, the current conditions within a company, can be gained through an assessment. These three pieces of information are used to calculate a score that not only allows a company to benchmark across an industry, but also yields an ordered list of risk factors based on importance to a specific company.
When risk analysis is revisited, the most common variable to re-examine is the current conditions within a company. If risk control has been successful, current conditions will have improved and the score for a risk factor will have improved with them. Possible financial impact and the likelihood of occurrence are intended to be universal. They are not exempt from re-examination; however, they are less likely to change.
3. Risk Response
Risk Response is unique to each company. It is a structured action plan to address the risk factors. It selects which risk factors to deal with, the individuals who will address each factor, and the goal to be accomplished for each factor. Depending on the size of a company, risk response will determine the resources available. Smaller companies may have fewer labor hours to dedicate, while larger firms could hire a new individual. The same consideration is made for financial resources. It is easy to see how this step is revisited each time an adjustment is made to the entire enterprise risk management process.
4. Risk Control
Risk Control implements a solution that will ultimately reduce or transfer risk. Solutions have many different needs. Some solutions require a new document or form that will be used in daily operations. Others require lengthy business plans outlining corporate change or hours of research used towards making a decision. If there is more than one solution, weigh the cost against available resources to choose the best fit for the company. Do not overlook the value of outside help. Each company has only one set of experience, while industry specialists will have examined and helped many companies. The goal is preventative risk control, not reactive risk control. Revisit risk control when a solution is not working effectively or to improve operations by setting a higher goal.
5. Risk Monitoring
Risk Monitoring is vital to realizing actual gains from the entire enterprise risk management process. Although simple, ensuring that solutions from risk controls are being incorporated and accepted will provide the most return. It is too easy to be complacent with an implemented solution, only to have it soon forgotten. Without monitoring, enterprise risk management will be viewed as an expense that leaves only a residual “feel good” mentality.