Enterprise Risk Management (ERM) is a risk assessment that spans the entire organization, reviewing the key risks that could affect your organization’s ability to achieve its strategic objectives. According to the recent American Institute of Certified Public Accountants (AICPA) survey The State Of Risk Oversight: An Overview Of Enterprise Risk Management Practices, respondents indicated that unanticipated risk events (most likely cyber and reputation risk events) and emerging best practice expectations are the factors most frequently cited by organizations embracing ERM. It is becoming more widely accepted and expected that performing an enterprise-wide risk assessment is simply part of an organization’s governing body’s duty of care, and that failing to fulfill this duty can to some degree be considered negligence. With more organizations adopting risk committees to champion ERM, we would like to help you get started on your journey.
What should be presented to the risk committee?
- Annually updated risk universe. Your organization’s risk model should be updated annually to reflect your organization’s current risk environment. It serves as the framework for ensuring that the full risk universe is considered during risk discussions.
- Heatmap of top risk scenarios and remediation plans. Compiled risk scenarios should be ranked according to their significance and likelihood of occurrence. Scenarios plotted above the threshold line on the heatmap are candidates for further investigation, workshops and mitigation plans.
What are some questions the risk committee should be asking?
- What is the level of engagement? The answer to this question is one of the best indicators of the impact your ERM program is having on the company’s risk exposure. Without engagement, your ERM initiative may be just another silo. Implementing training and surveys across your organization helps increase involvement, creates a more risk-aware environment, and embeds risk awareness in the culture over time.
- What is the status of risk remediation activities that have been approved for implementation? Your committee should be kept informed about what projects have been approved, who is responsible for the project execution, and the approximate date the remediation activity will go live.
What are some critical success factors for your new risk committee?
- Develop procedures. Create a procedure document describing the ERM framework and process, such as an ERM charter that answers the following questions: Who is responsible for initiating and conducting risk assessments? Who will participate? What steps will be followed? How will disagreements be handled and resolved? What approvals will be needed? How will the assessments be documented? How will they be maintained? To whom will the reports be provided?
- Create standard tools (such as questionnaires) and formalized reporting (such as heatmaps).
- Be sure to involve business and technical experts on your committee. Business managers generally have the best understanding of the criticality and sensitivity of business operations, and of the systems and data that support these operations. Technical personnel—like IT, CPAs and Risk Advisory specialists—bring an understanding of vulnerabilities as well as knowledge of impacts, associated costs and the controls that are implemented.
- Formalize the timing of risk reporting to your governing body. Set a standard for quarterly meeting topics and the templates to be presented. Ensure ERM is on your governing body’s meeting agenda at least annually.
What are example quarterly agenda items for the risk committee?
Aronson’s risk advisory group advises organizations and often helps facilitate a quarterly structure for risk reporting. Below is an example of quarterly risk committee meeting topics along with a formal annual presentation to the governing body:
- Q1 committee meeting—Agree on who will receive surveys
- Q1 Interim activity—Send surveys to identified stakeholders
- Q2 committee meeting—Review updated risk universe and top identified risks (based on survey results)
- Q2 Interim activity—Perform peer benchmarking, risk workshops and interviews to identify solutions
- Q3 committee meeting—Report on suggested mitigation activities and receive approval from committee
- Q3 Interim activity—Begin to implement mitigation and remediation plans
- Q4 committee meeting and annual board/governance meeting—Review and present overall ERM reporting to the formal governing body, including the top identified risks and the status of implementation of mitigation plans
Aronson’s risk advisory group helps promote the adoption of risk committees for organizations looking to formalize their enterprise risk management processes. With more organizations adopting risk committees or similar governing bodies, we would like to help you get started on your journey.
For more information or if you are interested in risk advisory services related to training, design of your program, or assurance over your controls, please contact our risk advisory experts at 301.231.6200.