When developing a risk management program you are told that you need to do an enterprise-wide risk assessment (ERA). But despite some limited published work on the subject, the question of what constitutes an “enterprise-wide” risk assessment is still quite vague. The concept is straightforward enough – develop a framework that provides some insight into what the enterprise risk profile looks like. In practice, though, this is not an easy proposition.
Some of the questions that naturally come up include:
- Does an ERA only look at those risks that could impact the entire organization?
- Should an ERA evaluate every conceivable kind of risk in every part of the company or just the “big ones?”
- Is an ERA conducted from one central group that evaluates risk from throughout the organization?
- Does the ERA take into consideration other risk assessments that are already being conducted?
- Or, is an ERA just a combination of ALL of the individual, detailed assessments rolled into one? And if so, how?
While the fundamentals of an ERA are actually a bit complicated (and will be the subject of numerous upcoming articles), many of these questions come down to one fairly central question. Simply put:
Does “enterprise-wide risk assessment” mean an assessment taken from one central vantage point (the proverbial mountaintop) or is it the summation of a bunch of detailed assessments?
The answer is, it must be both. We cannot escape the fact that risk looks different (and sometimes radically different) depending on your point of view. Take this example.
Suppose you were hired to evaluate a massive brick wall in someone’s backyard, one that was holding the hillside back from crashing down on top of their house. How would you go about this? Would you stand back, take a look at the wall and, if it looked ok, tell the homeowner, “Yep, looks like a pretty sturdy wall. I’d say your risk is low.” Or would you approach it by looking very closely at every brick, analyzing each for wear and stress, and then finally using some mathematical formula to combine all of your “brick scores” into one big risk score for the wall? When you think of it like this, both of these approaches seem sort of ridiculous, don’t they?
And yet, this is often how we approach risk assessment, by picking one of these two methods to try to establish a risk profile. In truth, just like with the wall, assessing risk must involve both of these methods, a broad view and a detailed view. Either one in isolation will only give you part of the picture. To evaluate our figurative wall you would look at, and assess, the wall overall, certain sections of the wall and the bricks themselves, as well as a whole range of external factors. Understanding enterprise-wide risk management means developing similar methodologies, and this requires some thought and creativity.
Start With the Forest
When developing a risk assessment framework for the enterprise, consideration needs to be given to how to let senior management estimate their risk profiles across various risk categories. It is very helpful to put a stake in the ground about what you believe your risk is for credit, market, liquidity, operational, strategic, reputation, technology, compliance, reporting, etc. (whatever categories you choose for your risk taxonomy). But don’t just say “pick a number.” Let management describe why they feel this way in each category. What are some of the factors that they believe rationalize this rating? Are the risk values increasing or decreasing? What internal or external forces would impact these ratings? What major assumptions are built into these ratings? How are these risk ratings tied to the corporate strategy?
Whether you refer to this as a “baseline,” a “preliminary” assessment or something else, the point is to develop a structure that lets you rough out an initial assessment for major risks, one that you can connect to strategy and that sits at a level suitable for setting risk tolerance.
This part of the exercise accomplishes several important things.
- It respects the fact that management usually (but not always) has a pretty good estimate of its risk even before we fill out 19,000 pages of assessments. Whether that estimate is right or wrong is a different thing altogether.
- It gives you a place to start. It is much easier to let supporting data move the needle than to expect that data to tell you where the needle sits in the first place (at an enterprise level).
- Finally, (perhaps most importantly), it lets you demonstrate on occasion just how far off management’s understanding of risk is once you develop the more detailed analyses.
The fact is, you never really want to go through a detailed assessment process and think that you’re going to “tell” people what their risk is. You have to let people discover it. And a cultural reality is that if you start from what a person “thinks” is reality and then fine-tune from there, they are often much more open to shifting their perspective than if you started from the detailed data first.
Then Consider The Trees
Most organizations already have a range of different types of detailed assessments, including:
- Operational risk assessments
- Strategic assessments
- Portfolio risk assessments
- Various compliance risk assessments
- IT & information security risk assessments
- Management assessments
Take, for example, the operational risk assessment. When you assess a given process you ask: what could go wrong, how could it go wrong, what would be the impact, what are the related controls, and, finally, what is the residual risk? In doing this, you naturally establish small new bits of data about each of the risks in your taxonomy (credit, market, liquidity, etc.). The results of this assessment will tell you a lot about your overall operational risk profile, but they will also tell you something about other areas of risk as well. By designing a framework that allows risks to be assessed within structured, detailed assessment methods, but that can roll up into a larger “risk profile,” you end up using these individual assessments to either validate or challenge your initial, overall risk ratings.
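The roll-up described above, as an added example that is not part of the original article: detailed findings are recorded against a standard taxonomy and a standard rating language, rolled up to one score per category, and then compared with management’s top-down baseline so that each category comes back as supported, understated, overstated or unsupported by data. The taxonomy names follow the article; the 1–5 scale, the colour bands, the control reductions and every finding and baseline figure are assumptions constructed for illustration.

```python
"""Added example: roll detailed assessment findings up to an enterprise
risk profile and compare that profile with management's top-down baseline.
Taxonomy names follow the article; the 1-5 scale, rating bands, control
reductions and all sample data are assumptions constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

TAXONOMY = ("credit", "market", "liquidity", "operational", "strategic",
            "reputation", "technology", "compliance", "reporting")

# Standard definitions for risk measures on a 1-5 residual scale (assumed
# bands): the same number must mean the same colour in every report.
RATING_BANDS = (("green", 1, 2), ("yellow", 3, 3), ("red", 4, 5))


def rating_label(score: int) -> str:
    """Translate a 1-5 score into the agreed colour."""
    for label, low, high in RATING_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside the 1-5 scale")


@dataclass(frozen=True)
class Finding:
    """One risk recorded in a detailed (e.g. operational) assessment of a process."""
    process: str
    risk: str
    category: str        # taxonomy category this risk rolls up into
    inherent: int        # 1-5 before controls
    control_effect: int  # 0-3 points of reduction from the related controls

    def residual(self) -> int:
        """Residual risk after controls; never below 1 on this scale."""
        return max(1, self.inherent - self.control_effect)


def roll_up(findings: list[Finding]) -> dict[str, dict]:
    """Aggregate findings per taxonomy category.

    The category score is the worst residual, not the average: one failing
    section makes the wall unsafe, and averaging would hide it. A finding
    outside the standard taxonomy is rejected, because data that does not
    use the shared language cannot be aggregated.
    """
    per_category: dict[str, list[Finding]] = defaultdict(list)
    for finding in findings:
        if finding.category not in TAXONOMY:
            raise ValueError(f"{finding.process}: unknown category {finding.category!r}")
        per_category[finding.category].append(finding)
    profile = {}
    for category, items in per_category.items():
        worst = max(items, key=Finding.residual)
        profile[category] = {
            "score": worst.residual(),
            "label": rating_label(worst.residual()),
            "findings": len(items),
            "driver": f"{worst.process}: {worst.risk}",
        }
    return profile


def compare_to_baseline(baseline: dict[str, int], profile: dict[str, dict],
                        tolerance: int = 1) -> dict[str, str]:
    """Return one verdict per baseline category.

    'supported' when the roll-up is within `tolerance` of management's estimate,
    'understated' or 'overstated' when the detailed data contradicts it, and
    'unsupported' when no detailed assessment touched the category at all.
    """
    verdicts = {}
    for category, estimate in baseline.items():
        if category not in TAXONOMY:
            raise ValueError(f"baseline uses unknown category {category!r}")
        if category not in profile:
            verdicts[category] = "unsupported"
            continue
        gap = profile[category]["score"] - estimate
        if abs(gap) <= tolerance:
            verdicts[category] = "supported"
        else:
            verdicts[category] = "understated" if gap > 0 else "overstated"
    return verdicts


# Constructed sample data (not from the article).
MANAGEMENT_BASELINE = {"operational": 4, "technology": 2, "compliance": 2,
                       "reputation": 3, "liquidity": 2}

SAMPLE_FINDINGS = [
    Finding("wire transfers", "duplicate payment release", "operational", 4, 2),
    Finding("wire transfers", "sanctions screening bypass", "compliance", 4, 1),
    Finding("customer portal", "unpatched edge appliance", "technology", 5, 1),
    Finding("customer portal", "weak session handling", "technology", 3, 2),
    Finding("call centre", "customer data read aloud", "reputation", 3, 1),
]

if __name__ == "__main__":
    rolled = roll_up(SAMPLE_FINDINGS)
    for cat, verdict in compare_to_baseline(MANAGEMENT_BASELINE, rolled).items():
        detail = rolled.get(cat, {})
        print(f"{cat:12} baseline={MANAGEMENT_BASELINE[cat]} "
              f"rollup={detail.get('score', '-')} ({detail.get('label', 'no data')}) -> {verdict}")
```

With the constructed data, technology comes back “understated” (management said 2, the worst detailed finding is a 4), operational comes back “overstated”, and liquidity comes back “unsupported” because no detailed assessment produced anything in that category. The last case is the one to watch for: a baseline rating nobody has tested is an assumption, not a measurement.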
For Major Risks, Go Back To The Forest View
Part of the value of an enterprise-wide risk assessment structure that includes a higher-level (macro) view is that you can ask questions about the impact of major events that don’t have specific risk owners, such as:
- A building failure
- A shift in market conditions
- A major change in the competitive landscape
- Major political or regulatory changes
- A significant natural disaster
- A dramatic management change
So for these types of events you would want to start by evaluating them globally, determine a rough preliminary assessment of the impact, and then work the questions down through the more detailed assessments to either confirm or challenge your top-level assessment. The fact is, people can conceptualize the profile of a major risk more easily at a macro level than by trying to add up 100 different detailed assessments. Again, it doesn’t mean we don’t do detailed assessments, but the amalgam of the data is really more about validation than determination of enterprise-wide risk. Worst case, if you do start with detailed assessments first, at least make sure that the end result includes a roll-up to an enterprise-wide risk profile view.
Here are a couple of final but important thoughts to remember when creating a risk assessment methodology at both a macro and micro level.
- Risk monitoring must take place at different levels – You can have a million perfect bricks in a wall, but if the whole wall is leaning, you have a problem. Risk needs to be monitored at the process level, at the division level and at the enterprise level. THAT right there is part of what makes a program enterprise-wide. This has implications for culture, tone, frameworks, methodologies and reporting.
- In an ERM model, risk is governed centrally – Part of what makes ERM work is when you create centralized governance systems, such as:
- Standardized assessment methodologies so that data can be aggregated
- Standard risk language
- Definitions for risk measures (What does “yellow” mean? What does “red” mean?)
- Aggregated reporting so that the Board and senior management can talk about risk tolerance, which can then be communicated out
- But, at the end of the day, all risk is managed locally – In our wall analogy, you don’t replace walls, you replace bricks. You need people watching the bricks and fixing the broken ones, otherwise it’s only a matter of time before the whole wall becomes unstable. Similarly, while it is important to understand risk profiles, all risk is managed by individuals. We have to understand the risk that exists within individual processes because that is where it is managed.
The ERM Advantage: Building an enterprise-wide risk management framework that provides for evaluating risk at a micro level and macro level is very hard work, and takes a tremendous amount of leadership and creativity. But doing so creates an environment that builds strong connections all the way from corporate strategy right down to individual processes. In the long run, that right there is an incredibly powerful competitive advantage.
For assistance in developing a top-to-bottom, holistic risk assessment framework contact Eric Holmquist at Accume Partners at (856) 793-1581 or email@example.com. Visit accumepartners.com
Top down and bottom up ERA are both required as you say. The difference in utility is the question you are trying to answer. Using your brick wall example. Top Down: Will the wall collapse? Bottom Up: Will 10 bricks require maintenance this month? And if I ignore the maintenance, then (when) will the wall collapse? In both cases, the threat that can kill you is the wall collapsing. Everything else just hurts.
Spot on Mike. Using a holistic framework gives you a powerful ability to look at risk from several dimensions, which is at the heart of an ERM view.
Eric, I think that many people needlessly overcomplicate this process. You’ve provided a pretty clear discussion here. One thing that I might add, that I’ve found very helpful, is the creation of a Top 10 List (a.k.a. the Letterman List or Key Risk List) at the entity level (valuable at the Business Unit as well). While there are many ways to tackle this project, our latest exercise involved 1) a survey of senior management as to what they felt were the Top 5-7 risks facing the company, 2) consolidating those responses into a clean list, and 3) a facilitated roundtable to talk through the responses and reach a consensus as to the Top 10 (in our case, we actually had 12 make the list). For each of these key risks we documented the risk owner(s), detailed information about the risk (who, what, where, when, why, and how type of questions), potential exposure ($$ and reputational impact), controls and mitigation strategies in place, the residual risk, and any action items needed to better understand or mitigate the risk.
While the above process certainly gives us a better understanding of our key risks (particularly operational risks, which tend to be ignored sometimes due to the difficulty of measuring those risks), I think the greatest value came from the discussion…the conversation that took place during the facilitated session and beyond. Really went a long way to strengthen the risk awareness in the managers that participated.
Thank you for your post. Your comments are absolutely spot on. This is the point I’m making in the piece that while we need a detailed assessment process, there is tremendous value in doing a high-level analysis to identify that “Top 10” you talk about. This lets management get their assumptions out on the table so that they are not left unspoken. As you work through more detailed risk assessments, scenario analysis, etc., if that analysis does not support the high-level assessment, you know something is off. I think that this creates a great balancing equation. There is much debate about whether a “Top 10” can be dangerous because of the risk that people over-focus on just that list, but I think as long as you continue to support it with data it brings tremendous value. And you are absolutely right that the most valuable part of the process is the dialog. Awareness breeds ownership and ownership breeds accountability.
In my opinion, security risk analysis, otherwise known as risk assessment, is fundamental to the security of any organization. It is essential in ensuring that controls and expenditure are fully commensurate with the risks to which the organization is exposed.