Enterprise Risk Assessments Consider Both the Forest and the Trees

When developing a risk management program you are told that you need to do an enterprise-wide risk assessment (ERA). But despite some limited published work on this subject, the question of what constitutes an “enterprise-wide” risk assessment is still quite vague.  The concept is straightforward enough – attempt to develop a framework that provides some insight into what the enterprise risk profile looks like. But in practice, this is actually not an easy proposition.

Some of the questions that naturally come up include:

• Does an ERA only look at those risks that could impact the entire organization?
• Should an ERA evaluate every conceivable kind of risk in every part of the company or just the “big ones?”
• Is an ERA conducted from one central group that evaluates risk from throughout the organization?
• Does the ERA take into consideration other risk assessments that are already being conducted?
• Or, is an ERA just a combination of ALL of the individual, detailed assessments rolled into one? And if so, how?

While the fundamentals of an ERA is actually a bit complicated (and will be the subject of numerous upcoming articles), many of these questions come together to one fairly central question.  Simply put:

Does “enterprise-wide risk assessment” mean an assessment taken from one central vantage point (the proverbial mountaintop) or is it the summation of a bunch of detailed assessments?

The answer is, it must be both.  We cannot escape the fact that risk looks different (and sometimes radically different) depending on your point of view. Take this example.

Suppose you were hired to evaluate a massive brick wall in someone’s backyard, one that was holding the hillside from crashing down on top of their house. How would you go about this? Would you stand back, take a look at the wall and if it looked ok tell the homeowner, “Yep, looks like a pretty sturdy wall. I’d say you’re risk is low.”  Or would you approach it by looking very closely at every brick, analyzing each for wear and stress, and then finally using some mathematical formula to take all of your “brick scores” into one big risk score for the wall?  When you think of it like this, both of these approaches seem sort of ridiculous, don’t they?

And yet, this is often how we approach risk assessment, by picking one of these two methods to try to establish a risk profile.  In truth, just like with the wall, assessing risk must involve both of these methods, a broad view and a detailed view.  Either one in isolation will only give you part of the picture. To evaluate our figurative wall you would look at, and assess, the wall overall, certain sections of the wall and the bricks themselves, as well as a whole range of external factors.  Understanding enterprise-wide risk management means developing similar methodologies, and this requires some thought and creativity.

Start With the Forest

When developing a risk assessment framework for the enterprise, consideration needs to be given as to how to let senior management estimate their risk profiles across various risk categories.  It is very helpful to put a stake in the sand about what you believe is your risk for credit, market, liquidity, operational, strategic, reputation, technology, compliance, reporting, etc. (whatever categories you choose for your risk taxonomy.)  But don’t just say “pick a number.” Let management describe why they feel this way in each category?  What are some of the factors that they believe rationalize this rating? Are the risk values increasing or decreasing? What internal or external forces would impact these ratings? What major assumptions are built into these ratings? How are these risk ratings tied to the corporate strategy?

Whether you refer to this a “baseline” or “preliminary” or other, the point is to develop a structure to be able to rough out an initial assessment for major risks that you can connect to strategy and at a level that relates to setting risk tolerance.

This part of the exercise accomplishes several important things.

• It respects the fact that management usually (but not always) has a pretty good estimate of its risk even before we fill out 19,000 pages of assessments. Whether that estimate is right or wrong is a different thing altogether.
• It gives you a place to start. It is so much easier to let supporting data move the needle rather than to think it’s going to tell you where it is in the first place (at an enterprise level).
• Finally, (perhaps most importantly), it lets you demonstrate on occasion just how far off management’s understanding of risk is once you develop the more detailed analyses.

The fact is, you never really want to go through a detailed assessment process and think that you’re going to “tell” people what their risk is. You have to let people discover it. And a cultural reality is that if you start from what a person “thinks” is reality and then fine-tune from there, they are often much more open to shifting their perspective than if you started from the detailed data first.

Then Consider The Trees

Most organizations already have a range of different types of detailed assessments, including:

• Operational risk assessments
• Strategic assessments
• Portfolio risk assessments
• Various compliance risk assessments
• IT & information security risk assessments
• Management assessments

Take, for example, the operational risk assessment.  When you assess a given process you ask: what could go wrong, how could it go wrong, what would be the impact, what are the related controls, and, finally, what is the residual risk?  In doing this, you naturally establish new small bits of data about each of the risks in your taxonomy (credit, market, liquidity, etc.)  The results of this assessment will tell you a lot about your overall operational risk profile, but it will also tell you something about other areas of risk as well. By designing a framework that allows risks to be assessed within structured, detailed assessment methods, but that can roll up into a larger “risk profile,” you end up using these individual assessments to either validate or challenge your initial, overall risk ratings.

For Major Risks, Go Back To The Forest View

Part of the value of an enterprise-wide risk assessment structure that includes a higher-level (macro) view is that you can ask questions about the impact of major events that don’t have specific risk owners, such as:

• A building failure
• A shift in market conditions
• A major change in the competitive landscape
• Major political or regulatory changes
• A significant natural disaster
• A dramatic management change

So for these types of events you would want to start by evaluating them globally, determine a rough preliminary assessment of the impact, and then work the questions down through the more detailed assessments to either confirm or challenge your top level assessment. The fact is, people can conceptualize the profile of major risk easier at a macro level than in trying to add up 100 different detailed assessments.  Again, it doesn’t mean we don’t do detailed assessments, but the amalgam of the data is really more about validation than determination of enterprise-wide risk.  Worst case, if you do start with detailed assessments first, at least make sure that the end result includes a roll-up to an enterprise-wide risk profile view.

Here are a couple of final but important thoughts to remember when creating a risk assessment methodology at both a macro and micro level.

• Risk monitoring must take place at different levels – You can have a million perfect bricks in a wall, but if the whole wall is leaning, you have a problem.  Risk needs to be monitored at the process level, at the division level and at the enterprise level. THAT right there is part of what makes a program enterprise-wide. This has implications on culture, tone, frameworks, methodologies and reporting.
• In an ERM model, risk is governed centrally–Part of what makes ERM work is when you create centralized governance systems, such as:
  • Standardized assessment methodologies so that data can be aggregated
  • Standard risk language
  • Definitions for risk measures (What does “yellow” mean? What does “red” mean?)
  • Aggregating reporting so that the Board and senior management can talk about risk tolerance which can then be communicated out

   

• But, at the end of the day, all risk is managed locally – In our wall analogy, you don’t replace walls, you replace bricks.  You need people watching the bricks and fixing the broken ones, otherwise it’s only a matter of time before the whole wall becomes unstable. Similarly, while it is important to understand risk profiles, all risk is managed by individuals. We have to understand the risk that exists within individual processes because that is where it is managed.

The ERM Advantage: Building an enterprise-wide risk management framework that provides for evaluating risk at a micro level and macro level is very hard work, and takes a tremendous amount of leadership and creativity.  But doing so creates an environment that builds strong connections all the way from corporate strategy right down to individual processes.  In the long run, that right there is an incredibly powerful competitive advantage.

For assistance in developing a top-to-bottom, holistic risk assessment framework contact Eric Holmquist at Accume Partners at (856) 793-1581 or eholmquist@accumepartners.com. Visit accumepartners.com