A.3.3. Risk Management
Identify risk to mitigate or accept, with reaction plans.
The capability Risk Management (A.3.3) is part of the capability area Business Enablers in the Business Pillar.
Risk management: the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
Risk Management has traditionally been an integral, and sometimes implicit, part of an Enterprise’s Business Governance practices. Though there are guidelines for business governance in every country, not all are formulated as regulations; some are only generally accepted norms of conduct [1]. Some examples of well-known governance and risk frameworks are:
- The Basel Accord framework (for financial services organizations), used by regulators globally for their specific jurisdiction directives covering management practices around operational, credit and market risks
- COSO, a private sector initiative (sector agnostic) dedicated to helping organizations improve performance by developing thought leadership that enhances internal control, risk management, governance and fraud deterrence
Enterprises use a variety of internal control systems, both formally and informally, to monitor their governance mechanisms. The COSO model [2], for example, defines internal control as ... designed to provide reasonable assurance of the achievement of objectives in the following categories:
- Operational Effectiveness and Efficiency
- Financial Reporting Reliability
- Applicable Laws and Regulations Compliance
A recent study [3] on the practices around ERM has highlighted the following:
- Effective risk management is a priority among boards of directors; organizations are facing pressures from a number of stakeholders to provide more risk information and business leaders want to be better prepared when unexpected risk events emerge to avoid being surprised
- Most organizations continue to struggle to integrate their risk management and strategic planning efforts; risk tolerances are not formally articulated as part of their strategic management activities
- There are a number of impediments to advancing an organization’s risk management processes, with the belief that "risks are managed in other ways besides ERM" dominating the list
- There is a heavy emphasis on risks related to technology, legal/compliance and financial issues, with ERM processes less focused on emerging strategic/market/industry risks or risk related to reputation
- There are opportunities to reposition an entity's risk management process to ensure risk insights generated are focused on the most important strategic issues
Warning: work in progress. This is just the result of an initial brainstorm session and needs to be worked out.
- External risk: Are threats identified (according to but not exclusive to your SWOT analysis)?
- Do you have a threat-matrix?
- Is there a threat-risk score?
- External risk: Cyber-threats, have they been identified?
- Preventable risks
- Strategy risks
- Scoring risks:
- Is the risk-appetite defined by the board?
- How do you translate identified risks or threats into action?
Warning: work in progress. Describe the 5 maturity levels of this capability.
Contribution to the Enterprise
Considering the above on the state, imperatives and opportunities in an enterprise’s risk management practices, we highlight below a few key focus areas where EKG can help/enable enterprises:
Holistic, inter-related, strategy aligned and performance monitoring integrated risk management
The topical approaches to risk management are a direct result of the silos of operations in various enterprise units. As outlined in the earlier sections, through Business Identities, EKGs can enable enterprises to align business strategy with the operating model and performance management, thus creating bridges between the silos of operations and aligning them to enterprise strategy. This interrelationship, in the context of strategic objectives, can enable risk management to evaluate and monitor risk in a holistic manner.
Qualitative and subjective metrics to more quantitative and objective metrics based risk management practices
Narrowly focused risk factors, owing to siloed specialisations, have led to the use of predominantly qualitative metrics in risk monitoring. EKGs can help align risk factors with metrics in performance management, thus helping in the use of more effective, quantitative, objective metrics in risk monitoring.
Evaluation and prioritization of emerging risks through explorative analysis
Specialised areas of risk dominate the focus of risk management, while strategic issues require coordinated action across multiple operational areas. By helping to align risk monitoring more closely with the strategic issues, EKGs can enable enterprises to evaluate and prioritize key emerging risks affecting the strategy through enterprise-wide, exploratory, scenario-based analysis.
Warning: work in progress. Describe how this capability is possibly being delivered today in a non-EKG context and optionally what the issues are that EKG could or should improve.
Warning: work in progress. Describe how this capability would be delivered or supported using an EKG approach, making the link to the "how", i.e. the EKG/Method.
Warning: work in progress. List examples of use cases that contribute to this capability, making the link to use cases in the catalog at https://catalog.ekgf.org/use-case/..
1. Integration of Risk Management with Business Processes, 2009, European Union Agency for Cybersecurity (ENISA).
2. Enterprise Risk Management Integrating with Strategy and Performance, Executive Summary, 2017, Committee of Sponsoring Organizations of the Treadway Commission (COSO).
3. 2021 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices, 12th Edition, 2021, Enterprise Risk Management Initiative Staff, NC State, Poole College of Management.