Risk Profile Development – Measuring and Monitoring the Risks
Last month we discussed the process of risk evaluation and treatment for risk profile development. In this installment we will briefly describe the next steps to measure and monitor risk profiles.
The Enterprise Risk Management (ERM) measurement and monitoring process is uniquely developed for the specific needs of each organization. The process can be simple or complex depending upon what has been found in the identification, analysis, evaluation and treatment stages. Some organizations have one individual attending to the measurement and monitoring of all identified risks, and others have integrated internal and external teams with scores of individuals managing complex risk scoring and mitigation programs. The keys are to customize a product and service platform that fits each organization, and then strike a balance of costs versus benefits for the various risk management programs.
Most organizations have some form of financial risk taking and transfer to balance the financial impact of frequent and catastrophic events. Therefore, it is helpful to create a “map” of all of the risks that have been identified so that an ongoing measurement and monitoring process may be easily seen and understood by the team. The map should provide enough detail to “visualize” the general risk taking and transfer positions, to be further analyzed and managed by qualified internal and external team members. A simple version of a risk map may consist of two views, one viewpoint associated with frequency of threats or occurrences, and another with a risk severity viewpoint. By analyzing the data using various viewpoints will allow the team to address the most important causes and conditions associated with the threats or risks.
To create a map, the team will need a system to gather the key data for scoring and reporting. As an example of multi-view risk mapping, the U.S. Federal Emergency Management Agency’s (FEMA’s) Risk MAP 3 programs provide states and counties with flood information and tools they can use to enhance their mitigation plans and take action to better protect their citizens. Another example is Aon’s Crisis Management political risk map which describes each country’s risk profile on a scale from “no risk” to “severe”.
Each individual organization’s "map(s)" will capture the risk profiles, and the measurement tools will inform the organization for further action involving:
• Current and emerging risks from a changing operating environment;
• Prioritization of the risks, and how such risks are to be mitigated and managed;
• Risk tolerances, and how they are to be communicated;
• Assessment of the resources (internal and external to the organization) to manage and mitigate significant risks; and
• Ongoing education and training to evolve the existing risk management structures to keep abreast of the changing environments.
Within the strategic risk management team, it is essential that there be an ongoing review of the key factors that are driving organizational risk and associated costs. For those unique situations where the events or threats are significant, there should be an open line of communication and planning at the senior levels of the organization including members of executive team and board of directors.
When a senior member of the risk management team walks down the hall, they should not be greeted with a negative reaction of “Oh no, what happened now”, but rather “OK, how are we dealing with this situation now, and what additional resources are needed” approach. Periodic reviews of risk management plans and procedures by senior executive management are essential to create the proper communication with the board of directors and stakeholders.
One thing is absolutely certain in today’s world. The operating environment for every organization will change, and the risk management programs need to be monitored regularly to keep pace with these changes. Through continuous monitoring and review, lessons will be learned from the risk management process to update treatment plans and future outcomes.