Risk Benchmarking – Enterprise Risk Management
The following describes the approach and methodology for undertaking a risk management benchmarking exercise.
The risk management process will be compared with and measured against worldwide best practice and international risk management standards.
The ability to manage significant risks effectively is an increasingly critical success factor for all organizations. Badly informed or poorly executed risk management, on the other hand, can easily spell disaster.
As each month passes, the importance of risk and assurance increases, or so it would appear from the ever-increasing coverage being given to the subject. The result is that risk management has been catapulted from being a useful tool to become the very pulse of the organization and the yardstick by which its management is judged.
The benchmarking exercise will assess all aspects of the risk management process by reviewing documentation, reports, etc., and interviewing key personnel.
1. Risk Management Strategy and Approach
- Evaluation of the strategy against best practice
- Communication and understanding of the strategy
- Risk management standards adopted
- Risk management terminology used
- Definition and understanding of risk appetite
- Linkage to Corporate and business objectives
- The extent to which opportunities are encompassed
- Link to surprises and near misses
- Inclusivity of the process
- The Risk management framework
- The approach adopted to sell the benefits to management
- Benefits projected
2. Risk Identification and Evaluation
- Methods used to identify risk
- Sources of risk
- Risk definitions – including use of inherent (gross) and residual (net) risks
- Categories of Risk and how determined
- Risk workshops – the approach used
- Sifting and clustering the risks – the approach used
- Use of scenario planning
- How have more complex risks been assessed? E.g. Monte Carlo simulations and Bayesian Networks
- Measuring the impact and the likelihood of occurrence of each risk
- Approach adopted
- Risk matrix – evaluation against best practice
- How has the approach ensured consistency?
- Ease of understanding by managers using the process
- Reliability of the information gathered
3. Assessment of Risk Mitigation
- The approach adopted – workshops or other approaches
- The method employed to assess risk mitigation
- Identification of risk exposures
- Determination of exposures (the 4 Ts – terminate, tolerate, treat or transfer)
- Establishment of action plans.
- Risk treatment analysis – how have the cost/benefits of dealing with exposures/exploiting opportunities been assessed?
4. The output from the Risk Process
- Risk register – the method adopted
- The extent to which risks have been identified at the appropriate level
- How has consistency been ensured?
- The approach adopted to deal with anomalies
- Risk owners – how have these been determined?
- Flagging interdependencies – if one risk treatment is changed, the other party or parties impacted need to be notified. How has this been dealt with?
- Reports for Senior Management
- Board reporting to review progress in addressing the exposures – the method adopted
- The approach adopted to ensure new risks are identified and included
- Are annual statements required by risk owners? – What is included?
5. Embedding the Risk process
- How have corporate risks been linked to the Strategic planning process
- Has the process been adopted across the organization?
- Have all functions embraced the process?
- How have operational risks been incorporated into the business planning process?
- The approach adopted for risk tracking
- How has the decision-making process been influenced by the adoption of the formal risk management process?
- What benefits have been delivered?
- What changes to business processes have resulted?
- Linkage to Performance management – the method employed
- Has the risk process changed the culture in any way?
- How has the momentum been kept up?
- Integration of incident management
- Integration of Business Continuity planning
- How has the risk program impacted priority setting?
- Have risk champions been identified via the process?
- How has the process been audited?
- Next steps planned
6. Interviews with key personnel
- If practical, short interviews (20 minutes) with key decision makers i.e. the Chief Executive, other Directors and Chairman of the Audit Committee should be arranged
- A comprehensive report identifying the strengths of the current process and opportunities for improvement will be prepared