The concept of enterprise risk management (ERM) has been around for long enough to be largely accepted as a normal part of doing business. It is rare for large public and private sector organisations not to have a formal ERM program, and even small businesses will usually have applied some of the principles of ERM even if not the strict documentation of them.
However, once ERM programs have been developed and implemented, there is some question as to whether ongoing oversight is sufficient to ensure organisations are gaining full value and protection from their programs.
Formal and effective oversight of the ERM program should be developed as part of the "Monitoring and review" stage described in clause 4.5 of ISO 31000 Risk management. This stage should involve activities such as regularly checking that the ERM program is still accurate, appropriate and effective, and reporting on risk management performance to the Board and/or senior management team.
Unfortunately, once the energy to identify risks and prepare risk treatment plans has been expended, it is all too easy for the monitoring and reporting processes to receive minimal attention. The lack of effective oversight resulting from poor risk monitoring and reporting processes will undermine the ERM program and may result in negative consequences arising from unidentified or poorly managed risks.
To achieve effective ERM oversight and maximise the value of the program to your organisation, it is key to ensure that the following processes are in place:
- Regular review of the status of implementation of the risk treatments
- Regular review and re-analysis of the identified and emerging risks
- Reporting to Board/senior management of high-ranking risks, the change in the risk profile, and progress towards risk treatment plan implementation
- Ensuring that the Board/senior management is receiving risk reporting information in a suitable form for inclusion in the strategic planning process
- Consideration of whether risk is being managed differently across the organisation (silos) and how to re-integrate any differences
- Regular review of the overall currency and effectiveness of the ERM program, e.g. an annual review
- Developing and monitoring Key Risk Indicators for risk in the same way that Key Performance Indicators are used for productivity and quality
Please contact QRMC for more information.