Enhancing ERM: Moving beyond the traditional risk assessment
Dec 17, 2024 · Authored by Corey Parker, John A. Rogula, Travis Allison
This is the second leg of our journey through the world of enterprise risk management (ERM). In our previous webinar, we explored how to build a strong foundation with ERM essentials. Continuing that journey in our most recent webinar, we dove deep into the process of enhancing your enterprise risk assessment (ERA) beyond the traditional approach.
Naturally, the first question we must consider is—what is a traditional approach to enterprise risk assessments?
Traditional approach to an enterprise risk assessment
At its core, there are three components of a traditional risk assessment: risk identification and gathering, risk analysis and prioritization, and outcomes and reporting.
- Documentation collection and inspection methods can be manual and burdensome
- Resources (e.g., time/effort) can impact the risk coverage (e.g., the depth of documentation and information reviews)
- Risk identification is primarily driven by manual efforts, such as document reviews, interviews and surveys
- Risks are gathered internally and often fail to capture independent, outside or collaborative perspectives
- Limits the benefits of anonymity/confidentiality
- Focused primarily on threats, not opportunities
- Risks can be subject to human error in interpretation and/or biased perspectives (i.e., recency bias or confirmation bias)
- Qualitative inputs require additional validation and confirmation
- Quantitative inputs depend on the availability and reliability of data
- Reliant primarily on impact and likelihood (which limits considerations beyond these two components)
- Equal weighting given to impact and likelihood
- Outputs can require manual adjustments (risk smoothing)
- Limited, siloed perspectives on risk (e.g., operational or compliance or financial) that result in problems and/or issues
- Embraces a short-term view and neglects long-term and/or strategic goals and objectives
- Outcomes lack action (heatmaps often focus on inherent risks)
- Does not consider nature of risk (i.e., the tolerance for the risk)
- Does not inform consensus
- Minimizes black swan events
In a traditional enterprise risk assessment approach, the shortfalls of each component are plentiful: the process is overly manual, often burdensome, takes months to complete, is subject to human error and adopts a "right here, right now" view rather than a strategic, integrated view that truly encompasses the risk environment across the entire enterprise.
A traditional enterprise risk assessment approach isn’t all bad (there’s a reason it’s the traditional method, after all) … but there’s certainly room for improvement. And that’s where an enhanced approach comes into play.
Enhanced approach to an enterprise risk assessment
Building upon the traditional method, an enhanced approach to enterprise risk assessments incorporates five risk identification tools and techniques:
- Intentionally involving a diversity of stakeholders
- Leveraging historical data and industry benchmarks
- Considering both internal AND external sources
- Continuous monitoring and adaptation of your risk profile
- Collaboration and communication across risk functions
When infusing these attributes into the traditional approach, those same three components (risk identification/gathering, risk analysis/prioritization and outcomes/reporting) become far more robust.
- Starts with asking how you measure performance as an organization—what is your performance scorecard—and speaks the language of the business
- Focuses on potential risks that will then keep you from achieving or accelerating your performance—not speed bumps, but rather roadblocks
- Results demonstrate coverage of risks across the enterprise—a mix of financial, operational, regulatory, external-emerging, strategic and technological risks
- Provides participants with a universe of risks to consider, but allows them an opportunity to contribute/share their own risks
- Conducted through collaboration software—building consensus quickly and enabling the anonymous sharing of comments regarding identified risks
- Data is processed through the collaboration tool (easy data collection and management)
- Can have more individuals participate and provide insights
- Allows you to collect insightful information:
  - Risk names and definitions
  - Scenarios of concern
  - What performance measures would be impacted if the risk materialized?
  - How would you know the risk is occurring (measurement)?
  - What are you doing to mitigate the risk? What else should you consider doing?
  - What do you believe is the needed response (enhance, manage, watch)?
- Uses impact, likelihood, management preparedness and velocity
- May place emphasis on impact (to not minimize black swan events)
- Focuses on needed response versus position in a heatmap
- Accounts for the nature of and tolerance for the risk
- Balances strategic and operational risks, as well as internal and external risks
- Focuses on future uncertainties versus issues
- Results in a view of needed response for the risks and is focused on consensus
- Results in information gathering that enables further evaluation of the risk (e.g., quantification, risk response plan development, etc.)
- Considers the tolerance levels for the risks
- Highlights black swan events for consideration
- Aligns with the business cycle and the development of a long-range/strategic plan
- Takes weeks, not months, and can be performed multiple times per year
Integrated risk assessments
As seen above, a critical aspect of an enhanced approach to enterprise risk assessments is risk integration. By risk integration we mean not siloing your enterprise risk assessment, but rather conducting it in coordination with other risk and business functions across the enterprise (e.g., compliance and internal audit). The goal is to place less strain on the business—and, specifically, on the participants in the process—so they’re not completing three, four or five separate risk assessments across multiple risk functions.
This integration allows you to start understanding, across your organization, exactly if/where you’re building consistency in your risk definitions, identifications and tolerance profiles. It allows for a singular, consistent domain for building out a tailored risk universe. It helps you better understand root causes/drivers and coordinate the development of enterprise mitigation strategies to reduce said risks to acceptable levels.
And when you think about risk prioritization, if you’re utilizing consistent scales (on likelihood, impact, management preparedness and velocity) across all risk functions, you’re standardizing this process, enterprise-wide, and allowing for consistent reporting and an enhanced level of clarity and understanding of your risk environment from top to bottom.
The bottom line
Embracing an enhanced approach to enterprise risk assessments is not a simple, one-size-fits-all endeavor. But moving beyond the traditional approach—through collaborative tools, external risk scanning, cross-functional integration and properly leveraging technology—can help elevate both the results and value of your risk assessments.
Whether you’re a seasoned risk professional or just starting your journey, we encourage you to take the next step toward an enhanced approach. Let’s go there, together.
To explore tech-enabled enterprise risk assessments—including a hands-on demo of various collaboration tools—and to examine possible ERA outputs, reimagined risk assessment processes and more, watch our on-demand webinar above.