Real estate building with view of windows outside

Article

Enhancing ERM: Moving beyond the traditional risk assessment

Dec. 17, 2024 · Authored by Corey Parker, John A. Rogula, Travis Allison

This is the second leg of our journey through the world of enterprise risk management (ERM). In our previous webinar, we explored how to build a strong foundation with ERM essentials. Continuing that journey in our most recent webinar, we dove deep into the process of enhancing your enterprise risk assessment (ERA) beyond the traditional approach.

Naturally, the first question we must consider is—what is a traditional approach to enterprise risk assessments?

Traditional approach to an enterprise risk assessment

At its core, there are three components of a traditional risk assessment: risk identification and gathering, risk analysis and prioritization, and outcomes and reporting.

Risk identification and gathering

Documentation collection and inspection methods can be manual and burdensome
Resources (e.g., time/effort) can impact the risk coverage (e.g., the depth of documentation and information reviews)
Risk identification is primarily driven by manual efforts, such as document reviews, interviews and surveys
Risks are gathered internally and often fail to capture independent, outside or collaborative perspectives
Limits the benefits of anonymity/confidentiality
Focused primarily on threats, not opportunities

Risk analysis and prioritization

Risks can be subject to human error in interpretation and/or biased perspectives (i.e., recency bias or confirmation bias)
Qualitative inputs require additional validation and confirmation
Quantitative inputs depend on the availability and reliability of data
Reliant primarily on impact and likelihood (which limits considerations beyond these two components)
Equal weighting given to impact and likelihood
Outputs can require manual adjustments (risk smoothing)

Outcomes and reporting

Limited perspectives on risk (e.g., operational OR compliance OR financial) that results in problems and/or issues
Embraces a short-term view and neglects long-term and/or strategic goals and objectives
Outcomes lack action (heatmaps often focus on inherent risks)
Does not consider nature of risk (i.e., the tolerance for the risk)
Does not inform consensus
Minimizes black swan events