This is the second leg of our journey through the world of enterprise risk management (ERM). In our previous webinar, we explored how to build a strong foundation with ERM essentials. In our most recent webinar, we continued that journey and dove into how to enhance your enterprise risk assessment (ERA) beyond the traditional approach.
Naturally, the first question to consider is: what is the traditional approach to an enterprise risk assessment?
Traditional approach to an enterprise risk assessment
At its core, a traditional risk assessment has three components: risk identification and gathering, risk analysis and prioritization, and outcomes and reporting. Each component carries well-known limitations.
Risk identification and gathering:
- Documentation collection and inspection methods can be manual and burdensome
- Resource constraints (e.g., time and effort) limit risk coverage, that is, the depth of documentation and information reviews
- Risk identification is driven primarily by manual efforts such as document reviews, interviews and surveys
- Risks are gathered internally and often fail to capture independent, outside or collaborative perspectives
- The benefits of anonymity and confidentiality for contributors are limited
- The focus is primarily on threats, not opportunities
Risk analysis and prioritization:
- Risks are subject to human error in interpretation and to biased perspectives (e.g., recency bias or confirmation bias)
- Qualitative inputs require additional validation and confirmation
- Quantitative inputs depend on the availability and reliability of data
- Scoring relies primarily on impact and likelihood, which leaves out other considerations (e.g., velocity, persistence, or the ability to respond)
- Impact and likelihood are given equal weighting
- Outputs can require manual adjustments after the fact (risk smoothing)
Outcomes and reporting:
- Risk is viewed through a single, siloed lens (operational OR compliance OR financial), so interdependencies between those areas go unreported
- A short-term view is embraced, neglecting long-term and strategic goals and objectives
- Outcomes do not translate into action (heatmaps often plot inherent rather than residual risk, so they say little about where controls are needed)
- The organization's tolerance for each risk is not considered, so a high-scoring but accepted risk and a high-scoring unacceptable risk look the same
- Results do not help build consensus among stakeholders
- Black swan events (low-likelihood, high-impact) are discounted because a likelihood-weighted score pushes them down the list