ERM Fundamentals

Seven Question Guide to Assessing Your Enterprise Risk Management Practices

This article, “Enterprise Risk Management Assessment Guide,” authored by Bruce McCuaig, discusses how the increasing focus on risk management is causing risk professionals and organizational leaders to reexamine their risk management practices. It poses seven questions these professionals should consider when evaluating risk management tools, improving risk management practices, and conducting an overall assessment of ERM in an organization.

Is Your Risk Management Process Really Assessing Risk?

Many risk management practices are focused on identifying and assessing the risk of control failure rather than on the risk the control is in place to mitigate. Identifying and assessing controls is a valid approach but one that is insufficient by itself. It is first important to know what risks the controls are addressing and to identify those risks. Risk-based thinking has the premise that risks are predictable and avoidable and tracks loss events, analyzes root causes, and eliminates or mitigates the cause of the risk failure.

Is Your Risk Assessment Context Driven?

The history of risk assessment suggests that problems often come either from not looking in the right place for risks or from looking in the right places and failing to find the risk. Organizations should use a context-driven risk assessment to identify all the topics or areas that need to be risk assessed. It is unlikely that the right contexts will be identified and addressed from within the organization due to narrow vision, short-range thinking, or lack of an enterprise-wide perspective. Therefore, context should be identified at the organization level and related risk assessments should be coordinated by senior management and the board.

Does Your Risk Management Process Address Root Cause of Failure?

The control-based approaches that predominate today typically have no requirement for root cause analysis, but simply identify and report control breakdowns. It is important to track incidents, near misses, and loss events in order to analyze and address the root cause of failure and prevent its recurrence.

What Does Your Business Performance Tell You About Risk?

Many risk and control professionals fail to consider business performance when assessing risks or controls. However, looking at business performance issues can indicate symptoms of ineffective risk management. Some symptoms may include process performance or error rates that are off target, material variances between budgeted and actual costs or efficiencies, and variances that cannot be explained by known risks. Performance variances such as these should be explained as unidentified or unmanaged risks. Likewise, consistent business or process performance can be evidence of effective risk and control management.

What Do Risks Tell You About Your Controls?

Organizations experience many types of risks, often in multiple locations or contexts, and the nature and level of these risks change constantly. Because of this, most risks cannot be controlled, but must be managed. Risk management involves clarifying accountability and decision rules and continuously updating information and reporting. Indications that risks are being managed include the ability to identify in which contexts risks exist, to track frequency distributions of instances of risks by type, and to track incidents, loss events, and actions associated with key risks; recognition of risk identification and assessment in the compensation and reward system; and identification of risk tolerances and appetite.

What Do Controls Tell You About Your Risks?

Good risk management considers a variety of risk responses. Controls are only one of these risk responses and too many controls may be evidence of lack of effective risk management practices, indicating a greater knowledge about controls than about risks. Good risk management practices generally produce a risk-to-control ratio of at least 3:1, with a ratio of greater than one being desirable. Low risk-to-control ratios indicate business management has not been involved in risk identification, is unwilling to be candid, or is not completely honest. With increased knowledge of risks, control portfolios are able to become increasingly effective and efficient, resulting in a smaller number of more powerful controls.

Are You Up For the Task of Risk Management?

Risk management leaders need certain knowledge, skills, and experience. These requirements include knowledge of best practices across a wide range of technology implementations, experience leading and completing ERM assessments, and an understanding of the major industry-specific risk and control assessment frameworks. Risk management is a relatively new field with great potential to help address and resolve problems in organizations, and many fundamental tools, practices, knowledge, and skills exist today to help achieve these goals.

Original Article Source: “Enterprise Risk Management Assessment Guide,” Thomson Reuters, May 2009