The Department of Homeland Security (DHS) Office of Risk Management and Analysis (RMA) conducted a survey to see what actions both public and private sector organizations are taking with respect to their enterprise risk management efforts. The study consisted of more than twenty one-hour interviews with executives at Fortune 500 organizations, staff-level risk managers at governmental agencies, and individuals from other organizations who understand risk management well. The RMA used the study to guide itself and the Risk Steering Committee in building a risk management program for the DHS, and has also drawn recommendations from the recorded results. The key areas that respondents identified in the survey are:
Integrating Risk Management and Analysis Across Organizations
- Organizations are trying to understand and manage risk at a holistic, enterprise-wide level: Organizations want to fully understand how risk affects the whole entity and what they can do to manage those risks.
- Risk is understood and assessed in relation to the organization’s objectives: They are looking to tie objectives into major risk assessments.
- Risk management should be incorporated into strategic planning: Prioritizing the idea of risk management as a part of strategic planning.
- Organizations focus on strengthening their tracking and monitoring of risks: Conducting more periodic risk assessments.
- Leadership must be aware of risks: Incorporate risk management into regular top leadership meetings.
- Use of proper communications about risks: Creating a more efficient level of communication of risks from top to bottom in the organization.
Alignment of Risk Management in Organizational Structure
- Organizations need to customize risk management programs to fit their culture: Each organization is different so there is no one standard risk management program to rely on.
- Support of risk management from the leadership level is critical: Executive sponsorship was a key point mentioned by all respondents.
- Accountabilities for risk management need to be defined: Make sure everyone knows who is responsible for their part.
- ERM needs some form of central risk management offices and committees: Use of tools and techniques to accomplish central risk management.
- Executives serve as sponsors of risk management programs: Make sure the executives act as a sponsor for each risk management technique throughout the organization.
- Limited scope needs to be broadened within organizations: Limited resources lead to limited risk management programs that must be broadened over time.
- Use of comparative studies and maturity models: Use of standards to benchmark results.
- Implementing risk management should be expanded within the staff: Change the attitude about risk management throughout the whole organization.
Successful Risk Analysis Techniques
- Keep risk information in a simple and relevant style: Risk information is easily misunderstood, so it must be presented simply.
- Establish a formal risk position: This allows for an organization to decide on the amount of risk they are willing to accept that could affect their ability to achieve their goals.
- Must identify emerging risks: Desire to anticipate major risks before they happen.
- Provide anonymity when assessing risk: This helps to eliminate any fear of reporting risks to leaders or executives.
- Diversify thought when considering risk: It is necessary to incorporate a wide range of backgrounds and viewpoints into the analysis.
Public vs. Private Sector
- Secure consistent support from leadership: Many public sector respondents reported that support was hard to secure because of high turnover rates.
- Manage politically controversial risks: The public sector must deal with these, whereas the private sector is more able to avoid them.
- Manage risks at an enterprise-wide level: The private sector is doing this more than the public sector.
- Link risk management and key objectives: The lack of this link has caused the public sector to fall behind the private sector participants in implementing enterprise risk management programs.