Enterprise Risk Management:
Building Awareness, Understanding & Action
How does a financial services company launch an Enterprise Risk Management (ERM) program with a department of just a few?
The Onspring team had the opportunity to work with an organization to help build their ERM program from the ground up. Now, with multiple years of data to review, the company has discovered tangible benefits, wide sweeping perception improvements and actionable data to facilitate change in the right direction.
Although the ERM program has seen new leadership over the years at this organization, the Onspring platform and the team behind it has remained consistent—a strong advantage to the new ERM stakeholders. The Onspring team was able to help connect the dots from data collected in various events.
For example, one data set involved a series of risk evaluation records, which were created by executives in the organization. The executives had joined together for a several-hour session to evaluate, risk by risk, the impact, likelihood and velocity of previously identified risks. Each participant in this meeting created an evaluation for each risk on the list, with overall results calculated live during the session. These results allowed the executives to discuss while in the same room, helping generate consensus and bring up issues that may not be known to the whole group.
The next phase included a series of surveys sent to managers and executives. These surveys spanned the next three years. Each of these surveys asked recipients to review a risk scenario and provide an impact and likelihood value for each scenario. Many of the scenarios overlapped over the various survey initiatives.
Taking each whole survey response and risk evaluation, the team then divided the responses into their own records with the following structure:
Risk
Respondent
Survey / Measuring Event
Impact Score / Rating
Likelihood Score / Rating
Risk Score / Rating
This detailed data allows the ERM team to track the overall risk perception and build a common understanding, awareness and action plan for the organization.
With the data structured in this way, the organization configured reports to address many questions, such as:
- What has been the average risk score for this risk year over year?
- Which of the risks has trended upward or downward with time?
- Are the consistent outliers with score data over the various metric collection activities?
Beyond these, the Risk team was able to create more specific reports to answer questions around perception risk. For example, “What is the difference in average score from all survey responders vs. those who are being surveyed for the first time this year?”
The risk team could also see not only their overall risk heat map but also the individual response heat map.
Here’s an example: Out of 20 responses, a risk’s average score was a 9 (3 – Impact & 3 – Likelihood), but there were three responses which rated that risk as 5 – Impact & 5 – Likelihood. The ERM team could see this position on the heat map and investigate with those individuals.
- Are they in the same department?
- What does that department perceive that the rest of the participants do not?
- Are they in the same management level?
- What needs to be addressed with these three respondents or what needs to be brought to the attention of the rest of the respondents?
As the team continues to think ahead for their ERM program, they intend to add objective measures to the tracked risks, in addition to the subjective, opinion-based data already being collected. Tracking incidents, findings, and issues and sharing the information across departments will allow them to evaluate (with measurable data) how the identified risks actually play out in business operations. Then, they can communicate high risk items that may be “under the radar” to stakeholders, as well as assure their employees in cases of perceived high risks that don’t translate to actual events.
This data-driven approach will allow them to take a more proactive stance against risk, strengthening their operations.