Using Risk Assessment Templates to Prioritize Business Measures
Steven Minsky | July 6, 2011
The number of business measures within organizations is typically growing. Measures are often added on a reaction basis to loss events that have already occurred. Wouldn’t it be valuable to be able to focus on forward-looking measures? In most organizations, these preventative, proactive measures are indistinguishable when grouped with reactive measures, because the metrics do not formally tie back to any commitments or risks.
What if a risk or activity changes? Organizations have no way of knowing how and if these changes will affect their risk metrics. Risk Assessments and linking risks to activities allows organizations to start prioritizing what activities need to be monitored. Through quarterly (or even annual) business risk assessments, organizations can detect increased threat levels and identify new emerging risks before they materialize and bring your risk metrics out of tolerance.
Business risk metrics are important because you cannot improve what you cannot measure. However, large numbers of unconnected goals is problematic because:
- Measurement fatigue – staff may simply ignore many measures because of a lack of time to assess them.
- Measure obsolescence – in a changing environment there is no effective way of knowing when measures no longer apply.
- Lack of prioritization – picking the measures to focus on is likely to be on an ad hoc basis and upon the whim of current staff.
- Lack of continuity – changes in the organization or the development of new lines of business may result in new measures while existing measures may be more effective.
- Lack of coordination – often measures apply to multiple risks or commitments across functional lines. The inability to formally tie measures to risk or commitments does not promote inter-functional coordination resulting in business silos and duplication of effort.
- Wasted resources – The amount of resource available to accomplish business goals and to mitigate risk is finite. Staff will often continue to manage to obsolete or unimportant measures rather than aligning with current imperatives.
- Resistance to change – A difficulty to apply past experience to a changing business environment resulting in a tendency to “reinvent the wheel.”
Much of the necessary information exists in organizations today; the missing piece is formalizing these critical connections. Enterprise Risk Management (ERM) software has functionality to identify risks and commitments; assess them based upon likelihood, impact and assurance; evaluate whether action is needed; devise mitigation or business building activities if needed, specify and record measurements to track effectiveness, and finally formalize the connection between all of these activities.
Connecting the measurements to the risk mitigation activities and business initiative data and then back to the underlying risk and commitments will provide the following benefits:
- ERM Reports: Explicit prioritization of measures based upon a risk/reward index and a dashboard presentation on the heat map dashboard in LogicManager.
- Operational Risk Management: Real-time trending of measures on an ongoing basis with measure consolidation used to direct management attention to problem (out of tolerance) conditions.
- Risk Assessment Templates: Allow for rational elimination of measures that have low priority or non-existing connections to risks or strategic imperatives.
- Performance Management: Facilitate new business initiative business measurements prioritized upon risk or business commitments.
- Resource Allocation: More effective use of scarce resources.
The key is working with the functional managers to make the connections. The immediate benefit will be to identify measures that are not connected to any risk or initiative and to determine if they should be eliminated. Then, once the connections are made, use the management tools in your Enterprise Risk Management software on an ongoing basis to improve utilization of business measures within your organization.