What to Present to Your Risk Committee
Steven Minsky | March 3, 2015
The RIMS Risk Management Society (LogicManager’s co-author for the RIMS Risk Maturity Model) promotes the adoption of Risk Committees for organizations looking to formalize their enterprise risk management processes.
With more organizations adopting risk committees or similar governance groups, the question remains: What should risk managers present to their risk committee; or conversely, what should risk committees ask that their managers present to them?
Forrester Research, in their report on measuring GRC and ERM performance, identifies over 30 metrics for organizations use to assess the health of their risk management programs. Here are the 3 examples you should adopt immediately for your enterprise risk management program.
Level of Engagement in the Risk Management Process
Arguably, the level of stakeholder engagement is the best indicator to capture impact your program is having on the company’s risk exposure. Without engagement, both from the front line and from senior management, your program is just another silo.
Engagement can be measured a number of different ways. You can look at how often reports are provided to leadership, how many employees are trained in the ERM process, or how frequently front line managers are updating their risk and mitigation environments. While the method may vary by organization, the goal should be to reach out to approximately 15-30% of the overall employee base according to your industry.
Try tracking how many individuals are involved in the risk management process, and measure that number against the 10-20% benchmark. If you’re substantially below, it might be time to increase the scope of your risk assessment process to collect more data.
Risk Remediation Activates Approved for Implementation
Very simply, this metric captures what you are doing to manage the most critical risks you’ve identified. You should know what project has been approved, who is responsible for its execution, and the approximate date the mitigation activity will go into effect.
If your risk management program isn’t tracking a similar metric or doesn’t have responsibility for executing these activities, keep in mind that nearly all approved governance activities are practices in mitigation. Whether it’s a policy change or procurement of new security software, your risk management program should be able to provide context to which project is of the highest priority, and doing so will provide your program clout from a strategic decision making perspective.
Upcoming Risk Management Activities
We’ve covered a few indicators that demonstrate what your program has done and is doing, but what about what it will do? What activities are on the radar for your risk management team? Who will you be working with? Risk management is built on 90 days wins, so knowing what’s next is of the utmost important in establishing the viability and sustainability of any risk management program.
The risk management committee should be able to provide guidance and feedback on what other departments may be struggling with. There are countless examples of how risk management may be able to assist and integrate with the governance silos of your enterprise, the risk committee should help you establish which one is of the greatest priority.