How to Measure your Enterprise Risk Management Effectiveness
Steven Minsky | March 2, 2017
We are often asked for insight on business measures and key performance indicators (KPIs) that can be used to track overall progress and risk management effectiveness. The key question risk managers should ask is: How do I measure the value ERM is delivering to my organization?
The following are examples of risk management metrics that will quantify and measure the value your ERM program is providing:
Number of root-cause risks identified:
Systemic risk identification uncovers areas of upstream and downstream dependencies throughout your organization. This includes instances when one department’s activities inadvertently cause strain on other areas.
The benefit of uncovering these dependencies is compounded by a focus on identifying root cause. Knowing the fundamental why behind a risk event is the only way to consistently design effective, efficient controls.
Additionally, the root-cause method helps identify areas that would benefit from centralized controls – which eliminate extra work associated with the maintenance of separate activity-level controls – increasing organizational efficiency.
Percentage of process areas involved in risk assessments:
ERM is cross-functional in nature and cannot be performed individually by each silo; a business is the sum of its parts, and the same is true of risk. Risk events occurring in one functional area almost always have at least minor ramifications in other functional areas within the business.
Process owners (i.e. managers who aren’t risk managers) “own” the risk itself, but risk managers are responsible for the completeness, timeliness, and accuracy of risk information. The more involved process owners are with risk assessments, the more accurate and forward-looking information will be.
This direct exposure and knowledge of risk is why pushing assessments “to the front lines” is so integral to effective risk identification. Who but the process owner, who is directly exposed to it every day, is most qualified to evaluate the risks associated with that process?
If assessments are only conducted at the senior management level, they tend not to improve risk management effectiveness. They highlight issues that the board and c-suite are already aware of. The real value of a risk assessment is only unlocked when it reveals new information, which is accomplished when it is completed by front-line management.
Percentage of key risks mitigated:
Having a sense of your overall risk coverage is important. Even so, it’s not nearly as valuable as knowing how key risks are covered. When risk assessments are conducted with standardized criteria, organizations can determine a tolerance threshold for risk assessment scores throughout the organization. This cut level makes it easier to focus resources towards more serious risks that are above or trending toward that maximum tolerance level.
Such risks should receive more attention and resources to improve the mitigation strategy. Concentrating resources in this manner is far more effective than spending them on risks that would not have a major impact. This gap analysis with tolerance levels will help you to identify emerging risks as they rise out of tolerance, and as it becomes clear that some mitigation activities in place are no longer sufficient.