An enterprise risk management (ERM) program should identify gaps across the organization; it should also include processes and methodologies that quantify and measure the value of the ERM program. Four crucial risk management metrics are:
The number of systemic risks identified: Systemic risk identification detects upstream and downstream dependencies across all levels and business areas of an organization. Additionally, this metric will identify areas that would benefit from centralized controls, which would eliminate the extra work and investment of maintaining separate activity level controls, thereby increasing organizational efficiency.
The percentage of process areas involved in risk assessments: ERM is inherently cross-functional and cannot be performed in silos. Risk, much like a business, is the sum of its parts. An incident or risk event in one area of the business will affect other areas within the business.
Process owners own the risk; risk managers own the completeness, timeliness, and accuracy of the risk information. The more process owners become involved in risk assessments, the more likely it is that accurate and forward-looking information will be collected.
The percentage of key risks monitored: Organizations need a more holistic understanding of how the business metrics they rely on daily are tied to risk. Without that understanding, if a risk or activity changes, organizations have no way of knowing whether and how the change will affect their metrics. Through risk assessments and by linking risks to activities, organizations can start prioritizing the activities most in need of monitoring.
Regular risk assessments enable the detection of increased threat levels and potentially emerging risks before they materialize. Following this process will prevent business metrics from being pushed out of tolerance.
The percentage of key risks mitigated: Here, transparency is key. While having a good sense of your overall risk coverage is important, it is not nearly as valuable as understanding the coverage of your organization's key risks. All risk assessments should be based on standardized criteria, so that you can determine a uniform tolerance, or cut level, throughout the organization based on the resulting assessment indexes.
This will help to prioritize resources, allocating them to risks in need of stronger coverage and reducing inefficiencies that come from wasting resources on low-impact risks. With a tolerance level, this gap analysis will also serve to identify emerging risks as they rise out of tolerance, indicating that current mitigation activities are no longer sufficient.
By tracking these metrics, organizations are able to more effectively mitigate existing risks and detect emerging risks long before they are able to have a detrimental impact on the organization.
You can assess the strength of your own ERM program and create a roadmap for improving performance today with the free RIMS Risk Maturity Model (RMM).
The RMM uses the metrics referenced above to produce the data needed to measure the effectiveness of your risk management program. It is best practice for process owners throughout organizations to complete over half of the RMM standards so that these metrics can be automatically aggregated into a single report suitable for presenting to the board.