A four-phase approach to effective risk management



The sharp downturn of financial markets in 2007, which was felt by global and domestic businesses, is a classic illustration of why prudent enterprise risk management (ERM) is critical to sustainable success.

Despite heightened interest by both business leaders and regulatory bodies about ERM, it's wise to recognize that there is no "one-size-fits-all" solution. A sound ERM framework should reflect a company's culture and its supporting governance structure. In addition, any successful ERM initiative must have strong backing from a company's board and executive team leaders, as well as an enthusiastic, high-level champion who can help drive the program.

To help business leaders gain a detailed grasp of ERM preparation and execution, McGladrey recently published Enterprise risk management: A pragmatic, four-phase implementation plan. This white paper tackles the core components of risk identification and risk management, summarized in an actionable, step-by-step process. A snapshot of key highlights for each phase includes:

Phase one: Risk program development. In this initial step, the focus is on designing the ERM strategy and program. This typically includes identifying an ERM sponsor or champion, as well as a core team that will oversee the implementation. In addition, this step includes a "tone at the top" and risk appetite assessment, the development of a common risk vocabulary, customization of ERM tools and templates, and confirmation of project scope.

Phase two: Risk assessment and prioritization. This step focuses on identifying and documenting a company's risk portfolio. Some specific tasks in this phase include management interviews and surveys to review and capture enterprise risks, a risk evaluation of all functional areas in the business, risk categorization, and initial risk prioritization.

Phase three: Risk treatment. This step moves the ERM process from planning to implementation. It includes a discussion of mitigation strategies for prioritized risks, based on the organization's previously identified risk appetite and tolerance. In addition, the ERM committee should review control gaps and improvement opportunities during the risk treatment phase. Based on the strategies developed from those discussions, the committee can follow up with management to jointly evaluate the overall risk treatment approach.

Phase four: Risk validation and monitoring. As a final step, this phase establishes a validation strategy for each prioritized risk. This validation can be completed using a variety of testing options, including control self-assessments, internal audits, or third-party reviews. To be effective, the validation must be able to verify that risk mitigation strategies are delivering the intended results. Over the longer term, an organization should implement ongoing tools to monitor and report on the effectiveness of its risk mitigation strategies.

If done well, an effective ERM program can provide competitive advantage, because it balances corporate strategy and sound business performance with risk identification, mitigation and continuous monitoring.