From Risk to Resilience: ERM and Tools to Help You Manage Uncertainty

Given the rising uncertainty of today’s environment, every organization should implement an enterprise risk management (ERM) program. Mastering the eight core areas of ERM can be daunting, but software tools can lighten the burden and light the way.

Related on MHA Consulting: The ABCs of ERM: The Rise of Enterprise Risk Management

Rockets, Risk, and Reward

Few things embody the task of balancing risk and reward like launching manned rockets into space. I’ve always had a special interest in NASA’s manned space missions because my brother works for the space agency, as a fire chief at White Sands Test Facility in New Mexico.

However, NASA is not alone in its need to balance risk and reward in carrying out a mission. All serious organizations are in the same situation. All are striving to achieve certain goals in an environment filled with potential dangers, whether caused by nature, technology, or people.

The discipline of balancing the potential rewards of an activity against the risks is known as enterprise risk management (ERM). In recent years, ERM has become increasingly formalized and important as more organizations recognize its benefits and it is increasingly mandated by regulatory requirements.

ERM is about identifying events that might impact the enterprise and managing risk to keep it within management’s risk appetite. Typically conducted by an organization’s management and board of directors, and applied in setting organizational strategy across the enterprise, ERM endeavors to provide a reasonable level of assurance that the organization will be able to achieve its objectives.

The ERM Framework

As mentioned, the ERM framework is made up of eight core components:

1. Internal Control Environment. The control environment sets the basis for how risk is viewed and addressed, including risk management philosophy and risk appetite. It encompasses the tone of an organization and the ethical values which guide it.

2. Objective Setting. The top leadership must set the enterprise goals. ERM ensures that management has a process in place to set objectives. The goals chosen should support and align with the company’s mission and be consistent with its risk appetite.

3. Event Identification. Management must identify potential events which might affect the ability of the enterprise to achieve its objectives. These events can be either internal and external, and the evaluators should distinguish between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes. 4. Risk Assessments. In assessing risk, managers should look at both inherent risk and residual risk. Each risk should be managed based on the likelihood of its occurrence and the impact if it did occur. (For more on assessing risk, see this recent post.)

5. Risk Response and Mitigation. Management should develop a set of actions to align risks with the company’s risk tolerance and risk appetite. These actions could include avoiding risk, accepting it, sharing it, or reducing it.

6. Control Activities. The organization needs to establish and implement policies and procedures to help ensure the chosen risk responses are effectively carried out.

7. Communication of Relevant Information. Important information should be identified, captured, and communicated in a format and timeframe that enables people to carry out their risk management responsibilities.

8. Monitoring. ERM should be continually observed and modified if necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

ERM is a discipline that helps management achieve the company’s performance and profitability targets while minimizing the impacts caused by disruptions. It helps a company get where it wants to go, enabling it to avoid pitfalls and surprises along the way.

Tools to Help with ERM

Implementing ERM from a standing start is challenging. Even organizations that have an existing risk management program can struggle to achieve excellence across all eight components of the ERM framework.

Fortunately, software tools are available that can help organizations track their risks and identify and close gaps. Several organizations provide such tools and many are excellent.

Among the options is MHA Consulting’s proprietary software suite, BCMMETRICSTM, a highly capable toolset and one we use every day in conducting engagements with our clients. All the BCMMETRICSTM tools can help organizations implement an ERM program and improve at risk management, but three are uniquely effective in this role:

Compliance Confidence. Assesses the current state of the customer’s BC program based on the company’s alignment with any of the widely recognized business continuity standards (FFIEC, ISO 22301, NFPA 1600, etc.). Displays results in an easy-to-understand format, include “FICO-like” score and dashboard needle gauge with the result color-coded red, yellow, or green (“Not compliant,” “Moderately compliant,” “Very compliant”). Compliance Confidence’s ability to identify gaps and pinpoint areas of high risk in a resiliency program makes it a highly valuable addition to any ERM effort.

BIA On-Demand. Provides everything needed to conduct world-class business impact analyses (BIAs), the type of study that is the foundation of any sound BIA program. Swiftly identifies critical business processes and applications across the organization, telling users what they most need to protect to minimize the impact of events. Addresses quantitative and qualitative impacts and calculates recovery time objectives (RTOs), eliminating the need for manual calculations by users. BIA On-Demand can help organizations understand their business process, technology, and vendor needs, giving them insight into how well prepared they are and identifying areas where they might need to dig in more comprehensively. By identifying gaps between RTOs and actual recovery capability, BIA On-Demand can help organizations determine where the greatest recovery risks lie, a key aspect of ERM.

Residual Risk. Provides end users with the ability to effectively manage and identify residual risk in their continuity program. Gives management the ability to set risk tolerances across their business continuity program and measure, based on performance, where the program meets or exceeds risk tolerances. This ensures proper resources are always utilized across the program ensuring a high value of investment and risk reduction in the right areas. This data and information is critical to a best-of-class ERM program.

To learn more about Compliance Confidence, BIA On-Demand, Residual Risk and the other BCMMETRICS^TM tools, go to the platform’s homepage. Click here to request a demonstration of how the suite can help your organization improve at ERM.   

From Risk to Resilience

The challenging nature of the contemporary risk landscape has made it incumbent on every serious organization to implement enterprise risk management (ERM). The ERM framework comprises eight areas ranging from the control environment and enterprise goals to risk response, effective communication, and ongoing monitoring.

Fortunately, help in implementing ERM is available in the form of software solutions such as MHA Consulting’s BCMMETRICS suite. By integrating ERM into their core operations, organizations can transform potential vulnerabilities into a structured plan for sustained success, thus moving from risk to resilience.

Further Reading

• Why BCM and ERM Should Be BFFs 
• The ABCs of ERM: The Rise of Enterprise Risk Management 
• The Evolution of ERM: Adapting Risk Management for a Disruptive Age 
• The Risk Management Process: Manage Uncertainty, Then Repeat 
• Don’t Just Hope: Choosing Strategies to Mitigate Risk