ERM programs all start out with a suggestion that you must identify your risks.
Risks should be identified within several major categories. Here is a typical list of categories for an insurer:
- Insurance Risks
- Investment Risks
- Foreign Exchange
- Other Counterparty Risks
- Operational Risks
- Human Resources
- Strategic Risks
- Group Risks
Sounds simple enough. But there are two ways to do this that give very different results.
- Top Down
- Bottom Up
The bottom up process is urged by COSO and requires volumes of documentation and hours and hours of meetings and discussions. The result is a list of as many as 100 or more risks for a major-sized organization. This process requires at least a year to accomplish. However, at the end of that year, the top executives of the firm may well find that the product is not ready for them to get any use out of it.
That is because risk identification, and in fact risk management, takes on a very different character at different levels of the organization. There almost need to be three different risk management programs at any larger organization: one oriented to top management, one oriented to middle management, and one oriented to the supervisory levels.
The COSO type risk identification process is designed to serve the supervisory and middle management. The initial risk identification process is done at the supervisory level, which at a very large organization can mean hundreds of people. The findings are eventually summarized and ranked, but the summary is at a level that is appropriate for middle management attention.
The top management is better served by a risk identification process that is more top down. If top management is unable or unwilling to do the risk identification work themselves, then it can be a middle up process.
Regardless of how the process is started or ended, there will need to be guidelines for the significance of risks. A typical bottom up risk identification can end up with well over 100 risks, often as many as 200.
Prioritization is the second half of this basic risk management step. The prioritization will depend upon the significance of the risks, and significance will be based upon a measurement of the risks, which is the second fundamental practice of ERM.
Thresholds should be established for the significance of risks that should get board attention, a lower threshold for risks that should get top management attention, then a lower threshold for middle management attention, and a lower threshold still for risks that should get attention from supervisors.
None of the risks identified by the detailed bottom up process are unimportant, but it is important to determine WHO they should be important to.
Risks can be mapped in a frequency severity matrix.
The third step of this practice is to classify the significant risks between those risks that are known by management to be well controlled and those that are less well controlled.
Immediate attention can then be focused on those risks that were shown to be of high significance and lower control, providing an immediate valuable product out of this very first stage of ERM.
This post is the first in a series to discuss the 8 ERM Fundamental Practices. There is more material for starting ERM programs at Introduction to ERM.