Getting Started with a Risk Management Program

Every year companies look at their list of things that they plan to do “someday” and decide that this is the year to tackle implementing Enterprise Risk Management (ERM).

But many of them fail to get very far with that goal.

They start out with hopes to build an ERM program but never see the light at the end of the ERM tunnel.  They never get to the point of having a valuable process.

WillisWire has featured five ERM posts in 2014 that, if followed, can lead to a tangible and useful first-level ERM process. There are two primary objectives of ERM:

  • To make sure that the company has a consistent level of risk management for all of the major risks of the organization.
  • To use the information from the processes built to accomplish the above to make strategic decisions about the risk profile that enhance the company's ability to achieve its objectives.

Excerpt from the IAA report in Enterprise Risk Management:
The terms “risk” and “risk management” are commonly viewed through a lens of avoiding “bad” things happening and limiting the downside. Whilst understandable, the more enlightened view emerging is one of connecting risk to value maintenance and creation. This includes, for example, the empowerment of people to exploit opportunities. Indeed, market watchers view the ability to anticipate and react to a market opportunity to be as important as readiness for a potentially significant business disruption.
Moreover, the importance of the risk management culture is naturally being linked with effective ERM practices.

The following five risk management practices are needed to create a complete risk control cycle (the first ERM objective above) for all of the major risks of the firm:

  1. Risk Identification
  2. Risk Measurement
  3. Risk Limits and Controlling
  4. Risk Organization
  5. Risk Policies and Standards

RISKVIEWS has posted a number of times on ERM Systems. Several times there have been classes for ERM beginners, in Seoul, South Korea; Nairobi, Kenya; Almaty, Kazakhstan; Mexico City, Mexico; and Lausanne, Switzerland. See Introduction to ERM, where slide decks and suggested readings are posted.



4 Comments on “Getting Started with a Risk Management Program”

  1. By insisting upon a ‘risk’ focus, the endless stream of experts succeed at keeping themselves in work but at the expense of organisations who are ill-prepared for the reality of uncertainty!

    Enterprise Resilience Management is what is required because it is the ability of a specific business system to withstand probable, possible and plausible events…NOT the misguided belief that predictions of probable events, based upon correlations in generic data, is the extent of the exposure that can be/should be prepared for…that will determine the financial impact of an unforeseen or unforeseeable future event.

    How can RM seriously claim to manage based upon reflexive analysis of correlations in data without a means of identifying and monitoring causal relationships and the ‘unintended consequences’ of ill-informed attempts to manage?

    • riskviews Says:

      See the discussion of Plural Rationality
      A fixation on Uncertainty is one of the four Risk Attitudes. A fixation on statistics is another.
      Sometimes one is right and sometimes the other, but other times neither is right.
      Sometimes the sky is actually falling and neither thinking about uncertainty nor statistics will save you – but minimizing risk will. And there are other times when those who blithely ignore risk will lap the risk managers on the racetrack of business life. Most of the largest, most successful companies at one time in their life simply put the pedal to the floor and accelerated wildly, blowing past the competition who were running their businesses more cautiously.

      • Interesting…but useable and practical!?

      • Thanks to global inter-connectedness, the spread and pace of ‘high impact low probability’ events serve as a constant reminder that, without ‘complete knowledge’ we CANNOT know sufficient to categorise a great deal as risk. I.e. we do not have sufficient data or resource to look out and forward to try to predict or even anticipate. One person’s unmanaged risk is another’s uncertainty and when each is connected, through business interactions, but knowledge of exposures limited is it better to try to predict innumerable outcomes or to commit to building resilience as the means to address the probable (risk), possible and plausible (uncertain) events!?
