On Thursday last week, our team continued our policyIQ solution-focused series by highlighting our Enterprise Risk Management solution. Our intention was to provide attendees with a view of the full solution, including how to develop an ERM process based on best practices gleaned from our experienced ERM professionals, as well as how to implement the policyIQ technology to effectively manage documentation and gain efficiencies by automating several steps of the process.
If you would like some additional guidance or assistance with the implementation of your ERM process, please contact us and we’ll put you in touch with the best contact to meet your needs!
Access the policyIQ ERM Webinar On-Demand
If you missed the webinar, you are welcome to review the recording. (Sorry, no CPE credit for watching the video.) It is accessible on our training page or you may click here to launch the webinar directly.
The Super-Cliff-Notes Version of our policyIQ ERM Session
“A process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Distinguish between ERM, IA and SOX
ERM is not about a system of internal controls, financial reporting or testing…ERM is about decision making!
High Level Process and the Role of policyIQ
- Perform a Risk Inventory: senior management interview
  - Capture using policyIQ’s Forms Management functionality
- Evaluate what policies and procedures you have in place to meet those risks
  - Use policyIQ Reports to comb through your existing Policies and Procedures (if you have them in policyIQ)
- Determine what Enterprise Risks exist: interview business unit management, assess materiality
  - Document Enterprise Risks in policyIQ Pages
  - Use policyIQ’s Forms Management functionality to help business unit management assess materiality, then update Enterprise Risk Pages
- Identify and assess the organization’s Capabilities to manage risks: help business unit managers assess capabilities and record benchmarks for each
  - Document the organization’s Capabilities in policyIQ Pages; link to related Enterprise Risks and to related Internal Controls
  - Use policyIQ’s Forms Management functionality to help business unit management assess capabilities’ benchmarks, then update Capability Pages
- Review Residual Risks: those that are not adequately managed with capabilities
  - Use policyIQ Reports to oversee Enterprise Risks and their relationship to Capabilities. Use filters to narrow down to high materiality Enterprise Risks or Enterprise Risks linked to “Weak” Capabilities.
- Develop a gap plan (to address the residual risks)
  - Document Management’s response to Residual Risks in your Enterprise Risk Pages.
  - You might also decide to create ERM Gap Pages to better document the vulnerability, management’s response and the planned remediation activity/activities
- Execute the gap plan
  - Document the execution or remediation within the Enterprise Risk Pages and/or within your ERM Gap Pages.
I do much better with visual aids!
Practice Makes Perfect!
We have a generic “play place” for you to create sample content, forms, reports and to experience the process of moving content through the workflow. We just “refreshed” this site with all of the examples that were presented in our ERM session. If you would like to be granted access to the Practice site, send us an email to let us know and we’ll get you set up!
Keep in mind that we will “refresh” this Practice site each month with the latest examples from our Solution-focused session. In effect, we copy the Training site to create a new Practice site each month. For this reason, you will not be able to save content in the Practice site from month to month, and you will need to send us an email each month if you would like to be granted access to the Practice site.
The Questions and Answers from our Session’s Chat
As promised, we have the questions and answers (in some cases with a little bit more detail than we had time to provide during the session) right here in our blog:
Q: When you talk about documenting “capabilities”, are these capabilities that are currently in place, or are they processes we’d like to put in place to help manage the risk?
A: Short answer = both! In the early stages of implementing ERM, the risk management team will assess what policies and procedures and other practices are already in place that address the recently identified risks. Once the full evaluation of enterprise risks, existing capabilities and gap analysis takes place, your organization will likely make plans to improve some of the existing capabilities and may also introduce new ones!
Q: Can the product do a “heat map” showing all risks plotted on an X and Y axis of impact and likelihood?
A: A Summary Report would provide a good representation of this – with the X axis being Impact and the Y axis being Likelihood. The “heat map” would show the higher numbers at the intersections. (policyIQ would not have the color coded / shaded areas.)
Q: Can we get the presentation slides as a PDF? Thanks!
A: We have these slides in our help guide! If you aren’t yet a user in policyIQ, contact our support team for a trial site or access to the practice site.
Please let us know how we can support you to get started!