We want to thank everyone who joined us this week for our latest training session, Enterprise Risk Management in policyIQ. In this 60 minute webinar, we highlighted how to apply the policyIQ technology to your ERM program.
Check out the recording of the session, download the slides, or keep reading for a brief summary.
ERM – A Six Phase Approach
RGP’s Governance, Risk and Compliance practice has developed a six phase approach based on years of working with companies around the world to implement effective Enterprise Risk Management. In policyIQ, we use the same six phases to organize and structure ERM.
Enterprise Risk Management Sustainable Process
Use policyIQ Technology to add Efficiency Every Step of the Way
In this training session, we covered ways that clients use policyIQ within each phase of the ERM process. For more information, reach out and schedule some time to talk about your ERM needs!
Preparation: Corporate Goals & Objectives and Cultural Evaluation
ERM should be implemented to support corporate goals and objectives, so ensure that you have those goals clearly documented and made available to all employees. Remember – policyIQ provides free read-only access, allowing you to easily make that information available to all at no additional cost!
And if you aren’t certain whether your organization is ready for ERM, use policyIQ to survey your employees and better understand the current risk environment. Perhaps you’ll find that most employees are risk adverse, while you may later find that your corporate goals require an aggressive risk approach. Knowing that there is a disconnect allows your team to provide additional training, tailored mentoring or even to think about some new hires in key positions.
Phase 1: Risk Inventory
Before you can start prioritizing your risk, you need to really understand all of the risks that impact your business. We discussed two possible approaches:
a. Use a standard list of risks and ask employees to tell you if the risks apply
b. Start with a blank slate and ask employees to think of all of the risks that keep them up at night.
In either case, policyIQ aggregates all of the responses, including aggregating the contents of Excel files that might be sent out to capture risks in that “blank slate” approach. And remember – don’t just survey your executives and senior management! Employees at all levels of the organization will provide different insight into risk, and asking a cross-section of individuals will help to identify risks that you may otherwise not be aware of.
Ask employees to tell you what “keeps them up at night” – and aggregate responses from multiple spreadsheets into a single report.
Phase 2: Consistent and Specific Risk Measures
When prioritizing risks, be sure that the measurements used are specific and consistently applied. Ranges of dollar amounts, for example, represent the impact of a risk.
Phases 3 & 4: Clear Risk Appetite Statement and measurable Risk Tolerance
Effective ERM requires a clearly articulated Risk Appetite Statement, describing the amount of risk and kinds of risks that the company is willing to accept. Are you risk adverse? Risk Aggressive? Do you accept some risk, but have zero tolerance for others?
High level Risk Appetite Statements can then be broken down into specific and measurable Risk Tolerance statements. Risk Tolerance is something that can be measured, tested and adjusted for a certain type of risk.
Define your Risk Appetite and break down specific and auditable Risk Tolerance measurements.
Phase 5: Reviewing Risk KPIs / Auditing Risk Tolerance
Regularly review actual performance against those Risk Tolerance measures. Document your audit results in policyIQ, remembering to include the data that was tested as attachments to your test results.
Document the testing and conclusions. Be sure to upload the data tested. If risk is not being managed appropriately – too little or too much risk being taken – document your remediation plan and assign it with deadlines, reminders and follow-up directly in policyIQ!
Phase 6: Incorporate ERM into the rest of your business
Finally, it is critical that your ERM program doesn’t exist in a silo. Risk management is happening all around your business, and the results are feeding your ERM program. Link those lower level process risks and mitigation procedures to your ERM program, giving full visibility into all levels of risk management.
We are looking forward to working with many of you to implement Enterprise Risk Management into policyIQ! Contact us to schedule a meeting – no cost and no obligation – so that we can discuss the specific aspects of your ERM program that can be improved through technology.