Few things embody the task of balancing risk and reward like a manned space rocket sitting on the launchpad as the moment of liftoff approaches. Such a rocket brings together in one time and place all the hopes and objectives for the mission as well as all the risks it carries—risks which, as history shows, are very real.
I always felt a special rooting interest in NASA’s manned space missions because my brother works for the space agency. He’s a fire chief at NASA’s White Sands Test Facility in New Mexico.
But if NASA is an especially good example of the need to balance risk and reward in carrying out a mission, it is not the only organization in that position. Every serious organization is in that situation. All are striving to achieve certain goals in an environment filled with potential dangers, whether caused by nature, technology, or human beings.
The discipline of balancing the potential rewards of an activity against the risks it brings is known as Enterprise Risk Management (ERM).
In recent years, ERM has become increasingly formalized and important. More and more organizations recognize its benefits, and it is increasingly mandated by regulatory requirements.
ERM is about identifying events that might impact the enterprise, managing risk to keep it within management’s risk appetite, and providing reasonable assurance regarding the achievement of entity objectives. Typically it is performed by an organization’s Board of Directors and management, and it is applied in setting organizational strategy across the enterprise.
The ERM framework is made up of eight components:
- Internal Control Environment. The control environment sets the basis for how risk is viewed and addressed, including risk management philosophy and risk appetite. It encompasses the tone of an organization and the ethical values which guide it.
- Objective Setting. The top leadership must set the enterprise goals. ERM ensures that management has a process in place to set objectives. The goals chosen should support and align with the company’s mission and be consistent with its risk appetite.
- Event Identification. Management must identify potential events which might affect the ability of the enterprise to achieve its objectives. These events can be either internal or external, and the evaluators should distinguish between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
- Risk Assessments. In assessing risk, managers should look at both inherent risk and residual risk. Each risk should be managed based on the likelihood of its occurrence and the impact if it did occur. (For more on assessing risk, see this recent post.)
- Risk Response. Management should develop a set of actions to align risks with the company’s risk tolerance and risk appetite. These actions could include avoiding risk, accepting it, sharing it, or reducing it.
- Control Activities. The organization needs to establish and implement policies and procedures to help ensure the chosen risk responses are effectively carried out.
- Communication of Relevant Information. Important information should be identified, captured, and communicated in a format and timeframe that enables people to carry out their responsibilities.
- Monitoring. ERM should be continually observed and modified if necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
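The assessment and response steps above (inherent versus residual risk, likelihood and impact, risk appetite, and the choice among avoid, accept, share, reduce) can be made concrete with a small risk register. The following is an added illustration, not code from the original post or from the BCMMETRICS tools; the 1-to-5 scales, the appetite threshold, the response heuristic, and the three sample risks with their controls are all constructed for the example.

```python
# Added example (not from the original post): a minimal ERM risk register that
# scores inherent risk as likelihood x impact, applies mitigating controls to
# derive residual risk, and compares the result against a stated risk appetite.
# All scales, thresholds and sample risks below are constructed for illustration.

from dataclasses import dataclass, field

RISK_APPETITE = 6  # constructed: residual scores above this exceed management's appetite


@dataclass
class Control:
    """A mitigating control expressed as the points it removes from the 1-5 scales."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any controls are applied."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk remaining after the listed controls; neither factor drops below 1."""
        likelihood = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        impact = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(likelihood, 1) * max(impact, 1)


def suggest_response(risk: Risk, appetite: int = RISK_APPETITE) -> str:
    """Map a risk to one of the four response types (constructed heuristic)."""
    residual = risk.residual_score()
    if residual <= appetite:
        return "accept"                      # within appetite: no further action needed
    if not risk.controls and risk.inherent_score() >= 20:
        return "avoid or share"              # top-band risk with nothing mitigating it
    if risk.controls:
        return "reduce further or share"     # controls help but still above appetite
    return "reduce"                          # uncontrolled risk above appetite


def build_register(risks, appetite: int = RISK_APPETITE):
    """Return (name, inherent, residual, response) rows, worst residual first."""
    rows = [
        (r.name, r.inherent_score(), r.residual_score(), suggest_response(r, appetite))
        for r in risks
    ]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample risks; the controls reflect typical business continuity measures.
SAMPLE_RISKS = [
    Risk("Data center power loss", likelihood=3, impact=5,
         controls=[Control("UPS plus diesel generator", likelihood_reduction=2)]),
    Risk("Ransomware on file servers", likelihood=4, impact=5,
         controls=[Control("Offline, tested backups", impact_reduction=2),
                   Control("Endpoint detection and response", likelihood_reduction=1)]),
    Risk("Key vendor insolvency", likelihood=2, impact=4),
]

if __name__ == "__main__":
    for name, inherent, residual, response in build_register(SAMPLE_RISKS):
        print(f"{name:30} inherent={inherent:2} residual={residual:2} -> {response}")
```

Running the register ranks the risks by what remains after controls rather than by raw exposure, which is the comparison management actually needs when deciding whether the current response set fits the organization’s appetite.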
ERM is a discipline that helps management achieve the company’s performance and profitability targets while minimizing the loss of resources caused by disruptions. It helps a company get to where it wants to go, enabling it to avoid pitfalls and surprises along the way.
The BCMMETRICS™ suite of three business continuity tools can provide significant assistance to companies that have made the decision to implement a vigorous Enterprise Risk Management program.
Tool 1: BIA On-Demand
BIA On-Demand (BIAOD) is a secure, cloud-based tool that gives you everything you need to conduct a complete Business Impact Analysis (BIA) at the company, division, or department level. It facilitates the determination of Recovery Time Objectives and Recovery Point Objectives and the identification of Critical Business Functions and Critical Dependencies. From the ERM point of view, BIAOD can help you understand your business process, technology, and vendor needs. It gives you insight into how well prepared you are and identifies areas where you might need to dig in more comprehensively.
Tool 2: Compliance Confidence
Compliance Confidence (C2) is a cloud-based self-assessment tool that gives you a numerical score for your business continuity planning. It looks at program compliance, alignment with industry standards, risk-based auditing, and benchmarking. In terms of ERM, C2 can help you identify where the greatest risks in your enterprise reside.
Tool 3: Residual Risk
Residual Risk (R2) is a cloud-based tool that provides organizations with a quantitative method to evaluate risk. It helps with evaluating your risk mitigation controls (business impact analysis, recovery exercises, etc.), determining residual risk, defining management’s risk tolerance, and assessing inherent risk. R2 takes your ERM to the next level. Used after you have implemented a set of business continuity measures, it helps you determine where you stand now and what should be done next.
For more information on these tools, see the BCMMETRICS home page.
Even if your business does not involve sending humans into space atop giant rockets, it faces significant risks every day. The discipline of ERM can help you manage them, and the BCMMETRICS tool suite can help you substantially in performing Enterprise Risk Management.