GRC Tuesdays: Use of Enterprise Risk Management to Break Risk Silos? It’s about Mapping!
In a previous blog, Harmonizing Different Risk Management Terminologies, I shared my conviction that companies should use a single shared terminology if they intend to bring down the walls that have siloed risk management practices by department over the years, like IT risk, EH&S risk, project risks, and so on.
I’d like to take this a step further in this post. Indeed, to me, enterprise risk management (ERM) is cross-risk. In my mind, it doesn’t exclude any risk typology simply because it’s aimed at providing a global risk profile for the organization regardless of the original source of information. The only way that it can efficiently do so is by consolidating all risks from all departments to provide a unified view to the executives.
One of the major objections that I’ve heard—and which I can understand to some extent—is that different departments have different methods for assessing risks and that this leads to comparing apples and pears. I do acknowledge this fact, but I don’t think it should stop companies from integrating all risks in one ERM framework.
In this post, I would like to suggest a simple approach to do so, one that would then make cross-topic risk events comparable.
Let’s Take Environment, Health and Safety (EH&S)
I’m no advanced expert in environment, health and safety (EH&S) topics but I understand that fault tree analysis (FTA), hazard and operability (HAZOP), layers of protection analysis (LOPA), and others are the most used assessment techniques in this domain.
Nevertheless, regardless of the method applied, the output of a risk assessment process within an EH&S department or any other is the very same—the likelihood that the event will occur in the future and, should it manifest, what would be the consequences for the organization.
It’s the very same for all other risk categories: financial, human capital, reputation, technology, compliance, and so on. And if I were a business owner, I would be interested not only in the impact each category could have, but also in the overall picture for my company.
One Scale for the Company
The first step to being able to compare risks across categories is to define and reference a single scale for the entire organization. Be it a 4 by 4 where you have 4 impact levels and 4 likelihood levels, or a 5 by 5—it just needs to be shared and understood by all.
I can already hear some say, “But my EH&S risk has different impacts from the IT risk!” That’s perfectly correct and not an issue at all.
What I would recommend is that users document the impacts relevant to their risk and then use a relative value for the assessment, as illustrated below.
Here’s an example of a scale mapping.
As you can see in this example, it’s just a question of mapping. Each department can then continue assessing its risks using its favourite method and technique, and then simply report its consolidated assessments into the ERM framework using the organization-wide impact scale.
This means little to no change management, but it also means that you are now able to compare all risks across the organization!
What’s more, using relative scales means that they apply to all departments, projects, and assets, irrespective of their size and location.
Enjoy a Single Reporting!
You’re now ready to reap the benefits of this approach—management can view all the risks the organization faces, compare them, and make a decision based on fully consolidated information.
- There no longer needs to be a reconciliation of inputs from different sources. And this means that the central risk management department can start linking the risks together to create the complete chain of events.
- A missing work permit issue could create a delay on a project that could in turn negatively influence the overall delivery of a good or service, hence impacting the company’s core objectives.
- What’s more, this will enable the use of simulation methods to understand the best case and worst case for the entire organization should one of the critical risks happen and trigger other events, as illustrated above.
- Finally, this will also help to define better tailored mitigation and recovery strategies for each potential output.
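To make the relative scale mapping and the chain-of-events idea above concrete, here is an added example (not from the original post or any product): each department keeps its own scale size, every level is mapped by its relative position onto an assumed organization-wide 5 by 5 scale, and a linked chain (missing work permit, project delay, late delivery) is rated at its best and worst case. The department scale sizes and risk values are constructed assumptions.

```python
from dataclasses import dataclass

ORG_LEVELS = 5  # assumed organization-wide 5 by 5 scale (likelihood x impact)

def to_org_level(value: int, dept_levels: int, org_levels: int = ORG_LEVELS) -> int:
    """Relative mapping: a level on a department scale of 1..dept_levels lands
    on the organization scale of 1..org_levels by its relative position."""
    if not 1 <= value <= dept_levels:
        raise ValueError(f"level {value} outside 1..{dept_levels}")
    if dept_levels == 1:
        return org_levels  # a one-level scale can only express "as bad as it gets"
    rel = (value - 1) / (dept_levels - 1)          # 0.0 (lowest) .. 1.0 (highest)
    return 1 + int(rel * (org_levels - 1) + 0.5)   # round half up, not banker's

@dataclass
class Risk:
    name: str
    department: str
    likelihood: int   # on the department's own scale
    impact: int       # on the department's own scale
    dept_levels: int  # size of that department's scale (e.g. 3, 4 or 5 levels)

    def org_rating(self) -> tuple[int, int, int]:
        """(likelihood, impact, score) on the organization-wide scale."""
        lk = to_org_level(self.likelihood, self.dept_levels)
        im = to_org_level(self.impact, self.dept_levels)
        return lk, im, lk * im

def consolidated_register(risks: list[Risk]) -> list[tuple[str, str, int]]:
    """Single report: every department's risks ranked on the one shared scale."""
    rows = [(r.name, r.department, r.org_rating()[2]) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)

def chain_outcomes(chain: list[Risk]) -> tuple[int, int]:
    """Best and worst case once the first risk of a linked chain occurs:
    best = only the trigger materialises, worst = every linked event follows.
    Both keep the trigger's likelihood and take the worst impact reached."""
    trigger_lk, trigger_im, _ = chain[0].org_rating()
    worst_im = max(r.org_rating()[1] for r in chain)
    return trigger_lk * trigger_im, trigger_lk * worst_im

# Constructed inputs (assumptions, not figures from the post)
permit = Risk("Missing work permit", "EH&S", likelihood=3, impact=1, dept_levels=4)
delay = Risk("Project delay", "PMO", likelihood=2, impact=2, dept_levels=3)
delivery = Risk("Late product delivery", "Operations", likelihood=2, impact=5, dept_levels=5)
outage = Risk("ERP outage", "IT", likelihood=1, impact=3, dept_levels=3)

if __name__ == "__main__":
    for row in consolidated_register([permit, delay, delivery, outage]):
        print(row)
    print("chain best/worst:", chain_outcomes([permit, delay, delivery]))
```

Because every department reports on the same scale, the register needs no reconciliation step, and the chain rating shows how a low-impact EH&S finding can carry a high organization-wide worst case.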
What about you? How do you manage the multitude of risk assessment techniques?
I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard !