The Enterprise Risk Management (ERM) evaluation and treatment process begins with a review of all of the information from the risk identification and analysis stages. Normally a group of interdisciplinary managers address the risks in a forum of open and honest discussion. They prioritize the risks by order of qualitative and quantitative importance. The teams often need outside professional assistance to measure the results of the risk analysis, and to have these persons or firms offer opinions about the appropriate future treatments. This process is at the heart of what risk management executives balance every day to enhance organizational value. If the organizational risks are eliminated or mitigated, then the value of the organization increases.
To illustrate how this works, let’s review a few of our past examples. The risks are prioritized and evaluated by the level of qualitative or quantitative threat. From last month’s article, examples of ERM organizational evaluation questions may be:
• Now that we understand what our competition is planning with their new products, how will we change our plans or enhance our operations to face the competitive pressures of our current or new products with our existing or new infrastructure?
• Our industry is changing rapidly with the introduction of new technology. What steps do we need to take to improve our competitiveness by investing in new programs to remove all unnecessary costs?
• With the introduction of new payment and communication programs for our client administration, what will we do to protect our reputation and client data from cyber threats?
• How will we be more competitive by reducing costs in our existing risk management programs through the use of predictive analytics and continuous monitoring systems?
The objective of evaluating and treating risks is to reduce the exposures and costs they may present to the organization. The environment, culture, personnel or tools of the organization, or of a specific function, may need to change by applying specific controls and treatments. Listing the risks in order from most significant to least significant, and then identifying a range of options for treating each one, helps managers create action plans for implementing treatments.
Choosing the right treatment option is critical, and requires a significant amount of thought and communication with the persons affected. The teams should listen carefully to all concerned parties, and then take the appropriate steps to thoroughly measure the options against various threat scenarios. “Playing” with, “experimenting” with and “testing” the risk treatments are necessary actions to determine the final treatment option(s). Additionally, costs versus benefits should be measured in an attempt to arrive at the most effective treatment plans. Once the treatment is chosen, action plans should consist of:
• Projecting the set of task(s) to carry out the plans in an organized way
• Determining the resources required to support the action plans
• Assigning the personnel and related organizational duties
• Creating a timeline to implement the plans
• Measuring the criteria for each task or desired outcome
• Reporting and monitoring requirements and tools
Since the initial draft plans will be fallible, there should be many testing activities built into the plan. The testing actions will act to “harden” the treatment options. Also, the options should be reviewed by many different disciplines such as governance, compliance, financial, legal, human resources, operations, and other management disciplines. These disciplines should attempt to measure and report the expected effectiveness against any social, political and economic factors.
There may be tasks within the timelines to run active pilot programs with limited scope, perhaps within a small section of the organization. This is a desirable activity if there is ample time to do so. It allows the teams to observe a real-life model of the treatment, which can then be replicated and tempered appropriately throughout the organization for the risks contemplated. Remember, being flexible and open to all ideas during the testing phases allows the treatment plans to gain acceptance throughout the organization. In the end, perhaps only a small group or a single individual will decide the proper treatments for each risk profile. With the proper tools and flexibility, the monitoring process will allow the entire organization to see what changes need to be made under real-life circumstances.
Ultimately, the organization will know if the treatments are meeting the business objectives of risk elimination or mitigation for increased stakeholder value, and the executive team will take appropriate action to further evolve the evaluation and treatment plans. Stay tuned for the next installment in our series where we discuss risk mapping and monitoring.