ERM is powerful when designed as a performance-focused activity. It's not an audit, nor a compliance process. ERM manages the barriers that prevent organizations from achieving their objectives.

Author:
Richard Wilson develops Performance Risk Management capabilities for complex organizations. He has helped the largest companies in North America manage the barriers to their desired performance.

richard.m.wilson@ca.pwc.com | (416) 941-8374

Sunday, April 18, 2010

The "Management" in Risk Management

Once your risks have been assessed and prioritized, how do you develop your risk treatment plan?

A company can do an excellent job of identifying and assessing risk, but ultimately, if the organization doesn’t do anything with what it has learned, it isn’t actually risk management yet.

There are many different ways that an organization can respond to risk. For instance, you can terminate the risk area if you decide that the risk is higher than your company would prefer to tolerate.

Another response is to transfer the risk. Most commonly, companies accomplish this through insurance: you pay another organization to assume your risk. Alternatively, you can contractually transfer or outsource some of those activities to a third party and have them assume both the activity and much of the risk as well.

A third response is the approach many people think of first: mitigating risk. In this situation, you apply controls to lower the likelihood of the risk occurring, or lower the impact if it does occur. There are a few different ways to mitigate a risk. First, there are preventative controls, which attempt to prevent the situation from happening in the first place. There are also detective controls, which alert you that a risk has occurred. A detective control can be a fine solution when the magnitude or impact of the risk is lower.

Another response is to exploit the upside of a risk by capitalizing on new opportunities. By embracing and adopting risk, a company may find that there is a larger business opportunity there than was previously considered.

A final response is to tolerate the risk as it currently exists because it fits within predefined tolerance levels. It is important that management publish within its risk management policy a statement about the company’s risk appetite. The risk tolerances should be aligned with the corporate risk appetite.

These risk treatments constitute the “management” in risk management. Engage risk owners to develop their risk treatments so that they take responsibility for executing them as well. Finally, make sure these treatments are reported upon to celebrate successes and ensure accountability.


[Rich]

About The Author

Richard is a Director in PwC's Risk Advisory practice with clients in both Canada and the United States.

He is an experienced senior executive with 15 years in a CEO or COO role (publicly traded and private firms). Richard has been leading risk management implementations for more than a decade, including 60 C-level risk assessments, and has led online risk assessments for 30,000 people in 25 countries.

He has advised the largest company in the US on risk management, and he has facilitated a risk assessment for the United Nations. Richard has been published in Compliance Week, Canadian Business, and the Globe & Mail and has been a keynote speaker on the topic of risk at many conferences in both Canada and the US since 2004.