Enterprise Risk Management


A discussion on why and how to adopt an enterprise risk framework within your organization.


  1. Enterprise Risk Management
     A suggested approach
     Copyright 2009 Esposito Consulting Group
  2. Risk Management Defined
     • Enterprise risk management deals with risks and opportunities that affect value creation or preservation
     • Risks are both opportunities and threats
     • Risks exist at the:
       • Strategic / corporate level
       • Portfolio level
       • Project level
       • Operational level
  3. Enterprise Risk Management
     Management must strike an optimal balance between growth goals and related risks. An effective framework seeks to:
     • Align risk appetite and strategy
     • Enhance risk response decisions
     • Reduce operational surprises and losses
     • Identify and manage cross-department risks
     • Seize offered opportunities
     • Improve capital deployment
  4. Examples of Enterprise Risk
     • Geographic Expansion
       • Strategic / Corporate
     • Large-scale project implementation
       • Program
     • Customer Privacy Violation
       • Operational
  5. Risk Management Standard Application
     • Communicate and Consult
     • Identify
     • Evaluate
     • Treat
     • Define
     • Analyze
     • Monitor and review
  6. Example
     • Root Cause: Broken Shoelace
     • Risk: Trip & Fall
     • Consequence: Broken Wrist
     • Downstream Effect: Medical Bills
     It is important to delineate what is the root cause and what is the risk. The broken shoelace is not the risk – that is the root cause. The risk is the adverse outcome (i.e. huge, unexpected medical bills).
  7. Measuring risk impact
     Risk is measured in two ways:
     • Probability – the evaluated likelihood of a particular threat or opportunity actually occurring
     • Impact – the evaluated effect or result of a particular risk actually happening
     The resultant risk score is used to build the risk table.
  8. Standard Risk Table
     Modeled upon the AS/NZS 4360 Standard
  9. Addressing Risk – Four Approaches
     • Reject – The “head-in-the-sand” approach. Not recommended.
     • Accept – Risk is within organization appetite. Risk accepted “as is”.
     • Transfer – A third-party assumes some or all of the risk (example – insurance).
     • Mitigate – Take action to address areas outside acceptable limits.
  10. Assigning Ownership
      • Once risks have been identified and scored, an owner must be assigned.
      • All risks are entered into a Risk Register – a description of the risk; its score; its mitigation action; its assigned owner; and its expected completion date.
  11. Continuous Monitoring
      Establish standard metrics – key performance indicators (KPIs) and key risk indicators (KRIs)
      • KPIs measure progress toward goal.
      • KRIs measure how risky an activity is – the possibility of future adverse impact.
  12. Contact Us
      Esposito Consulting Group
      303 Third Street, Suite 206
      Cambridge, MA 02142
      p: 619.301.9708 | f: 617.812.0477
      e: MicheleEspositoECG@gmail.com
      Turning challenges into opportunities