Reviewing Risk – A Framework Idea 

The Institute of Risk Management describes Enterprise Risk Management (ERM) as “the overall philosophy that consolidates the management of individual risks into a unified and consistent approach across the whole enterprise.” While there is no one-size-fits-all approach to Risk Management (RM), and its application varies by industry, robust frameworks can be applied universally to enhance effectiveness.  

One of the most recognized approaches to ERM is Plan, Implement, Measure, Learn (PIML). This approach is recommended because it promotes a holistic, continuous-improvement cycle. Reviewing risk is not a start-stop process; it must be integrated into both the strategy and the operations of the organization. 

Plan  

Risk management begins at the board or senior management level, where it aligns with the organization’s objectives and core values. This phase involves identifying the total risk exposure across the organization and highlighting the interconnected nature of risks within different business areas and functions. It is also the stage where the organization’s risk appetite—the willingness to undertake risk activities over the short and long term—is set. 

Suggested Activities: 

Align RM with the organisation's objectives – Ensure that risk management strategies support the organization's goals and values. 

Identify total risk exposure – Evaluate risks across all areas of the business to understand their interdependencies. 

Set risk appetite – Define the level of risk the organization is willing to accept in pursuit of its objectives. 

Implement 

During the implementation phase, the focus is on establishing a risk register and categorising risks in a way that aligns not only with the organisation's objectives but also with its internal reporting structures. This involves assessing what is at stake, the potential consequences, and the likelihood of each risk materializing. 

Suggested Activities: 

Create/Update the Risk Register – Document all identified risks, including their potential impacts and the measures in place to mitigate them. 

Risk Categorization – Ensure that risk categories are meaningful and aligned with the organization's functions and objectives. Clearly outline what is at stake, the extent of the potential consequences, and the likelihood of each risk occurring. 

Communication – Ensure that risk management practices are not only communicated effectively across all levels of the organization, from top management to operational staff, but also understood. When each person understands which part of risk management they are responsible for in their own role, it is better appreciated and applied day to day.  

Measure

Effective risk management requires continuous monitoring and testing of controls. This ensures that the controls in place are functioning as intended and are effective in mitigating risks. 

Suggested Activities: 

Monitor what matters – Focus monitoring efforts on critical controls and ensure they are operating as documented in the risk register. 

The ‘All and Always Test’ – Regularly test your controls to ensure they are always effective and consistently applied by everyone. Controls that fail this test need to be re-evaluated and adjusted. 

Accurate Reporting – Maintain accurate and timely reporting of risk management activities to ensure transparency and facilitate informed decision-making. Make the reports interesting, interactive, useful and concise to engage your audience. Risk reporting should be accessible to all to enable transparency across the organisation.   

Learn 

The learning phase involves using the insights gained from monitoring and testing to improve the risk management process. This includes planning audits and risk assurance activities to ensure that risk management is not siloed and is considered within the broader context of the organization's environment. Following on from risk reporting being available to all, these activities should also be clearly communicated, with an explanation of why they are important. Clear and consistent communication will enable a 'no blame culture' and help with tacit learning within the organisation.  

Suggested Activities: 

Audit Planning – Develop audit plans to provide risk assurance and ensure that risk management practices are effective and comprehensive. Be mindful of the busy periods within each function and plan around them, acknowledging the importance of the work that function produces.  

Continuous Improvement – Use feedback from audits and monitoring to refine risk management strategies and controls. Communicate the lessons learned to all so everyone understands their part in the larger picture. 

Holistic Approach – Manage risk appetite in the context of the organization’s operating environment. This means considering risks in relation to compliance, operations, risk aversion, and tactics as part of the decision-making process.  

Identify Opportunities – By considering both positive and negative aspects of risk, management can identify new opportunities and address challenges associated with current opportunities.  


By integrating these elements into a continuous cycle, organizations can ensure that risk management is a dynamic and integral part of their strategic and operational processes. This approach not only helps mitigate potential risks but also enables organizations to leverage risk management as a tool for identifying opportunities and driving sustainable growth. 
