Communication with stakeholders
During the information-gathering stage of the ERM process, it is vital to hear from as many voices as practical. Risk assessment sessions are designed to identify “inherent risks” – those risks without any consideration of mitigating controls. In these sessions, all types of risks, from all stakeholders, are fair game for ERM documentation.
When establishing the ERM framework, it is important to ensure all stakeholders are provided updates along the way. Maintaining a steady stream of information from senior management to stakeholders strengthens the base and keeps everyone engaged in the entire process. Employees (and others) have too often been involved in an effort for the greater good, only to be given nothing about the results, action plans or procedures that may ultimately affect their daily operation. An effective ERM process must keep stakeholders involved to maintain the momentum of creating a more risk-aware culture.
The risk assessment process is complete, all documentation is complete and a report has been published. Now what? The natural progression leads to control testing and an evaluation of the control environment. Testing will identify control deficiencies, and an evaluation of the control environment will provide a barometer of the control culture. Once all control issues have been identified, prioritization and action planning must follow.
Highly rated risks in your organization must be addressed. Without an ERM framework, if a risk comes to fruition, with all the bad ink that will come your way, you can claim you were unaware. However, an eyes-closed position is not only inadvisable, it can be extremely harmful to your organization. With a well-established ERM framework, you will be aware of the risks facing your organization. But this awareness also places your organization at risk: knowing what your risks are, yet doing little to ensure they are adequately mitigated. A simple resolution: take action and document well.
Prioritization of risks and appropriate action planning are essential elements in the ERM framework: understanding the risk and developing plans to mitigate the risk. If a negative event occurs during your planning process, while your organization is in the process of risk mitigation, you will be in a far better place.