3 Key Metrics to Establish Your Risk Management Program’s Foundation

Matt Kunkel | December 17, 2020

Risk management is no longer something that only the risk or compliance departments care about; over the last few decades, it has become an enterprise-wide responsibility. As it has evolved from a business and operational issue into a key strategic driver and governance concern, senior management has become keenly focused on understanding the risk environment and building a culture of risk awareness. As a result, GRC professionals have a growing responsibility, and a growing opportunity, to highlight their work and share their insights with the board, the C-suite, and other stakeholders in their organization.

Risk professionals work with a vast amount of data and oversee numerous cross-functional processes. How can that information be distilled so that it accurately demonstrates the significance and value of what GRC professionals do while providing the insights boards and management teams need to ensure appropriate risk oversight?

Mastering Risk Metrics

Start by taking a holistic view of the business and distilling the metrics that matter most for your organization. These metrics serve two purposes: as key performance indicators (KPIs), they speak to how well your ERM framework is performing; as key risk indicators (KRIs), they highlight the evolving scope of risk so you can prepare for the future.

The metrics below provide a useful backward look at how well your existing ERM system and practices have fared. They can also serve as a springboard for more productive discussions about the changing nature of the risks your organization faces.

1. Risk Appetite and Risk Tolerance Versus Risk Exposure

Reviewing the company's aggregated risk appetite and risk tolerance against its actual risk exposure confirms that the organization is operating in a manner consistent with its strategic and operating objectives and that risk is being managed appropriately.

In addition to reviewing these metrics on an enterprise-wide basis, break them down by risk type (including third-party, cyber, and IT security risks), risk concentration, risk interrelationships, and likelihood of occurrence.

This review also provides an opportunity to detail mission-critical risks, their potential impact, and any mitigants or action plans already in place. If the firm is taking outsized risks in any one area or capacity, it is critical to build organizational awareness so that those risks can be managed appropriately.

This presents a prime opportunity to discuss risk exposure and the factors that may affect risk appetite and tolerance. If your organization is considering or undergoing a digital transformation program, should the firm review its risk appetite? Are there digital risks that existing tools or processes are not adequately capturing? Similarly, as organizations shift to an increasing number of remote employees, what does the expanding risk perimeter mean for your risk exposure, and do you have the right tools and processes in place to protect your firm?

2. Risk and Controls Incidents

Tracking the number and type of risk incidents will help you understand whether your ERM processes and systems are capturing and monitoring risks, and how accurate your measurement methodology is. This analysis will also highlight whether systemic fixes are needed when incidents are unanticipated, more severe than expected, or recurring.

A discussion of risk and controls incidents should not merely be a recap of last year's incidents and how they can be avoided in the future. Depending on the audience, it can be the foundation for a deeper discussion about your organization's risk culture and level of risk awareness. If there is inconsistency within your firm about how risk is perceived and managed, is it due to a lack of awareness or understanding? Are there opportunities to enhance the risk culture? These deeper questions help demonstrate the value of risk management and build a shared culture of risk.

3. Process Areas Involved In Risk Assessment and Mitigation

For a risk-aware organization, ERM is a firmwide responsibility and not solely a risk management function. Risk management may be responsible for ensuring that identification, assessment, and reporting of risk take place, but it does not own the risk. The process owners own the risk, according to its type and scale, and they are the ones closest to any adverse impact. The greater the number of process areas and owners involved, the more accurately risk is being captured and addressed by those who bear the critical responsibility for managing and mitigating it.

As risk is reviewed by process area and owner, ask how the relationship between risk management and those process areas can be strengthened. Is there a shared vocabulary and consensus around the risk calculation and mitigation process? Are there opportunities for closer partnership?

A risk management platform provides the tools to enable GRC professionals to capture, assess, and mitigate risks and then report on progress. In addition, it provides a foundation for a more risk-aware culture so that your organization can take a more forward-looking view of risk. 
