Setting objectives for ERM

ISO 31000:2018 31 Minutes
https://preteshbiswas.com/wp-content/uploads/2024/11/ERM_-Setting-and-Implementing-Objectives-for-Effective-Risk-Management.wav

Setting objectives for Enterprise Risk Management (ERM) is a critical step in aligning risk management practices with an organization’s strategic goals as it is associated with the objective for organization as a whole. Well-defined ERM objectives ensure that risks are identified, assessed, and managed in a way that supports the organization’s mission and vision. These objectives typically focus on risk identification, mitigation, and exploiting opportunities to create value. Key Steps in Setting Objectives for ERM:

  • Align with Organizational Strategy: Ensure that the ERM objectives are directly tied to the overall strategy and mission of the organization. The risk management framework should support the achievement of business objectives, whether they focus on growth, innovation, operational efficiency, or compliance.
  • Support Stakeholder Needs: Understand the risk tolerance and appetite of key stakeholders, including investors, customers, employees, regulators, and partners. The ERM objectives should balance risk and reward in a way that meets these stakeholders’ expectations.
  • Address Different Types of Risk: Define objectives around the various categories of risks, such as:
    • Strategic Risks: Relating to long-term goals and strategic initiatives.
    • Operational Risks: Impacting day-to-day operations and processes.
    • Financial Risks: Associated with cash flow, investments, or market exposure.
    • Compliance Risks: Arising from regulatory requirements or legal obligations.
    • Reputational Risks: Affecting public perception or brand value.
  • Foster Risk Awareness and Culture: Set objectives that promote a strong risk-aware culture across the organization. Everyone from top management to operational staff should be encouraged to understand and manage risks proactively. Training and communication should be part of the ERM framework.
  • Integrate ERM into Decision-Making: Objectives should focus on integrating risk considerations into day-to-day decision-making processes. This includes incorporating risk assessments into capital investments, mergers and acquisitions, product launches, and any other major business decisions.
  • Encourage Risk Innovation: Beyond managing traditional risks, ERM objectives can promote the identification of risks as opportunities. For example, organizations can leverage new technologies, markets, or partnerships to create value from emerging risks, such as cyber threats or regulatory changes.
  • Monitor and Adapt to Change: One key objective of ERM should be to establish a dynamic and responsive risk management process. Risk environments change over time (e.g., through market volatility, technological advances, or new regulations), and the ERM framework should include regular reviews and updates of risk assessments and controls.
  • Establish Metrics and KPIs for Risk: Define specific metrics to measure the success of ERM. These key performance indicators (KPIs) may include:
    • Reduction in financial losses due to risk events.
    • Improvement in risk mitigation and control effectiveness.
    • Timeliness of response to risk events.
    • Alignment of risk exposure with risk appetite.

Example of ERM Objectives can be :

  1. Protect Organizational Assets- Ensure that physical, financial, and intellectual assets are protected through a comprehensive risk assessment and control program.
  2. Enhance Decision-Making- Improve decision-making processes by ensuring that risk data and analysis are incorporated into strategic business decisions.
  3. Achieve Regulatory Compliance- Maintain compliance with applicable laws and regulations by continuously monitoring legal and regulatory changes and implementing necessary adjustments.
  4. Improve Operational Efficiency- Identify operational risks that may impact business continuity and implement risk management strategies to minimize disruptions.
  5. Maximize Opportunities from Emerging Risks: Proactively assess and respond to emerging risks (e.g., technological, environmental, or geopolitical changes) to turn potential threats into competitive advantages.
  6. Maintain Stakeholder Confidence- Strengthen stakeholder confidence by providing transparency in how risks are managed, showing the organization’s resilience and adaptability.

When setting objectives, it’s useful to apply the SMART criteria:

  • Specific: Clearly define the risk areas (e.g., financial, operational, compliance).
  • Measurable: Establish metrics to track performance (e.g., number of risk incidents).
  • Achievable: Ensure objectives are realistic given the organization’s resources.
  • Relevant: Align objectives with the organization’s strategy and risk appetite.
  • Time-bound: Set timelines for when each objective should be achieved.

For example Reduce operational disruptions due to supply chain risks by 15% over the next 12 months by enhancing supplier risk assessments and improving supplier diversification.

Implementing objectives in ERM

Implementing objectives in Enterprise Risk Management (ERM) requires a structured approach that ensures that risk management processes are integrated into all aspects of an organization. The ERM framework seeks to align risk management objectives with the organization’s strategic goals, improve decision-making, and enhance resilience across the enterprise. Below are the steps and key considerations for implementing ERM objectives

  1. Align ERM Objectives with Organizational Strategy: ERM objectives must be aligned with the organization’s strategy to ensure that risk management efforts support overall business goals. To achieve this, the organization must:
    • Understand strategic goals: Identify the organization’s short-term and long-term goals and the risks that could impact them.
    • Set risk appetite and tolerance: Define how much risk the organization is willing to accept in pursuit of its objectives (risk appetite) and the thresholds of acceptable risk (risk tolerance).
    • Ensure executive buy-in: Senior leadership should endorse and actively promote the alignment of risk management with the strategic objectives of the organization.
  2. Establish a Governance Structure: An effective governance structure is essential for implementing ERM objectives. Governance ensures that roles, responsibilities, and accountability for risk management are clearly defined across the organization.
    • Define roles and responsibilities: Identify key stakeholders (e.g., risk managers, department heads, executive leadership) who are responsible for identifying, assessing, and managing risks.
    • Create a risk committee: Establish a risk management or governance committee that oversees the ERM implementation process and reports to the board on risk-related issues.
    • Set up reporting lines: Ensure that there are clear lines of communication for reporting risks from all levels of the organization to senior management and the board.
  3. Identify and Prioritize Risks: For ERM to be effective, risks must be systematically identified, assessed, and prioritized based on their potential impact on the organization’s objectives.
    • Risk identification: Conduct a comprehensive risk assessment across departments to identify potential risks that could affect achieving the organization’s goals. Use tools like SWOT analysis, scenario planning, and risk workshops to gather input from various stakeholders.
    • Risk categorization: Categorize risks based on their source (e.g., operational, financial, regulatory, strategic, cybersecurity) and their potential impact on organizational performance.
    • Risk prioritization: Assess risks based on their likelihood and impact. This can be visualized using a risk heat map or risk matrix, which ranks risks according to priority.
  4. Develop Risk Response Strategies: Once risks are identified and prioritized, organizations need to develop strategies to manage these risks effectively. ERM offers several ways to respond to risks:
  • Risk avoidance: Eliminating activities or exposures that may lead to risk.
  • Risk mitigation: Implementing controls or processes to reduce the likelihood or impact of risks.
  • Risk transfer: Shifting risk to a third party (e.g., through insurance or outsourcing).
  • Risk acceptance: Acknowledging that some risks are worth taking based on their potential rewards, provided they fall within the organization’s risk tolerance.

Each risk should have a designated response plan based on the organization’s risk appetite and tolerance.

5. Integrate ERM into Business Processes: Risk management objectives must be embedded into core business processes and decision-making. This includes:

  • Operational integration: Embed risk management practices into day-to-day operations, ensuring that managers at all levels consider risk in their decision-making processes.
  • Strategic planning: Incorporate risk assessments into strategic planning sessions to ensure that risks are accounted for when setting long-term goals and plans.
  • Project management: Integrate ERM into project management frameworks to identify and manage project-specific risks from the start.

6. Build a Risk-Aware Culture: To successfully implement ERM objectives, the entire organization must develop a risk-aware culture where employees understand the importance of managing risk and are empowered to raise concerns about potential risks.

  • Training and education: Provide regular training for employees at all levels to help them understand the importance of risk management and how they can contribute to managing risks within their roles.
  • Risk communication: Foster open communication about risks, encouraging staff to report risks or concerns without fear of negative consequences.
  • Leadership support: Senior leadership should demonstrate commitment to risk management by emphasizing its importance in all business decisions and promoting a culture of risk awareness.

7. Monitor and Review Risk Management Performance: Continuous monitoring and review are essential to ensure that risk management objectives are met and that the ERM framework is functioning effectively.

  • Risk monitoring: Implement systems to monitor key risk indicators (KRIs) and other performance metrics related to risk. Automated tools and dashboards can provide real-time monitoring of risks.
  • Regular reviews: Schedule periodic reviews of the risk management framework to ensure that it remains relevant as the organization evolves and new risks emerge.
  • Internal audits: Conduct internal audits of the risk management framework to assess the effectiveness of controls and processes.
  • Performance metrics: Use metrics such as the number of risks identified, risk incidents, or the success of risk mitigation strategies to evaluate the effectiveness of the ERM process.

8. Reporting and Communication: Transparent reporting and communication about risks and risk management activities help ensure accountability and support continuous improvement.

  • Risk reporting: Develop regular risk reports for senior management and the board that outline key risks, how they are being managed, and any changes in the risk landscape.
  • Stakeholder communication: Keep internal and external stakeholders informed about significant risks and how they are being managed. This includes investors, regulators, and employees.
  • Risk dashboards: Use visual tools, such as risk dashboards, to provide an overview of key risks and trends across the organization in a clear, concise manner.

9. Leverage Technology for ERM Implementation: Technology can enhance the efficiency and effectiveness of ERM implementation by automating key processes and providing real-time risk data.

  • Risk management software: Use ERM software to streamline the process of risk identification, assessment, and monitoring. These tools can also facilitate collaboration and improve transparency.
  • Data analytics: Leverage data analytics to identify trends, predict potential risks, and assess the effectiveness of risk mitigation strategies.
  • Risk visualization: Tools like dashboards and heat maps help in visualizing risk data, enabling better decision-making.

In Enterprise Risk Management (ERM), objectives are set at different levels—strategic, tactical, and operational—each with distinct purposes and timeframes. These levels of objectives help align ERM efforts with the overarching goals of the organization, ensuring that risk management supports decision-making across all areas of the business. Here’s an overview of the differences between these objective levels:

1. Strategic Objectives

Strategic objectives in ERM are long-term goals aligned with the organization’s mission, vision, and overarching strategy. They focus on high-level risks that could impact the organization’s ability to achieve its long-term vision and sustain its competitive advantage. Strategic objectives are typically set by top leadership and have a broad, organization-wide impact.

Characteristics of Strategic Objectives:

  • Timeframe: Long-term (often 3–5 years or more).
  • Scope: Organization-wide; aligns with the mission, vision, and overall business strategy.
  • Focus: Deals with significant, high-level risks that could impact long-term sustainability or growth.
  • Examples:
    • Ensuring business continuity in case of major disruptions (natural disasters, economic downturns).
    • Expanding into new markets while managing regulatory and geopolitical risks.
    • Maintaining a specific market share by managing risks related to innovation and competition.
    • Achieving sustainable growth by integrating ESG (Environmental, Social, and Governance) risk management into core operations.

In ERM, managing strategic objectives involves:

  • Risk identification and prioritization of potential threats and opportunities.
  • Scenario analysis and stress testing to understand the impact of uncertain, high-impact events.
  • Developing risk appetite statements that outline the level of risk the organization is willing to accept in pursuit of strategic goals.

2. Tactical Objectives

Tactical objectives are medium-term goals that bridge the gap between strategic objectives and operational activities. These objectives focus on specific departments or functions within the organization and are typically aligned with achieving strategic goals. Tactical objectives involve implementing policies, programs, and processes that help mitigate risks at the functional or departmental level.

Characteristics of Tactical Objectives:

  • Timeframe: Medium-term (typically 1–3 years).
  • Scope: Departmental or functional level, such as finance, IT, or marketing.
  • Focus: Addresses risks that affect the ability to achieve strategic objectives, focusing on functional areas.
  • Examples:
    • Enhancing cybersecurity measures in the IT department to protect against data breaches.
    • Improving supply chain resilience in procurement to mitigate supplier-related risks.
    • Strengthening internal controls in finance to prevent fraud and ensure regulatory compliance.
    • Developing training programs in HR to reduce risks related to talent retention and compliance.

In ERM, managing tactical objectives involves:

  • Setting risk tolerance levels for each department or function based on its role in the overall strategy.
  • Establishing key risk indicators (KRIs) and metrics to monitor risks in specific areas.
  • Cross-functional coordination to ensure that tactical objectives align with and support strategic goals.

3. Operational Objectives

Operational objectives are short-term goals focused on day-to-day activities. These objectives are narrow in scope and detail the specific actions needed to ensure the efficient and risk-free functioning of business processes. Operational objectives are often set at the management or supervisory level and focus on mitigating immediate risks that could disrupt routine operations.

Characteristics of Operational Objectives:

  • Timeframe: Short-term (usually less than 1 year).
  • Scope: Process or activity level; focuses on day-to-day operations within specific teams or units.
  • Focus: Addresses specific, immediate risks to ensure smooth functioning of daily activities.
  • Examples:
    • Ensuring workplace safety protocols are followed to reduce accident risks.
    • Monitoring compliance with data handling processes to prevent data loss.
    • Maintaining equipment regularly to avoid downtime in manufacturing.
    • Implementing daily transaction monitoring in finance to detect anomalies or potential fraud.

In ERM, managing operational objectives involves:

  • Real-time risk monitoring to identify and respond to risks as they arise.
  • Implementing standard operating procedures (SOPs) that integrate risk controls into daily activities.
  • Training and awareness programs for staff to ensure compliance with risk management protocols.

Key Differences

  • Strategic objectives are broad and involve managing high-level risks that impact the organization’s future.
  • Tactical objectives support strategic goals through specific departmental initiatives.
  • Operational objectives are immediate and focus on the daily actions that minimize disruptions to essential activities.

Each level of objective plays a role in ensuring a cohesive ERM approach, as the management of day-to-day risks at the operational level supports departmental objectives, which, in turn, align with and facilitate the achievement of strategic goals. Integrating all three levels of objectives creates a comprehensive risk management framework that supports resilience and aligns with organizational strategy.

implementing strategic objectives in ERM

Implementing strategic objectives in Enterprise Risk Management (ERM) requires a top-down approach where risk management is tightly integrated with the organization’s overall strategy. Strategic objectives in ERM focus on long-term, high-level goals that ensure the organization can withstand challenges, seize opportunities, and continue its mission. Here are the key steps for implementing strategic objectives within an ERM framework:

1. Define and Align Strategic Objectives

Strategic objectives in ERM should be clearly defined and aligned with the organization’s mission, vision, and overall strategy. This involves understanding what the organization wants to achieve in the long term and identifying the risks that could impact these goals.

Key Actions:

  • Strategic Goal Setting: Ensure strategic goals (e.g., growth, market expansion, innovation) are established by leadership.
  • Risk Identification: Identify potential risks that could impact achieving these strategic goals. This includes both external risks (e.g., regulatory changes, market volatility, technological disruption) and internal risks (e.g., operational inefficiencies, cybersecurity).
  • Risk Appetite and Tolerance: Define the organization’s risk appetite—the amount of risk the organization is willing to take to achieve its strategic goals. Risk tolerance levels can be established for different risk categories, indicating the acceptable limits of exposure.

Example:

If an organization’s strategic objective is to expand into new international markets, risks like geopolitical instability, compliance with foreign regulations, and cultural differences need to be considered. ERM will help assess these risks and ensure that expansion efforts stay within the company’s risk appetite.

2. Integrate ERM into Strategic Planning

For effective implementation, ERM must be embedded into the strategic planning process. Risk considerations should be factored into the development of strategic initiatives, major projects, and investments.

Key Actions:

  • Risk Analysis in Strategic Planning: During strategic planning sessions, assess the risks and opportunities of each strategic initiative. Use tools like SWOT analysis or PESTLE analysis to identify external risks (e.g., political, economic, social, technological, legal, environmental) and internal vulnerabilities.
  • Scenario Planning: Use scenario planning to evaluate how different risk scenarios could affect the organization’s strategic goals. This helps in understanding potential future environments and preparing risk mitigation strategies accordingly.
  • Risk-Adjusted Decision Making: Incorporate risk-adjusted decision-making to prioritize projects or investments based on their risk-return profiles. High-risk projects should be pursued only if they align with the company’s risk appetite and have strong risk mitigation plans in place.

Example:

If the organization is considering launching a new product, ERM can assess risks related to market acceptance, production costs, and competition, helping decide if the project should proceed, be postponed, or require additional risk mitigation steps.

3. Develop Risk Response Strategies

Once strategic risks have been identified and analyzed, organizations need to develop response strategies to manage these risks in alignment with their strategic objectives.

Key Actions:

  • Risk Mitigation Plans: For each identified risk, develop risk mitigation plans. These may include implementing controls, transferring risk (e.g., through insurance), or accepting the risk if it falls within the organization’s risk appetite.
  • Contingency Planning: Prepare contingency plans for high-impact, low-likelihood risks (e.g., natural disasters, major regulatory changes). These plans ensure the organization can respond quickly if such risks materialize.
  • Innovation and Opportunity Risk: Use ERM not only to mitigate risks but also to explore opportunities. For example, strategic risks like market disruption or technological advances might present opportunities for innovation if managed proactively.

Example:

A technology company pursuing digital transformation as a strategic goal might face risks like technology failure, staff resistance, or data security issues. ERM would develop strategies to mitigate these risks, such as investing in IT infrastructure, offering employee training, and enhancing cybersecurity protocols.

4. Establish Governance and Accountability

Successful implementation of strategic objectives through ERM requires a strong governance structure to oversee risk management processes and ensure accountability at all levels of the organization.

Key Actions:

  • Risk Governance Framework: Establish a risk governance framework that defines roles and responsibilities for managing strategic risks. The board of directors and executive leadership should have oversight of risk management, while specific risk owners (e.g., department heads) are responsible for managing risks in their areas.
  • Risk Committees: Create a risk management or governance committee that meets regularly to review the organization’s risk profile and assess whether strategic risks are being managed effectively.
  • Clear Reporting Lines: Ensure clear reporting lines so that strategic risks identified at the operational level are communicated to senior management and the board. This ensures that emerging risks are addressed in a timely manner.

Example:

For a company expanding into international markets, a governance structure would include risk owners for specific areas (e.g., legal, finance, operations) to ensure that all risks related to foreign market entry are being managed. The risk committee would regularly assess the risks and report them to the board.

5. Monitor and Measure Risk Performance

Continuous monitoring and measurement are critical to ensure that risk management efforts are effective and that strategic objectives are on track. ERM provides tools and metrics to monitor key risks and measure performance against strategic goals.

Key Actions:

  • Key Risk Indicators (KRIs): Develop and track KRIs that provide early warnings about emerging risks or shifts in the organization’s risk profile. These indicators should be linked to the achievement of strategic objectives.
  • Risk Dashboards: Use risk dashboards to provide real-time data on risk performance, showing how well the organization is managing its strategic risks. Dashboards can include visual tools like risk heat maps to prioritize risk response.
  • Periodic Reviews: Conduct regular reviews of the ERM framework to ensure that risk management strategies are still aligned with the organization’s changing strategic objectives. These reviews should assess whether new risks have emerged and whether existing risk controls remain effective.

Example:

A financial institution with a strategic objective to grow its lending portfolio might monitor KRIs like loan default rates, regulatory changes, and economic indicators. If loan defaults increase beyond acceptable limits, the institution would adjust its lending criteria or risk appetite accordingly.

6. Foster a Risk-Aware Culture

Building a risk-aware culture throughout the organization is essential for implementing strategic objectives through ERM. A culture where employees at all levels understand the importance of risk management ensures that risk is considered in decision-making and day-to-day activities.

Key Actions:

  • Training and Awareness: Provide ongoing training to employees and leaders on risk management principles and the importance of aligning risk management with strategic objectives.
  • Risk Communication: Establish open lines of communication about risk across the organization. Encourage employees to report potential risks without fear of negative consequences.
  • Leadership Example: Senior leadership should model risk-aware behavior by demonstrating how they consider risks when making strategic decisions. This helps embed risk management into the organization’s culture.

Example:

If senior leaders regularly communicate how risk factors are influencing strategic decisions, it reinforces the importance of risk management throughout the organization, encouraging all employees to engage with ERM processes.

7. Communicate Progress and Risk Insights

Clear and consistent communication about how ERM supports strategic objectives ensures transparency and accountability at all levels of the organization.

Key Actions:

  • Risk Reporting: Develop regular reports on the organization’s risk profile and the status of strategic risks. Share these reports with the board, senior leadership, and relevant stakeholders.
  • Stakeholder Engagement: Engage with internal and external stakeholders, such as investors and regulators, to communicate how risks are being managed to support strategic objectives.
  • Risk-adjusted Performance: Provide insights into how risk management is affecting organizational performance, demonstrating how strategic objectives are being achieved in a risk-conscious manner.

Example:

A company undergoing digital transformation might regularly report to the board and investors on how it is managing risks related to the project, including cybersecurity and operational disruptions, ensuring stakeholders that these risks are under control.

Implementing tactical objectives in ERM

Implementing tactical objectives in Enterprise Risk Management (ERM) involves bridging the gap between the high-level strategic goals of the organization and the day-to-day operational activities. Tactical objectives are typically medium-term and focus on the risks faced by individual departments, functions, or business units as they work towards achieving strategic objectives. To effectively implement tactical objectives in ERM, the process must involve clear planning, coordination between departments, and the development of specific risk management practices at the functional level. Here’s how you can implement tactical objectives within an ERM framework:

1. Translate Strategic Goals into Tactical Objectives

The first step in implementing tactical objectives is translating the organization’s long-term strategic goals into actionable, department-specific objectives. Each department or business unit must identify how its role contributes to the broader strategy and what risks might prevent it from meeting those objectives.

Key Actions:

  • Break Down Strategic Objectives: Identify how strategic objectives (such as entering a new market or improving customer satisfaction) apply to each department. For example, if the strategic goal is digital transformation, the IT department might focus on enhancing infrastructure and cybersecurity, while HR may focus on reskilling employees.
  • Risk Identification: Each department should identify the specific risks that might impact their ability to achieve tactical objectives. These risks could be related to technology, finance, compliance, or operations.
  • Align Departmental Goals: Ensure that tactical objectives align with both strategic goals and the organization’s risk appetite. Departments should work within the risk tolerance set at the strategic level, while considering specific risks within their functional areas.

Example:

A manufacturing company with a strategic goal to expand production capacity may translate this into tactical objectives for different departments:

  • IT Department: Enhance automation systems to support higher production volumes.
  • Operations Department: Streamline supply chain processes to reduce lead times.
  • HR Department: Hire and train additional staff to meet increased production demands.

2. Develop Risk Response Plans at the Functional Level

Once risks are identified at the departmental level, it’s important to develop specific risk response plans that address those risks in a way that aligns with both tactical and strategic objectives. Risk responses may include mitigation, avoidance, transfer, or acceptance strategies tailored to the specific needs of each department.

Key Actions:

  • Mitigation Strategies: Implement risk controls specific to each department. For instance, the finance department may enhance internal controls to prevent fraud, while the IT department may upgrade cybersecurity protocols.
  • Risk Transfer: Some departments may choose to transfer risks, such as outsourcing certain processes or purchasing insurance for key assets.
  • Contingency Plans: Develop contingency plans for high-impact risks that could disrupt departmental functions. These should be detailed and actionable, with clear steps for managing risks if they materialize.

Example:

A finance department might develop mitigation strategies for risks related to cash flow management, while the operations team could establish contingency plans to manage supply chain disruptions (e.g., alternate suppliers, safety stock).

3. Establish Departmental Key Risk Indicators (KRIs)

Tactical objectives require measurable indicators to track risk performance and monitor progress. Establishing Key Risk Indicators (KRIs) at the departmental level allows teams to monitor risks and take proactive measures before they escalate into bigger problems.

Key Actions:

  • Identify KRIs: Each department should identify specific KRIs relevant to their tactical objectives. KRIs act as early warning signals of potential risk exposures and should be aligned with department goals.
  • Integrate KRIs with KPIs: Where possible, integrate KRIs (which measure risks) with Key Performance Indicators (KPIs), which measure success against department objectives. This ensures that risk and performance are managed together.
  • Monitor in Real-Time: Use dashboards or reporting tools to monitor KRIs in real-time, providing insights into how well departments are managing risks and where adjustments may be needed.

Example:

For the IT department, KRIs might include system downtime or the number of cybersecurity incidents. For HR, KRIs could be employee turnover rates or the number of compliance violations related to labor laws.

4. Foster Cross-Departmental Coordination

ERM requires collaboration between departments to ensure that risks are managed consistently and effectively. Cross-departmental coordination ensures that different functions are working towards common tactical objectives, and that interdependencies between departments are understood and managed.

Key Actions:

  • Cross-Functional Risk Committees: Establish cross-functional risk committees to facilitate collaboration. These committees can help identify and address risks that span multiple departments (e.g., risks that affect both IT and operations).
  • Shared Risk Databases: Use shared risk management databases or tools where departments can report and track risks in a centralized manner. This promotes transparency and ensures that all departments have access to critical risk information.
  • Regular Communication: Facilitate regular communication between departments to share insights on emerging risks, mitigation strategies, and lessons learned. Cross-departmental workshops or meetings can be useful for aligning on shared objectives.

Example:

If the finance department is concerned about liquidity risks that could impact project funding, it should coordinate with the operations department to ensure that cash flow risks are considered when planning production schedules.

5. Assign Risk Ownership and Accountability

Each department should have clear ownership of its risks and be accountable for managing them effectively. Assigning risk ownership ensures that individuals or teams are responsible for monitoring, reporting, and mitigating risks within their functional areas.

Key Actions:

  • Appoint Risk Owners: Designate specific risk owners within each department who are accountable for monitoring and managing departmental risks. Risk owners should report directly to departmental heads and coordinate with the ERM team.
  • Establish Accountability Structures: Develop clear accountability structures that define who is responsible for specific risk management actions. This could include creating risk response teams or assigning risk managers to oversee specific areas (e.g., compliance, technology, health and safety).
  • Performance Reviews Linked to Risk Management: Consider linking risk management performance to departmental evaluations. This ensures that departments are rewarded for effectively managing risks and meeting tactical objectives.

Example:

In the marketing department, a senior manager might be responsible for overseeing risks related to brand reputation, while the operations department assigns risk owners to manage supply chain risks.

6. Implement Risk Control Mechanisms

For each tactical objective, it’s important to put in place specific risk control mechanisms that ensure risks are managed in day-to-day activities. These controls help minimize exposure to risks and ensure that departments can meet their objectives effectively.

Key Actions:

  • Internal Controls: Implement internal controls within each department to mitigate specific risks. For example, finance departments may introduce stronger financial oversight processes, while IT departments can enhance access control systems to reduce cybersecurity risks.
  • Standard Operating Procedures (SOPs): Develop SOPs that embed risk management into daily operations. SOPs should include steps for identifying and addressing risks as they arise, ensuring consistency in how risks are handled.
  • Risk Audits: Conduct regular audits of risk management practices within each department to ensure that controls are working as intended. Audits can identify weaknesses in risk controls and highlight areas for improvement.

Example:

An internal audit team may regularly review how the procurement department manages supplier risks, ensuring that SOPs for vetting suppliers and managing contracts are being followed.

7. Monitor and Report on Tactical Risks

Tactical risks should be monitored continuously to ensure that departments remain on track to achieve their objectives. Reporting mechanisms should be in place to provide regular updates to senior leadership on how well departments are managing risks in relation to tactical objectives.

Key Actions:

  • Continuous Risk Monitoring: Use risk monitoring tools and dashboards to provide real-time updates on departmental risks. This allows for quick responses to emerging threats.
  • Regular Reporting: Implement a reporting structure where department heads report on risk management efforts and outcomes. Reports should focus on how well risks are being managed in alignment with tactical objectives and how this supports the organization’s overall strategy.
  • Risk Reviews: Conduct regular risk reviews where department heads and the ERM team assess whether risk management efforts are effective. These reviews should also consider any changes in the external environment that could impact tactical objectives.

Example:

The finance department might provide quarterly reports on liquidity risks and how these are being managed to support broader financial objectives, while the IT department could report on cybersecurity risks and the effectiveness of controls.

8. Adjust and Improve Based on Feedback

Finally, implementing tactical objectives in ERM is an ongoing process. As departments monitor risks and assess the effectiveness of their controls, they should adjust their approaches based on feedback and changing conditions.

Key Actions:

  • Continuous Improvement: Use feedback from audits, reviews, and risk reporting to continuously improve risk management practices within each department. This might involve refining risk controls, updating SOPs, or reallocating resources to address emerging risks.
  • Risk Learning Culture: Foster a culture where departments are encouraged to learn from past risk management experiences. Regular debriefs after risk events (e.g., cybersecurity breaches, supply chain disruptions) can help departments improve future risk responses.
  • Adapt to External Changes: Departments should be agile in adjusting their risk management practices in response to changes in the external environment, such as new regulations, market trends, or technological developments.

Example:

If the legal department identifies changes in data protection regulations, they should quickly adjust compliance strategies and communicate the changes to relevant departments, such as IT and HR.

Implementing operational objectives in ERM

Implementing operational objectives in Enterprise Risk Management (ERM) involves embedding risk management into the organization’s day-to-day processes and ensuring that risks affecting routine operations are identified, assessed, and managed effectively. Operational objectives are short-term and focus on achieving efficiency, productivity, and regulatory compliance in the organization’s core activities. Operational risks tend to be more specific and frequent compared to strategic or tactical risks. Here’s a step-by-step approach to implementing operational objectives in ERM:

1. Identify Operational Risks at the Process Level

Operational risks are typically related to the failure of people, processes, systems, or external events. To effectively manage these risks, the first step is to identify specific risks that could affect the achievement of operational objectives in each department or function.

Key Actions:

  • Process Mapping: Conduct detailed mapping of key operational processes (e.g., production, customer service, IT, procurement) to understand where risks could arise. Each department should outline its critical processes and identify risk points within them.
  • Risk Assessment: Use risk assessment techniques such as Failure Mode and Effects Analysis (FMEA) or Risk and Control Self-Assessment (RCSA) to evaluate the likelihood and impact of potential risks on operations.
  • Classify Risks: Group operational risks into categories such as human error, system failures, supply chain disruptions, compliance breaches, or environmental hazards to facilitate targeted risk management.

Example:

In a retail company, operational risks could include supply chain delays, inventory management errors, and point-of-sale system outages. The operations team would need to map out these processes and identify where risks are most likely to occur.

2. Develop Risk Controls and Mitigation Strategies

Once operational risks are identified, the next step is to develop specific controls and mitigation strategies to minimize the likelihood and impact of these risks on daily activities.

Key Actions:

  • Design Internal Controls: Implement controls to prevent or reduce operational risks. These might include automated system checks, segregation of duties, process standardization, and quality control procedures.
  • Risk Mitigation Plans: For each risk, create a mitigation plan that outlines steps to prevent the risk or reduce its impact if it occurs. These plans should be tailored to the specific needs of each process or department.
  • Process Improvements: Identify opportunities for process improvements that can reduce exposure to operational risks, such as enhancing workflow efficiency, investing in technology, or improving employee training.

Example:

In a manufacturing setting, a risk control might involve automating quality checks on production lines to reduce human error. In an IT department, a risk control could include setting up automatic system backups to prevent data loss.

3. Establish Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs)

To monitor and measure the effectiveness of risk controls, it is essential to establish Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) related to operational objectives.

Key Actions:

  • Develop KRIs: Identify specific KRIs for each department that provide early warning signals of emerging operational risks. KRIs should be monitored regularly to detect any deviations from acceptable risk thresholds.
  • Link KRIs to KPIs: Where possible, align KRIs with operational KPIs, which measure performance against operational goals. This ensures that departments can manage both risk and performance together.
  • Risk Dashboards: Use risk dashboards or monitoring tools to visualize and track KRIs and KPIs in real-time, allowing for timely responses to emerging risks.

Example:

For a logistics department, KRIs might include delivery times or the number of damaged goods reported, while KPIs could focus on the percentage of on-time deliveries. Monitoring these indicators helps the department manage risks related to delivery delays or damage in transit.

4. Assign Risk Ownership and Accountability

Clear ownership and accountability are critical in managing operational risks. Each department should have designated risk owners responsible for monitoring and managing risks within their area of operations.

Key Actions:

  • Appoint Risk Owners: Assign specific individuals within each department as risk owners. These individuals will be responsible for monitoring operational risks, implementing controls, and reporting on risk status.
  • Define Roles and Responsibilities: Clearly define roles and responsibilities for risk management at the operational level. This could include defining who is responsible for identifying risks, implementing controls, and responding to risk events.
  • Embed Accountability in Daily Operations: Make risk management a part of daily operational responsibilities by incorporating it into job descriptions and performance evaluations.

Example:

In a healthcare facility, the operations manager may be the risk owner for patient safety risks, ensuring that all safety protocols are followed and incidents are reported immediately.

5. Foster a Risk-Aware Culture at the Operational Level

Building a risk-aware culture within the organization’s operational functions is crucial to ensure that employees understand their role in managing risks and are proactive in reporting potential issues.

Key Actions:

  • Training and Awareness Programs: Conduct regular training for employees on the importance of risk management and the specific risks related to their daily tasks. This can include workshops on incident reporting, compliance, or process safety.
  • Encourage Risk Reporting: Establish a culture of open communication where employees are encouraged to report risks or process failures without fear of blame. A no-blame reporting system helps identify risks early before they escalate.
  • Leadership Engagement: Operational leaders should model risk-aware behavior and emphasize the importance of risk management in their communications and actions.

Example:

In a financial services company, front-line employees should be trained to recognize and report suspicious activities or fraud, while also following strict compliance protocols to mitigate operational risks.

6. Monitor Operational Risks Continuously

Continuous monitoring of operational risks ensures that departments can respond to risks in real-time and adjust controls as needed to maintain operational efficiency and minimize disruptions.

Key Actions:

  • Real-Time Monitoring Tools: Use technology and monitoring tools to track operational risks continuously. Systems can be set up to alert teams when KRIs exceed acceptable thresholds or when unusual patterns are detected.
  • Routine Risk Assessments: Conduct regular risk assessments to identify any new operational risks or changes in the risk profile. These assessments should be part of ongoing operational reviews and not just performed during major events.
  • Incident Management Systems: Implement incident management systems to track and respond to operational incidents (e.g., system failures, compliance breaches, safety incidents). These systems can help record data on incidents, track responses, and analyze root causes to prevent future occurrences.

Example:

A call center may use monitoring software to track call volume, customer complaints, and system outages in real-time. If call volumes spike unexpectedly, the system can flag this as a potential risk, prompting managers to investigate the cause and adjust staffing or processes accordingly.

7. Conduct Regular Audits and Reviews

To ensure that operational risks are being managed effectively, it’s important to regularly audit risk controls and review the effectiveness of risk management processes at the operational level.

Key Actions:

  • Internal Audits: Schedule internal audits to assess whether departments are following established risk management procedures and if risk controls are functioning as intended. Audits can identify gaps in processes and recommend improvements.
  • Process Reviews: Conduct periodic process reviews to identify inefficiencies, control weaknesses, or emerging risks. Process reviews should focus on high-risk areas and evaluate the adequacy of risk mitigation strategies.
  • Feedback and Improvement: Use audit and review findings to continuously improve operational risk management practices. Departments should act on audit recommendations and adjust controls or processes where necessary.

Example:

An internal audit team may review the procurement process in a manufacturing company to assess how effectively suppliers are being vetted and whether the company is exposed to supply chain risks.

8. Adjust Risk Management Based on Changing Conditions

Operational environments are dynamic, and risks can evolve over time due to internal changes or external events. ERM at the operational level should be flexible enough to adapt to these changes.

Key Actions:

  • Continuous Improvement: Encourage a mindset of continuous improvement within operational functions. Departments should regularly assess whether existing risk controls remain effective or need to be updated based on new risks or changes in the business environment.
  • Adapt to External Changes: Be prepared to adjust operational risk management practices in response to external factors such as new regulations, market conditions, or technological advancements.
  • Scenario Planning: For key operational risks, departments can use scenario planning to anticipate potential future disruptions (e.g., supply chain disruptions, cybersecurity incidents) and develop plans to manage those risks proactively.

Example:

If a regulatory change introduces stricter compliance requirements, an operations team in the healthcare sector may need to update its patient data management processes to ensure compliance with new privacy laws.

Aligning objectives to risk management principles

Aligning objectives to risk management principles ensures that the organization’s goals are pursued with a clear understanding of the risks involved and with adequate measures to manage those risks effectively. When objectives are aligned with risk management, the organization is better positioned to achieve its goals in a sustainable way, adapting as needed to changing conditions while preserving value. To achieve this alignment, organizations can use the following principles:

1. Integrate Risk Management into Objective Setting

To align objectives with risk management, risk considerations should be embedded in the process of setting and prioritizing objectives from the beginning. This ensures that objectives are realistic and achievable within the organization’s risk appetite.

Key Actions:

  • Conduct a Risk Assessment Before Objective Setting: Assess the risks associated with each potential objective, considering both external and internal factors. Identify and prioritize objectives that align with the organization’s capacity to manage associated risks.
  • Align with Risk Appetite: Ensure that the objectives do not exceed the organization’s risk appetite and tolerance levels. If objectives fall outside of this range, they should be adjusted to balance ambition with risk.
  • Risk-Adjusted Planning: When setting objectives, consider risk scenarios and adjust plans based on potential risk impacts (e.g., alternate timelines, budget adjustments, or contingency strategies).

Example:

A bank setting an objective to expand its lending portfolio would need to assess the risk of loan defaults in different economic scenarios and adjust its target or credit criteria to stay within risk tolerance.

2. Establish Clear Ownership and Accountability

Ownership and accountability for managing risks associated with objectives should be clearly assigned to specific individuals or teams. This helps ensure that risks are continuously managed, and that responsible parties are motivated to achieve objectives while upholding risk management standards.

Key Actions:

  • Designate Objective Owners: Each objective should have a designated owner responsible for overseeing both the achievement of the objective and the associated risk management activities.
  • Embed Risk Responsibilities in Job Roles: Incorporate risk management responsibilities directly into job descriptions and performance evaluations for those accountable for key objectives.
  • Link Incentives to Risk-Adjusted Performance: Performance incentives should encourage not just achieving objectives, but achieving them within risk tolerance and with effective risk management practices.

Example:

In a product launch, the project manager could be designated as the objective owner, with specific responsibilities for managing product quality and regulatory compliance risks.

3. Develop Risk-Informed Decision-Making Processes

Risk management principles encourage decision-making that considers both opportunities and risks. By making risk-informed decisions, organizations can pursue objectives more confidently and avoid unintended consequences.

Key Actions:

  • Use Risk Assessment Tools: Apply tools like risk matrices, cost-benefit analysis, and scenario planning to evaluate potential risks and rewards associated with key decisions.
  • Prioritize Objectives Based on Risk and Value: Rank objectives not only by potential value but also by risk exposure, ensuring a balance between high-reward and low-risk objectives.
  • Encourage a Culture of Informed Risk-Taking: Promote a culture where managers and employees understand that risk is a natural part of achieving objectives and are encouraged to make informed risk choices.

Example:

When considering an objective to enter a new market, a company could use scenario planning to assess risks related to regulatory compliance, political stability, and competitive dynamics before proceeding.

4. Set Risk-Aware Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs)

Using risk-aware KPIs and KRIs helps track performance and risk exposure in a way that aligns with the organization’s objectives. KPIs measure success in achieving objectives, while KRIs monitor potential threats that could impact those objectives.

Key Actions:

  • Define KRIs Aligned with Each Objective: For each objective, establish KRIs that act as early warning signs of risks that could affect progress. For instance, customer complaints could serve as a KRI for product quality.
  • Balance KPIs with KRIs: Ensure that KPIs (focused on achievement) are balanced with KRIs (focused on risk), so objectives are pursued without overlooking risk factors.
  • Regular Monitoring and Reporting: Use dashboards or reports to continuously monitor KPIs and KRIs, allowing for timely adjustments to objectives or strategies if risks materialize.

Example:

For an objective related to improving customer satisfaction, KPIs might include customer feedback scores, while KRIs might track the volume of complaints or return rates as indicators of potential issues.

5. Maintain Flexibility and Adaptability in Objectives

Risk management principles emphasize the importance of agility in the face of changing conditions. Objectives should be adaptable to reflect changes in the organization’s risk environment, such as economic shifts, regulatory changes, or emerging threats.

Key Actions:

  • Regular Risk Reviews and Objective Reevaluation: Schedule periodic reviews of risks associated with each objective to identify and adapt to emerging risks. Update objectives as necessary based on these risk reviews.
  • Scenario Planning and Contingency Strategies: Develop contingency plans and flexible strategies for high-priority objectives to maintain progress if risks escalate.
  • Encourage Continuous Improvement: Make objective setting an iterative process that allows for adjustments based on lessons learned from risk events, near-misses, and changing conditions.

Example:

A retailer with an objective to increase in-store sales may need to pivot to online sales in response to pandemic-related risks, adapting objectives to meet the new market environment.

6. Promote a Risk-Aware Culture Across All Levels

Aligning objectives with risk management principles requires a culture where everyone understands and respects the importance of risk. A risk-aware culture ensures that employees at all levels are committed to achieving objectives in a way that is both ambitious and cautious.

Key Actions:

  • Risk Awareness Training: Provide regular training on the organization’s risk management framework, risk appetite, and how it applies to individual and team objectives.
  • Open Communication Channels for Risk Reporting: Foster open communication where employees feel comfortable reporting risks or near-misses that could affect objectives, without fear of reprisal.
  • Recognize Risk-Conscious Achievements: Encourage risk-conscious behavior by recognizing and rewarding achievements that demonstrate effective risk management alongside objective success.

Example:

A manufacturing company could hold regular safety training sessions and reward teams who meet production goals while also maintaining exemplary safety records.

7. Implement Continuous Monitoring and Feedback Mechanisms

Effective risk management requires continuous monitoring and feedback. By actively monitoring objectives and associated risks, the organization can respond quickly to emerging threats or issues that could impede success.

Key Actions:

  • Use Real-Time Monitoring Tools: Implement technology solutions that allow real-time monitoring of risk indicators related to high-priority objectives.
  • Regular Feedback Loops: Schedule frequent feedback sessions for departments to report on progress, share challenges, and discuss any risks impacting their objectives.
  • Adjust Objectives Based on Feedback: Use feedback to make real-time adjustments to objectives or resource allocation if risks evolve or if new opportunities arise.

Example:

An IT department might continuously monitor system uptime and cybersecurity incidents as part of its objective to ensure system reliability, adjusting its objectives if threats increase.

8. Evaluate and Learn from Risk Management Outcomes

Finally, evaluating risk management efforts and learning from outcomes is essential for improving the alignment between objectives and risk principles. Post-objective reviews provide insights into how well risk management supported achievement and where improvements can be made.

Key Actions:

  • Conduct Post-Objective Reviews: After completing key objectives, conduct a review of risk management performance, analyzing both successful outcomes and areas for improvement.
  • Identify Lessons Learned: Capture lessons from both positive and negative risk events and use these insights to refine future objectives and risk management approaches.
  • Integrate Feedback into Future Planning: Use feedback from past objectives to improve alignment between objectives and risk management principles in future planning cycles.

Example:

After completing a major IT project, the team could review risk management outcomes to identify any unexpected risks, then apply lessons learned to improve future project planning and risk controls.

Published by Pretesh Biswas

Pretesh Biswas has wealth of qualifications and experience in providing results-oriented solutions for your system development, training or auditing needs. He has helped dozens of organizations in implementing effective management systems to a number of standards. He provide a unique blend of specialized knowledge, experience, tools and interactive skills to help you develop systems that not only get certified, but also contribute to the bottom line. He has taught literally hundreds of students over the past 5 years. He has experience in training at hundreds of organizations in several industry sectors. His training is unique in that which can be customized as to your management system and activities and deliver them at your facility. This greatly accelerates the learning curve and application of the knowledge acquired. He is now ex-Certification body lead auditor now working as consultancy auditor. He has performed hundreds of audits in several industry sectors. As consultancy auditor, he not just report findings, but provide value-added service in recommending appropriate solutions. Experience Consultancy: He has helped over 100 clients in a wide variety of industries achieve ISO 9001,14001,27001,20000, OHSAS 18001 and TS 16949 certification. Industries include automotive, metal stamping and screw machine, fabrication, machining, assembly, Forging electrostatic and chrome plating, heat-treating, coatings, glass, plastic and rubber products, electrical and electronic equipment, assemblies & components, batteries, computer hardware and software, printing, placement and Security help, warehousing and distribution, repair facilities, consumer credit counseling agencies, banks, call centers, etc. Training: He has delivered public and on-site quality management training to over 1000 students. Courses include ISO/TS -RAB approved Lead Auditor, Internal Auditing, Implementation, Documentation, as well as customized ISO/TS courses, PPAP, FMEA, APQP and Control Plans. Auditing: He has conducted over 100 third party registration and surveillance audits and dozens of gap, internal and pre-assessment audits to ISO/QS/TS Standards, in the manufacturing and service sectors. Other services: He has provided business planning, restructuring, asset management, systems and process streamlining services to a variety of manufacturing and service clients such as printing, plastics, automotive, transportation and custom brokerage, warehousing and distribution, electrical and electronics, trading, equipment leasing, etc. Education & professional certification: Pretesh Biswas has held IRCA certified Lead Auditor for ISO 9001,14001 and 27001. He holds a Bachelor of Engineering degree in Mechanical Engineering and is a MBA in Systems and Marketing. Prior to becoming a business consultant 6 years ago, he has worked in several portfolios such as Marketing, operations, production, Quality and customer care. He is also certified in Six Sigma Black belt .

Published

Leave a ReplyCancel reply