Identifying, assessing and managing risk are becoming more pertinent to today's business, which means that the executive level and Board of Directors have to develop a plan. Their former method of reacting to single events as they happened is being replaced by an enterprise-wide proactive approach.
The flow of an ERM model starts with setting a strategy or objectives and leads to identifying, assessing, treating and controlling the risks that could distract the business from its goals. Communicating and monitoring the potential risks then flows back to the setting of strategy/objectives in a continuous cycle. Each function has its own means of deciphering the who, what, where, why, when and how of a risk.
By identifying risks that could prevent the achievement of corporate goals, the risks can be assessed for their inherent nature. Once the inherent risk has been discussed and a plan put in place, the residual risk is what the company could face. The risks identified here should be a complete and accurate list of all the risks faced by the company. Any risk identified has a probability of occurring and so would affect the company.
There are many ways to identify risk, including brainstorming (perhaps with some “seeding” from a generic inventory of risks), interviews and self-assessment, facilitated workshops, SWOT analysis, risk questionnaires and risk surveys, as well as a few others. An important note on some of these techniques is that the information collected should be anonymous and/or without reprisal from superiors.
Analysis of the risk is completed to understand the probable causes more fully, and allows the ERM team to decide what the potential risk drivers are for each risk. Quantifying a risk at too high a level can lead to the risk being defined too broadly or being unactionable. Once the risk driver of each risk is identified, estimates can be determined to see the impact of the risk and relate it back to the business strategy.
Different risk rankings and risk maps (impact vs. likelihood of occurrence) can be developed from the surveys. The company's response to each associated level of risk can be recorded on the risk map itself.
Also, the definitions and parameters used in the risk map must be disclosed to understand the map correctly. The