In our first article, we introduced the concept of risk silos and what you can do about them. In this article, we will take a closer look at the steps you can take to help break down risk silos at your organisation by asking a few key questions.
‘Enterprise’ here means both ‘whole of enterprise’ and ‘enterprise-level’ oversight.
Enterprise risk management is implemented in response to the need to ensure that a consistent approach to risk management is applied to all areas of the organisation and can be viewed and accessed at all levels. For example, just as there are managers and executives that manage and have a view of the whole enterprise, enterprise risk management means that there should be a whole of enterprise view of risks.
To explore this concept further, Ideagen provides a table showing the differences between the traditional approach to risk management (TRM) and the enterprise-wide approach to risk management (ERM).

| Traditional risk management (TRM) | Enterprise risk management (ERM) |
|---|---|
| Focuses solely on risks that can be insured, for instance, if a member of staff has a fall at work that causes injury, or a flood damages part of an office | Accounts for insurable hazards along with any other risk an organisation faces that no amount of money can remedy, such as a cyber breach that causes the loss of highly sensitive data and possible damage to brand reputation |
| Reactive and sporadic risk management that takes place only after an incident has happened, to prevent it from reoccurring | Proactive and consistent risk management that attempts to predict potential events before they happen, whilst considering impact and probability |
| Risk-averse mindset, viewing risks only as something that can cause the organisation to lose money | Risk-taking mindset, where the downsides and upsides of risks are considered to determine which pose an opportunity for growth and expansion |
| Fragmented or siloed approach where each department manages risk independently, with no communication outside of their respective business units | Integrated and holistic approach where risk management is coordinated throughout the business with senior-level oversight, to help better allocate resources and prioritise risks |
| Risks are mitigated based on each silo’s expertise and decision-making skills, with a one-dimensional assessment | Risks are mitigated in line with an ironclad multi-dimensional strategy on an enterprise-wide level |
| Disjointed activity with no connection to strategic objectives and little awareness of risk across the organisation | Risk is embedded as a culture and ingrained as a valuable decision-making tool to ensure business success |
| Follows basic and limited standards that may stall operations and provide minimal value to an organisation | Follows modern standards such as the COSO framework and ISO 31000, which complement the technical and soft skills required to extend risk management beyond a compliance-oriented exercise |
There are three main sources of risks related to the organisation’s profile:
Risks related to an organisation’s operational profile
These are risks that arise due to the nature of an organisation’s operations – its operational profile. For example:
Risks related to an organisation’s mandatory compliance obligations
The organisation’s operational profile also gives rise to specific compliance risks, arising from the particular operations being undertaken. Failure to manage compliance obligations is a key risk for any organisation and will affect its long-term viability and ongoing success.
Risks related to an organisation’s non-mandatory compliance obligations
Risks can also arise from obligations that the organisation chooses to comply with, for example, voluntary codes of conduct for an industry or obligations arising from contracts with key stakeholders.
This diagram illustrates the above:
“Won’t there be too many risks for my board or executive team to have visibility over given all of the departments, activities and sometimes different locations of the business?”
The answer is “yes, there are going to be a large number of risks”! Therefore, to make sense of all the risks and ensure that boards and executive teams are only focusing on items of importance to them, it is necessary to apply a methodology to enable risks to be filtered and sorted.
Two suggested methodologies to filter and sort risks are to apply the principle of risk granularity and to separate operational and strategic risks.
This will help organisations to focus only on the risks that are important at each level of the organisation, preventing them from becoming overwhelmed by the rest.
Applying the principle of risk granularity
Risk granularity means organising risks according to whether they are macro or micro or, putting it another way, big picture or little picture.
An example of a macro level risk might be a health and safety risk. For example:
Failure to effectively implement systems and process to manage legal compliance with health and safety laws and to develop a positive and safe workplace culture.
This is a single ‘macro’ overarching risk related to the organisation’s health and safety activities and risks.
Underneath this at a more granular or micro level might be a large number of risks associated with workplace hazards. For example:
Failure to provide first aid kits and other first aid requirements that comply with the First Aid in the Workplace Code of Practice.
This is a much more granular or micro health and safety risk, but still important.
Using the principle of risk granularity helps identify the risks that should be reported and managed by the organisation’s leaders and those that can be managed by others with specific operational responsibilities.
The advantages of applying the principle of risk granularity to a set of risks include:
Separating operational and strategic risks
Some risks relate to an organisation’s operations and others relate to its strategy. Separating these risks helps to identify them, provides a common language for discussing them, and assists in risk reporting. Most strategic risks would be expected to be reported to, and sometimes overseen by, the board, whereas operational risks are more frequently managed by the organisation’s leaders and managers.
Ideagen describes strategic risks as:
“referring to the events or decisions that could potentially stop an organisation from achieving its goals. It also refers to the danger of an organisation’s strategic choices being incorrect, or not responding effectively to changing environments”.
Strategic risks include:
Strategic risks will change over time as strategy changes and as internal and external operating environments change.
Operational risks are risks associated with business operations, systems, processes, and products. They affect daily activities and are a ‘ground level’ look at risks. These risks will vary depending on the nature and scope of operations (the organisation’s “operational profile”). They also arise from the compliance obligations associated with those operations, again based on the operational profile.