Can you describe the differences among these four types of risks?
Strategic risks are high-level risks describing threats to the organization’s overarching goals. Strategic risks do not, for example, include risks associated with the manner in which a strategy is executed. Instead, they relate to risks associated with the strategy itself. Operational risks describe risks associated with the design of processes tasked with carrying out strategic goals; they do not relate to the execution of processes. This latter element is the domain of process risks. While we have explicitly defined each of the abovementioned risks, they are all highly related to one another and must be jointly assessed to ensure organizational objectives are successfully achieved.
Compliance risks pervade virtually all levels of an organization and thus are a foundational element of an organization’s strategy, operations and processes. However, due to their importance, the Dodd-Frank law has explicitly stated that organizations should place an intense focus on compliance risk and that compliance risks should be integrated with other areas of risk in the assessment process.
For a sample of selected strategic, operational, process and compliance risks, I would invite readers to review Step 3 of Cendrowski Corporate Advisors’ full-page handout included with this month’s magazine.
How should risks be identified and evaluated?
Risks should be identified and evaluated through the use of ERM workshops. These workshops bring together numerous subject matter experts, allowing them to collectively brainstorm risks faced by the organization in an open environment. Once identified, the impact and likelihood of risks should be estimated by subject matter experts. Those risks with both high impact and high likelihood should be prioritized for oversight and monitoring, as they can have the greatest potential effect on the organization’s objectives.
What types of individuals should participate in ERM workshops?
As described in this month’s insert, an ideal workshop participant is an open and honest communicator who embraces change rather than impedes it. Even though numerous individuals within an organization may have excellent ideas regarding organizational risk and how risk readiness can be improved, many may fail to share them due to their personality or because the organization has created obstacles to communication.
Additional characteristics of an ideal workshop participant will differ by the type of workshop being conducted. For instance, in conducting an operations-focused ERM workshop, an ideal participant is a creative thinker and a process visionary. With these traits, operational processes can be devised that maximize the organization’s rewards associated with its strategy while minimizing risk. In contrast, an ideal participant in a process-focused ERM workshop need not possess these traits but should have a profound understanding of the work flow within an organization. This knowledge will help ensure processes are implemented according to their operational design.
James P. Martin, CMA, CIA, CFE, is managing director for Cendrowski Corporate Advisors LLC. Reach him at (866) 717-1607 or [email protected].
