Reviewing Risk – A Framework Idea 

The Institute of Risk Management describes Enterprise Risk Management (ERM) as “the overall philosophy that consolidates the management of individual risks into a unified and consistent approach across the whole enterprise.” While there is no one-size-fits-all approach to Risk Management (RM), and its application varies by industry, robust frameworks can be applied universally to enhance effectiveness.  

One of the most recognized approaches to ERM is Plan, Implement, Measure, Learn (PIML). This approach is recommended because it promotes a holistic, continuous improvement cycle mentality. Reviewing risk is not a start-stop process; it must be integrated into both, the strategy and operations of the organization. 

Plan  

Risk management begins at the board or senior management level, where it aligns with the organization’s objectives and core values. This phase involves identifying the total risk exposure across the organization and highlighting the interconnected nature of risks within different business areas and functions. It is also the stage where the organization’s risk appetite—the willingness to undertake risk activities over the short and long term—is set. 

 Suggested Activities: 

Align RM with organisations objectives – Ensure that risk management strategies support the organization’s goals and values. 

Identify total risk exposure – Evaluate risks across all areas of the business to understand their interdependencies. 

Set risk appetite – Define the level of risk the organization is willing to accept in pursuit of its objectives. 

Implement 

During the implementation phase, the focus is on establishing a risk register and categorising risks in a way that aligns not only with the organisation’s objectives but its internal reporting structures. This involves assessing what is at stake and the potential consequences and likelihood of risks materializing. 

Suggested Activities: 

Create/Update the Risk Register – Document all identified risks, including their potential impacts and the measures in place to mitigate them. 

Risk Categorization -Ensure that risk categories are meaningful and aligned with the organization’s functions and objectives. Clearly outline what is at stake, the extent of potential consequences, and the likelihood of risks occurring. 

Communication- Ensure that risk management practices are not only communicated effectively across all levels of the organization, from top management to operational staff but also understood. By understanding what part of risk management each person is involved with in their own role, it is better appreciated and applied day to day.  

Measure

Effective risk management requires continuous monitoring and testing of controls. This ensures that the controls in place are functioning as intended and are effective in mitigating risks. 

Suggested Activities: 

Monitor what matters – Focus monitoring efforts on critical controls and ensure they are operating as documented in the risk register. 

The ‘All and Always Test’ – Regularly test your controls to ensure they are always effective and consistently applied by everyone. Controls that fail this test need to be re-evaluated and adjusted. 

Accurate Reporting- Maintain accurate and timely reporting of risk management activities to ensure transparency and facilitate informed decision-making. Make the reports interesting and interactive, useful and concise to engage your audience. Risk reporting should be accessible for all to enable transparency across the organisation.   

Learn 

The learning phase involves using insights gained from monitoring and testing to improve the risk management process. This includes planning audits and risk assurance activities to ensure that risk management is not siloed and is considered within the broader context of the organization’s environment. Following on from risk reporting being available to all, these activities should also be clearly communicated and explain why they are important. Clear and consistent communication will enable a ‘no blame culture’ and help with the tacit learning with organisation.  

Suggested Activities: 

Audit Planning – Develop audit plans to provide risk assurance and ensure that risk management practices are effective and comprehensive. Be mindful of different busy periods within each function and plan around these to acknowledge the importance of the work that function produces.  

Continuous Improvement – Use feedback from audits and monitoring to refine risk management strategies and controls. Communicate the lessons learned to all so everyone understands their part in the larger picture. 

Holistic Approach – Manage risk appetite in the context of the organization’s operating environment. This means considering risks in relation to compliance, operations, risk aversion, and tactics as part of the decision-making process.  

Identify Opportunities – By considering both positive and negative aspects of risk, management can identify new opportunities and address challenges associated with current opportunities.  

By integrating these elements into a continuous cycle, organizations can ensure that risk management is a dynamic and integral part of their strategic and operational processes. This approach not only helps mitigate potential risks but also enables organizations to leverage risk management as a tool for identifying opportunities and driving sustainable growth.