Enterprise risk management (ERM or E.R.M.) at Leading2Lean includes the methods and processes used to manage risks and seize opportunities related to the achievement of the company's objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, we protect and create value for our stakeholders, including owners, employees, customers, regulators, and society overall.
The Leading2Lean ERM framework describes an approach for identifying, analyzing, responding to, and monitoring risks and opportunities, within the internal and external environment facing the enterprise. Management selects a risk response strategy for specific risks identified and analyzed, which may include:
- Avoidance: exiting the activities giving rise to risk
- Reduction: taking action to reduce the likelihood or impact related to the risk
- Alternative Actions: considering and deciding on other feasible steps to minimize the risk
- Share or Insure: transferring or sharing a portion of the risk in order to finance it
- Accept: no action is taken, due to a cost/benefit decision
Monitoring is typically performed by management as part of its internal control activities, such as review of analytical reports or management committee meetings with relevant experts, to understand how the risk response strategy is working and whether the objectives are being achieved.
The risk management process involves:
- Establishing Context: This includes an understanding of the current conditions in which the organization operates, in terms of its internal, external and risk management context.
- Identifying Risks: This includes the documentation of the material threats to the organization’s achievement of its objectives and the representation of areas that the organization may exploit for competitive advantage.
- Analyzing/Quantifying Risks: This includes the calibration and, if possible, creation of probability distributions of outcomes for each material risk.
- Integrating Risks: This includes the aggregation of all risk distributions, reflecting correlations and portfolio effects, and the formulation of the results in terms of impact on the organization’s key performance metrics.
- Assessing/Prioritizing Risks: This includes the determination of the contribution of each risk to the aggregate risk profile, and appropriate prioritization.
- Treating/Exploiting Risks: This includes the development of strategies for controlling and exploiting the various risks.
- Monitoring and Reviewing: This includes the continual measurement and monitoring of the risk environment and the performance of the risk management strategies.
All employees are expected to implement and participate in the risk management process in both company-wide and team-level projects. The most important first step is Identifying Risks. All employees are expected to identify and report all risks they encounter. Risks should be reported immediately to your supervisor or to a company executive.
Risk Tracking / Reporting:
Team, department, and company-wide tracking of risks should be done with the goal of reducing risk quickly and in the most effective and efficient manner at each level of the organization. Below is an example risk register format for managing open risk items:
| Risk ID | Description | Category | Probability | Impact | Score | Risk Response | Status | Owner |
|---|---|---|---|---|---|---|---|---|
| Number | "Cause, Event, Effect" statement | Technical, … | 1 - Unlikely; 2 - May or may not occur; 3 - Likely to occur | 1 - Minimal; 2 - Moderate; 3 - Significant | Product of Probability x Impact; 7-9 - Red | | | |
Each level of the organization is expected to manage its known risks and provide visibility to the next higher level of the organization on a timely basis. Visibility and action are the guiding principles that should be maintained.