Systematic enterprise risk management is a never-ending process in a company that ensures that the risks are appropriately managed.

In its simplest form, the risk management process is divided into 4 main phases:

1) Identification
2) Assessment
3) Treat
4) Control

While many ERM books make it sound complicated, it really is not.

First, we must identify the existence of a risk, then evaluate how serious a risk we are dealing with, do something about it, and finally ensure that what we did helped.

Then, over time, we repeat steps 2, 3 and 4 to ensure that the situation hasn’t changed and that our mitigation efforts are still suitable.


All this being said, there are a number of fine details in each of the steps that one should consider carefully. In our article series, we’ll bring additional insights into each step.

- Create a collection of all the risks that the company faces → Risk register
- How to know which risks exist? Use out-of-the-box thinking & imagination
- Avoid identifying difficulties as risks; avoid double counting the same risks; start with the major risks and don’t think that a large number of risks means that identification was done well
- “Deciding how serious a risk is”
- Quantify in monetary units based on cash flow, profitability, and firm value impact
- Advanced: Take into account the interdependencies → risk aggregation
- Strategies to reduce risk: Assume; mitigate; hedge; transfer
- Cost-benefit analysis: Does it pay off to mitigate the risk? (requires monetary risk quantification!)
- Assign risk owners and organize risk treatment tasks
- Track risk realization and near misses → Data
- Keep track of and record underlying risk drivers, such as price fluctuations and interest rates (KRI – Key Risk Indicators)
- Check that risk treatment is functioning well



For more information about risk management, follow our LinkedIn & Twitter accounts. You can join the debate in the LinkedIn group ERM – ENTERPRISE RISK MANAGEMENT.

The role of ROI in managing organisational risks

When something happens within an organisation, it is easy to quickly evaluate the effect of said event and determine the responsible department or person. It is more complicated, however, to do the opposite: if nothing earth-shattering happens within an organisation, it is almost impossible to prove that a responsible, conscientious risk manager (RM) is to thank for this. What is more, the management usually takes the credit. (Truth be told, this is not so far-fetched either, since it was the management who brought a good RM on board!)

From the above, we can conclude that the key issue in risk management is being able to prove that the system is working. The role of a good RM is to help an organisation attain its objectives by reducing the possibility of deviation, or by preventively reducing the consequences of potential deviations, on the company’s way to attaining its objectives. This means that the RM plays an extremely important role in his workplace, making him the scapegoat for most of the issues, but receiving little praise for the preventive measures undertaken.

However, the RM’s duty is to help the organisation. His contribution or the value of the entire ERM process can therefore only be measured if we know the company objectives, thus measuring how the ERM system functions in relation to the objectives set.

Here are a couple of questions to help with that:

- Compliance: Are we complying with our own directives and policies in our risk management system?
- Maturity: How does our risk management system compare to best practices and to our competitors?
- Added value: Does our system contribute to achieving the objectives and results of the organisation and, if so, to what extent?

You might be surprised to hear that usually, the hardest part of measuring the effectiveness of a risk management system is to prove that it is contributing added value to the company. In other words: you’ll be able to answer the first two of the above questions relatively quickly and confirm whether you are complying with the standards you commit to in your company, and if your risk management culture or maturity is improving. However, it is a little harder to comply if the management requires proof that the risk management investment is actually paying off in the form of better results. Harder, yes, but not impossible!

We measure the achievement of business objectives through key performance indicators (KPIs) and performance criteria. In other words: when we manage risks in an efficient manner, we are also familiar with all uncertainties that can affect our business objectives, which makes us better equipped for managing all the risks that appear. This also means that the key performance indicators need to be improved on in order to measure the effectiveness of the ERM system!


The benefits of an ERM system are two-fold:

- Limiting surprises
- Adding value

Of course, we must also realise that the ERM process is not a magic trick. In spite of a well-established system, bad and unpredictable things will keep on happening in companies. However, the system will help you to be better prepared when they do, react faster and in an organised manner, and have all the resources ready to pull the right strings, thus significantly improving the decision-making process within an organisation.

The ERM system also adds other benefits, becoming an indispensable part of business plans as management discussions regularly include risks and uncertainties.

- Transparency: Even though this value is not (yet) a priority in many organisations, it represents an enormous advantage for owners and employees alike.
- Discipline: When employees, business processes and departments familiarise themselves with risks and suitable measures, the robustness of the organisation increases, thus raising the level of the internal risk management culture.
- Clearly defined objectives: For an ERM system to work well, the objectives of the organisation must be clearly defined for all interested parties, which is a task often not implemented in a suitable manner. Clearly defined common objectives and potential obstacles leading to them provide for significantly better results. An organisation must actively react to changes in the environment and the business processes, thus further decreasing the possibility of wrong decisions or missed business opportunities.
- Simpler allocation of capital or allocation of funds: Comprehensive information, including risk-related data, allows for a simpler allocation of funds and an easier segmentation, regardless of whether we’re preparing the pricing policy for individual products, markets, clients, and competitors, or comparing risks and income.
- Increased trademark reputation: A good ERM system allows us to protect the trademark and the reputation of a company or an organisation. It affects not “only” the value of shares but also contributes to the value of the entire organisation, which is the most important piece of information for the supervisory board and the owner.

Next time, we’ll tell you all about how to deal with each individual KPI!

