“The secret lies in keeping the risk profile simple and easy to communicate”
This second part describes how to prepare a risk profile based on the Top 10 Risk Profile. Preparing, consolidating, and documenting the Top 10 Risk Profile involves 8 steps that need to be taken in sequential order, as illustrated below.
[Figure: The approach to preparing the Top 10 Risk Profile]
It is critical to develop a plan of action before starting the actual interviews, covering duration, resource requirements, and the level of detail to be achieved. The following questions can be used as references:
- How often should a Top 10 Risk Profile be prepared?
- Who should be interviewed?
- How should interviews be scheduled?
- What to consider when interviewing the CEO?
- What background information needs to be gathered?
In preparing the interview tools, several things need to be considered:
- Obtaining identified, clearly articulated, and documented corporate business objectives
- Conducting an environmental scan by compiling papers, reports, or articles depicting events that have happened and could impact the organization or its stakeholders
- Providing a prior list of past and potential risks for interviewees.
[Figure: Risk profile interview sheet]
Once all the interviews have been completed, it is time to condense the findings into a summary of the key facts and descriptions, which provides the basis for compiling or updating the risk profile. When summarizing, we need to prepare an individual sheet for each major risk with 2 columns: 1) risk sources and causes of any increase in the identified risk; 2) mitigation efforts and causes of any decrease in the risk.
In the process, interviewees sometimes give new ratings and/or trends for a risk. The ERM group should explore and validate all findings from the interviews and other evidence before deciding whether the overall ratings or trends should indeed be changed.
In the phase after the results have been summarized, the risk manager faces the challenge of creating a communicative document and any related presentations. Some helpful principles are as follows:
- Keep it simple: write in plain language and combine descriptions with easy-to-understand charts
- The draft consists of 3 key fundamental elements: 1) basic information such as the process followed, the number of interviews completed, the time frame for the assessment (e.g., three years forward), and the risks that have been removed from or added to the profile since the previous one; 2) a top risks matrix that shows the current ratings, trends, and previous ratings for comparison, and references the risk descriptions on subsequent pages; 3) a half-page narrative for each of the 10 risks that describes the sources of the risk, the business objectives impacted, and the mitigations in place or planned.
Once the draft risk profile has been updated by the ERM group, it is presented to a management committee led by the CEO, which takes ownership of the risk profile by accepting or approving it.
The primary purpose of the corporate risk profile is to share the risks facing the organization with the board and to provide an important base for strategic planning: “how the existing risks might then be affected by new strategic directions”.
As part of good corporate governance, the board should insist on viewing updated profiles on a periodic basis or requesting interim updates during a crisis.
To assure the accuracy and usefulness of the corporate risk profile, the board also needs to monitor how money and resources are allocated relative to the top 10 risks identified.
The corporate risk profile plays a vital role in the overall ERM process. Having a simple and communicative risk profile is essential for ERM as a practical management and governance tool that:
- Helps to align the understanding of business objectives and related risks between the board, senior management, and line management
- Helps to ensure significant risks are understood in a structured and consistent framework
- Plays an integral part in strategic planning and resource allocation
- Assists in marketing the value of ERM by demonstrating how the process works and how it adds value.