I recently had dinner with friends who all work in the environmental, health and safety (EH&S) area, and we’ve all reached the same conclusion: Instead of breaking down risk management silos, many companies going up the risk maturity curve build new walls.
This seems to originate from a battle that, to my mind, has no real grounds: enterprise risk management (ERM) vs operational risk management (ORM). And here, I’m not referring to the ORM framework for financial institutions that addresses Basel II-III or Solvency II type regulations, but to the act of managing the risks associated with an operation or an asset. Many companies have decided on separate approaches to ERM and ORM based on the belief that the two require different methods.
I hope I’m not going to alienate the GRC community by saying this, but personally I strongly disagree with this conclusion.
Yes, it’s true that some EH&S-type risks require a very specific analysis technique (such as HAZOP, for instance) and that an executive will most likely not be interested in all the details of every EH&S recorded incident. But this same executive will be very interested in understanding the risk level his company faces on this risk category. Why? Because an environmental type risk can trigger a non-compliance issue, a legal action, a reputational crisis, etc.
Separating the two risk worlds means that this executive will not benefit from a global view of the risk profile, which is the ultimate goal of any ERM program. And this doesn’t stop at EH&S type risks. I’m seeing many companies keep separate risk registers for legal risks, IT risks, quality risks, and many other categories.
I understand that most of the time they do so to comply with specific frameworks: ISO27xxx for Information Security, ISO14xxx or ISO26xxx for EH&S and sustainability, ISO31xxx for risk management, etc. But all these contribute to one objective: providing a realistic risk profile of the business and the obstacles it has to overcome, or at least keeping an eye on it for steady growth.
Can you imagine a plane where you would have the fuel indicator, the altimeter, and the speedometer on three different parts of the plane? Well, I would say that it has to be the same for ERM. If an executive doesn’t have this combined risk information, his decision-making process will be impaired. That being said, you may think that I’m stating the obvious and not helping much, but I actually believe there is a simple solution: consolidation.
If your company requires these separate silos – and it may have very valid reasons to do so – make sure that the risk categories managed in these silos are consolidated and reported in your overarching ERM program.
If you have detailed environmental risks in an EH&S risk register, use them to feed an “EH&S” risk category in your ERM framework. If more than x environmental incidents are reported in a quarter, use key risk indicators in ERM to notify the appropriate stakeholder of the negative trend.
Similarly, if you have IT risks in a separate register, aggregate them into a high-level risk category (e.g., IT disruptions) and notify the CIO only when the aggregate of all underlying risks reaches a defined threshold.
This way, you keep your very detailed risk registers while still being able to report on a global risk profile. And this will help executives steer the business with more confidence.
Does your company have separate risk registers per topic? If so, would you agree with my suggestions above?
Is simplification part of your organization’s long-term strategy? See Business Simplification 2015: The Unmet Strategic Imperative.