Chapter 4: ERM

This chapter provides orientation on the ERM solution, an on-demand solution where enterprise risks, objectives, and loss events can be managed.

Enterprise risk management is an ongoing process to identify risks to the business and its objectives, to formalize the decisions made as to what will be done about them, and to ensure controls are in place and having the intended effects. Through this process, stakeholders are provided with a valuable perspective on the risks the organization is facing and the actions being taken to mitigate them.

In the system, a top-down approach is taken to the risks catalogued in the risk register. Risk owners can be assigned, and risks can be classified into categories and types. An inherent probability and an inherent impact are provided for each risk; these are used to calculate the Inherent Risk Score and to generate the risk matrix. The risk matrix plots each risk in the register according to its inherent probability level, its inherent impact level, and the Qualitative Risk Score, allowing the most critical risks to be easily identified.

When registering a risk in the system, values can also be entered for the residual impact and the residual probability. These values represent the impact that the risk would have on the organization and the probability of it occurring assuming the associated controls are in effect, and they will be used to calculate the Residual Risk Score.

In addition to assembling a risk register, a catalogue of controls can be created that details procedures and practices to be adopted to minimize the impact a risk may have on the organization, should it materialize, and reduce the chances of it occurring. Controls can be associated with one or more risks in the register, and should be actively monitored to ensure not only that they are implemented and kept up-to-date but also that they are effective.
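As an added illustration of the register, scoring and control relationships described above (example code written for this chapter, not part of the ERM product), the following models a small register on an assumed 1 to 5 rating scale with score = probability × impact, and credits a risk's residual values only while every associated control is implemented and effective; the risks, controls and ratings are constructed.

```python
from dataclasses import dataclass, field

# Assumed rating scale: probability and impact from 1 (lowest) to 5 (highest),
# score = probability * impact. The product's own formula is not stated here.
LEVELS = range(1, 6)

@dataclass
class Control:
    name: str
    implemented: bool
    effective: bool

@dataclass
class Risk:
    name: str
    inherent_probability: int
    inherent_impact: int
    residual_probability: int
    residual_impact: int
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.inherent_probability * self.inherent_impact

    def residual_score(self) -> int:
        # Residual ratings assume the associated controls are in effect, so they
        # are credited only when every control is implemented and effective;
        # otherwise the risk is still carried at its inherent score.
        if self.controls and all(c.implemented and c.effective for c in self.controls):
            return self.residual_probability * self.residual_impact
        return self.inherent_score()

def risk_matrix(risks):
    # Map each (probability, impact) cell of the inherent matrix to risk names.
    matrix = {(p, i): [] for p in LEVELS for i in LEVELS}
    for r in risks:
        matrix[(r.inherent_probability, r.inherent_impact)].append(r.name)
    return matrix

def most_critical(risks, top=3):
    """Risk names ordered by Inherent Risk Score, highest first."""
    ranked = sorted(risks, key=lambda r: r.inherent_score(), reverse=True)
    return [r.name for r in ranked[:top]]

# Constructed sample register: hypothetical risks and controls.
MFA = Control("MFA on remote access", implemented=True, effective=True)
BACKUPS = Control("Offline backups", implemented=True, effective=False)
REGISTER = [
    Risk("Credential theft", 4, 4, 2, 4, [MFA]),
    Risk("Ransomware outage", 3, 5, 2, 3, [BACKUPS]),
    Risk("Key supplier failure", 2, 3, 2, 3),
]
```

With this sample, "Ransomware outage" keeps its inherent score of 15 because its only control is not yet effective, which is exactly the gap that control monitoring is meant to surface.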

Losses arising from any incidents can be registered in a loss database. In addition, here you can manage the objectives of your business, which allows more control over the actions taken to ensure that these objectives are fulfilled.

It is important to understand that the ERM solution is not linked to the Risk module. In the Risk module, it is assumed that the controls are known and the risks unknown, and projects are created to determine risk levels assuming those levels would be lower if the associated controls were implemented. The Risk module also uses a more granular, bottom-up approach, analyzing risks at the asset level and aggregating the results upwards towards the associated business components.

In the ERM solution, both the risks and controls are broader in nature and generally have business component- or organization-wide effects, which indicates that there will be considerably fewer of them. Projects are not used in the ERM solution, and instead both risks and their controls are continuously monitored. In addition, enterprise risks can be sent for treatment in the Workflow module where they can be monitored and queried.