Enterprise Risk Management [CRAB]
Management encounters various risks at different points in time and thus establishes mitigating controls & systems. In the throes of development & growth, organisations are often too constrained by the resource & talent crunch to revisit & evaluate their controls for relevance & continuing suitability in present times. Sustenance precedes Sustainability in order of priority and results in resource burn-out.
Organisations are often daunted by the uncertainty of their present status and, most importantly, of their risks and controls. Some risks may have been (in)formally known but not systematically analysed. Some could even carry a bias of reference or comfort. Identifying the underlying business risks and planning the mitigation measures helps organisations to forge their focus & attention.
CRAB is a sophisticated tool to identify, assign, evaluate and analyse enterprise-wide risks to set the direction & gain control over them. This is a unique product developed through years of research and practice. References to the basic concept can be found in several International Standards and in the literature. Risk is nothing but the uncertainty of an event or outcome caused or influenced by internal or external factors that directly or indirectly affect the entity. Unlike existing models that work on 2 dimensions, it is the combination of 3 vectors – Probability, Severity & Controls – and this relationship determines the magnitude of the Risk. To make it action oriented, additional management elements of interaction are also included to identify the loci of issues. Ideally this assessment is done by key people who perform work, verify work and manage work (all 3 levels).
Risks are identified irrespective of their significance or category and evaluated in a holistic manner. The resultant output is expressed using graphs for easy interpretation and understanding, forming the baseline report that facilitates the organisation's growth and direction and leads it towards business excellence.
As a result, a new Vision & Mission statement is made, which could be well refined from the earlier ones and warrant changes in the way the business is conducted.
- Comprehensive Business Risk Assessment Service to determine the organisation Risk Profile and to prioritise Top Risks for action.
- Web based Integrated Management System Risk Assessment & Register services to administer Risk Assessment that complies with the requirements of all International standards and to demonstrate performance improvement over successive cycles.
CRAB - Enterprise Risk Assessment Tool
Identify & populate risks and their association. Evaluate them for their probability, severity & controls. Input the evaluation into the software to compute the Enterprise Risk Profile. The output of such an exercise is in the form of graphs that are easy to interpret & understand. Top 10 & Top 20 risks are thoroughly analysed and validated. Risk tolerance levels are defined for various functions with due cognizance of existing controls & risk profile. A Risk Mitigation Strategy is evolved, integrating with operational policies & procedures.
Top 10 Risk
What is most revealing to the management is the discovery of the Top 10 Risks that batter its performance. These risks are computed based on the information collected / polled against each risk. For the sake of convenience, extraneous risks could be exempted to avoid a skew in the data and results. This automatically elevates the importance of attention to & control of the identified risks.
Risk Vs Control
This is a display of the Top 20 Risks compared against the controls exercised. The difference between the risks & controls reveals the process maturity. In any normal instance the top few risks would be much higher than the controls and thus the difference is leading (negative). The later risks, by contrast, are well managed through an acceptable level of controls commensurate with the risks, and eventually the difference will be lagging (positive). This helps the enterprise to identify & validate key action areas.
Business Risk Matrix
The Business Risk Matrix is the correlation of the probability of risks versus their consequence. The importance of this relationship is to visualise the risks in a holistic manner. The size of the bubble indicates the magnitude. Both the probability & consequence are graded as Lo & Hi. A derivative of this information would be used to caution the processes where the magnitude of risks is in consonance with either probability or consequence or both.
Organisation Risk Profile
This graph reveals the function-wise risk profile of the organisation, mapped based on the individual function’s contribution to handling risks, be it the origin function or the control function. This definitely gives a new dimension to risk management and sets the baseline to identify resources & establish requisite controls.
The Risk Responsiveness graph indicates the responsiveness of the organisation. This should be viewed in conjunction with the earlier graphs. It may surprise a few that organisations still survive with high risks. The secret is the responsiveness – Reactive Response & Proactive Response. The higher the risks are away from the ‘0’ line, the better the planning is. Proactive response is a result of scientific planning and diligent implementation.
Risks are prioritised based on their urgency and importance to the organisation and its customers. Fewer Urgent issues mean they are better managed. A larger number of important issues indicates the criticality of the process. This means that if the risks are managed proactively and mitigated in time, they don’t become urgent and consume the productive time of the executives. An even distribution of all risks indicates the organisation's planning and control over its activities.
Integrated Management System Risk Assessment (IMRA)
Almost all businesses today have established some form of a system (validated or not) to identify and manage risks. The International Organisation for Standardisation (ISO) has also adopted the risk based approach to standardisation and, effective 2013, all new standards released and those revised adopt the risk based approach to management. With multiple domains of expertise managing different risks, viz. Quality, HSSE, IT, Customer Loyalty, Corporate Governance, etc., the probability of adopting a non-cohesive approach by implementing multiple ways of risk assessment is itself a great potential risk.
IMRA is a web based Risk Assessment Tool that provides a host of features for customising the risk assessment as applicable to the organisation based on its risk appetite, maturity and business needs. It is built with the capability of assessing the organisation’s risks across all domains of expertise as applicable, down to the task level, for control & mitigation. Threshold levels for risk significance are computed automatically, with provision for the organisation to determine its own level for control and management. This multi user system enables simultaneous population and risk assessment by user departments with centralised administration control by the executive management.
The intuitive Dashboard provides interactive reporting features and a historic comparison of risks & trends for choosing the control mechanisms. This aids organisations with articulated data to demonstrate continual improvement in reducing the number of risks, progressive reduction in the magnitude of risks, etc., both internally to the management and externally to the stakeholders, underwriters and conformity assessment bodies. This can also be integrated with eGavel for implementing the risk control & mitigation strategies.
ERM Consultancy Services
Determining the baseline through Enterprise Risk Profiling
- Comprehensive Business Risk Assessment & reporting
- Validation of T10 & T20 Risks for Enterprise Risk Profile
Note: It is a baseline assessment of the organisation’s risks and its management profile. Knowing this is the beginning in determining the direction and quantum of progression. This may even require a relook into the business analogy and policies adopted.
- Developing Risk Mitigation Strategies through a rational approach & brainstorming; milestones are determined and corresponding actions planned.
- Support in conducting Risk Assessment, Business Continuity & Contingency Planning, Evaluation & Management Review
- Measurable milestones set up in order to realise the Vision set by the management. These often come out as a measure of Critical Success Factors (CSF) or Key Result Areas (KRA). These Objectives are broken down into measurable Key Performance Indicators (KPI).
- Legal Compliance Management can also be integrated as part of this project thus ensuring Zero Deviation to legal & regulatory requirements.
ERM Implementation Roadmap
- Form a Core Group to steer this project to completion well within the time schedule.
- Provide awareness on Enterprise Risk Management.
- CRAB Assessment to determine the datum line and validate the T-10 & T-20 Risks to ascertain the Enterprise Risk Profile.
- Determine risk tolerance levels and define a corporate policy on dealing with this.
- Steer the Risk Mitigation Strategy and validate the action plan.
- Identifying common linkages for integration with existing operational framework.
- Implement Legal Compliance Management System.
- Evaluate effectiveness of risk mitigation and impact of residual risks.
- Implement Business Continuity Planning and even claim certification to ISO 22301.
Contact us for a complimentary Executive Presentation on ERM implementation.