A Few Words About Us

Australian GovLink is published bi-annually with a purpose to promote and review major initiatives in local, state and commonwealth government departments and to encourage the principles of progress through partnerships between the private sector and government.


Ensuring Effective Risk Management

Best practice: Enterprise Risk Management

Historically, risk management has tended to focus on the negative – how do we identify what might go wrong? How bad will things get if it does? How can we stop it?

Another feature of old-fashioned risk management has been the tendency for it to be “siloed”, with each functional area within the organisation having its own approach to managing risk.

Modern, best practice Enterprise Risk Management (ERM) has moved contemporary risk management programs beyond these limitations.

ERM has a range of benefits for modern organisations:

  • ERM achieves efficiencies across the whole of the organisation by integrating a common approach throughout all functional areas.
  • ERM avoids the pitfall of concentrating on minor risks (such as slip hazards) at the expense of big picture risks (such as failure of critical infrastructure).
  • ERM captures the positive side of risk management, by also considering opportunities for new services, process efficiencies, improved methods of service delivery etc.




Obstacles to successful ERM

QRMC frequently assists organisations to develop or expand their risk management programs to embrace ERM. Our experience has identified a number of potential obstacles to successful ERM. Awareness of these issues can help your organisation maximise the effectiveness of its enterprise risk management program. They include:

1. Management culture – there are two components to this important issue. Firstly, without active and communicated support and cooperation from senior management, the ERM program is unlikely to receive the required buy-in and daily participation from all personnel. Secondly, if the management culture does not support frank discussion and truthful reporting, so that those who observe potential risks can openly raise them, the ERM program will mislead rather than inform management about the organisation's actual risk profile.

2. Purpose – the raison d'être of risk management is to govern the risks and opportunities that could affect the organisation's business objectives. Losing sight of this big picture and getting lost in the morass of low-level risks and procedural issues is all too easy, and will detract from the program's effectiveness.

3. Active monitoring – going through the exercise of identifying and documenting the organisation's risks is only the start of the ERM process, not the end. Many organisations produce a risk register and then fail to regularly monitor and update it. Combined with a failure to track the implementation and impact of risk controls, this means the ERM program quickly becomes out of date, which decreases its usefulness to the organisation.

4. Attitude – some organisations go through the process of developing an ERM program solely as a compliance exercise, in response to either regulator requirements or the expectations of clients. This attitude to ERM can feed into the issues noted above, and will certainly result in an ineffective "tick and flick" program of limited use in promoting the organisation's business objectives. Treating the ERM program as a genuine management tool is more likely to deliver value for the time put into developing and maintaining it.

5. Understanding risk management – it is important that all participants in the ERM program have a common understanding of the principles, goals and language of risk management. Without this, individuals may easily misunderstand, or even work at cross-purposes to, the intent of the program. It is especially critical that everyone understands what a risk actually is, as distinct from a hazard or a consequence, and can articulate it in a well-formulated risk statement.

6. Strategic vs operational – many organisations throw all risks into one great grab-bag risk register. The result can be a risk with the potential to derail core business objectives listed next to a minor operational hazard of little real organisational impact. Focusing on the risks that can affect the objectives of the particular section of the organisation considering them will tend to produce a risk register that contains more of the critical risks, and fewer of the kinds of risks that should be managed by routine procedures.

7. Ratings and prioritisation – some ERM procedures specify a complex formula for determining the residual risk rating of identified risks, which can lead to a situation in which the focus is on arguing about fine differences in risk level rather than actually prioritising and treating the critical risks. Rating levels should not be so granular that prioritising the risks becomes difficult, and beyond that the rating process should be simple and easily understood by all users.

8. Failure to integrate – if the ERM program does not integrate with other management systems and processes in all the pragmatic aspects, such as reporting requirements and budget cycles, the ERM program may not only be compromised but become a source of frustration in itself.

9. Software suitability – another common problem is choosing a software solution to manage the ERM program on the basis of the product's features, rather than on whether it meets your specific requirements or can be tailored to fit. Trying to shoe-horn a well-developed ERM program into a piece of software that is not designed to give you the outcomes you actually need is simply an exercise in futility and confusion.

Other tips to achieve results from your ERM

With years of experience in both developing and reviewing client Enterprise Risk Management programs, QRMC has been able to distil the essence of a successful program to provide the following checklist.

These tips can provide a series of prompts during the risk management process, or be used as an internal audit tool to see where your Enterprise Risk Management program or processes can be improved.

  1. Identify the context correctly – have you defined the applicable business objectives? Are you considering corporate, operational or activity/project level risks?
  2. Pay attention to business objectives – what is the impact of risks and opportunities on the business objectives: if it doesn't affect the business objectives, is it a risk?
  3. Get the risk statement right – ensure risks are tightly defined without mixing up causes and symptoms: if it's ambiguous and badly defined, the risk will be hard to effectively manage.
  4. Tailor consequence and likelihood tables – make sure the consequence and likelihood options are focused on the business objectives: if the consequence and likelihood tables don't reflect your business, you can't accurately measure the impact of the risk.
  5. Plan for implementation and checking – plan for implementation and monitoring activities, not just risk identification: risk management doesn’t end with the production of a Risk Register!
  6. Honestly assess the effectiveness of controls – truthfully evaluate the effectiveness of current treatments and mitigation strategies: if it's not really working, admit it and devise something better.
  7. Really do something, don’t just document – strongly emphasise the actual treatment of risks and document treatment plans properly: identify who will do what by when.
  8. Scrutinise new treatments – monitor the implementation and effectiveness of new treatments: identify and check performance measures within the planned timeframe.
  9. Monitoring and reporting – make sure the monitoring process actually reviews the implementation and effectiveness of the program: just generating regular reports is not enough.
  10. Communication and consultation – communication and consultation must underlie the whole process: the program can't provide full value to the organisation unless personnel from point-of-risk workers all the way up to the Board understand and are committed to the risk management process.
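As an added illustration of checklist items 2, 3, 7 and 8 and of obstacles 3 and 7, the following Python keeps a small risk register with a deliberately coarse rating and flags the things the checklist says to check: entries not tied to a business objective, risk statements that do not link a cause to a consequence, treatments past their due date, and entries nobody has reviewed. This is example code written for this page, not QRMC's method or any organisation's actual register; the 5x5 scales, the four rating bands, the 90-day review cycle, the keyword check on risk statements and the three sample risks are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed scales: five levels each, and only four rating bands so that
# prioritising stays simple (obstacle 7 above). Thresholds are illustrative.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
BANDS = [(15, "extreme"), (8, "high"), (4, "medium"), (0, "low")]
BAND_ORDER = {"extreme": 0, "high": 1, "medium": 2, "low": 3}


def rate(likelihood: str, consequence: str) -> str:
    """Map a likelihood/consequence pair to one of four bands (likelihood x consequence)."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    return next(name for threshold, name in BANDS if score >= threshold)


@dataclass
class Treatment:
    action: str          # what
    owner: str           # who
    due: date            # by when
    implemented: bool = False


@dataclass
class Risk:
    ref: str
    statement: str       # event linked to its effect on an objective
    objective: str       # the business objective threatened; empty means "not a risk"
    likelihood: str
    consequence: str
    last_reviewed: date
    treatments: list = field(default_factory=list)

    @property
    def rating(self) -> str:
        return rate(self.likelihood, self.consequence)


def validate(risk: Risk) -> list:
    """Checklist items 2 and 3: tied to an objective, and phrased as cause -> effect.
    The keyword test is a crude assumed heuristic, not a definition of a good statement."""
    problems = []
    if not risk.objective.strip():
        problems.append("no business objective")
    linkers = ("leading to", "resulting in", "causing")
    if not any(word in risk.statement.lower() for word in linkers):
        problems.append("statement does not link cause to consequence")
    return problems


def prioritise(register: list) -> list:
    """Highest-rated risks first; equal ratings keep register order (stable sort)."""
    return sorted(register, key=lambda r: BAND_ORDER[r.rating])


def overdue_treatments(register: list, today: date) -> list:
    """Checklist item 8: treatments past their due date and not yet implemented."""
    return [(r.ref, t.action) for r in register for t in r.treatments
            if not t.implemented and t.due < today]


def stale_risks(register: list, today: date, max_age_days: int = 90) -> list:
    """Obstacle 3: entries not reviewed within the (assumed) 90-day cycle."""
    return [r.ref for r in register
            if today - r.last_reviewed > timedelta(days=max_age_days)]


# Constructed sample register; the risks, owners and dates are invented.
TODAY = date(2014, 10, 10)
REGISTER = [
    Risk("R1", "Failure of the core records system during peak period, resulting in "
               "inability to process applications",
         "Process applications within statutory timeframes", "possible", "major",
         date(2014, 9, 1),
         [Treatment("Implement tested failover for records system", "CIO", date(2014, 9, 30))]),
    Risk("R2", "Wet floor in reception", "", "possible", "minor", date(2014, 5, 1)),
    Risk("R3", "Loss of key supplier leading to delayed service delivery",
         "Deliver program milestones on schedule", "unlikely", "moderate",
         date(2014, 10, 1),
         [Treatment("Qualify a second supplier", "Procurement", date(2015, 1, 31))]),
]


def report(register: list, today: date) -> dict:
    """One monitoring pass over the register: what to fix, what to chase, what to review."""
    return {
        "priority": [(r.ref, r.rating) for r in prioritise(register)],
        "malformed": {r.ref: validate(r) for r in register if validate(r)},
        "overdue": overdue_treatments(register, today),
        "stale": stale_risks(register, today),
    }


if __name__ == "__main__":
    for key, value in report(REGISTER, TODAY).items():
        print(f"{key}: {value}")
```

Running it with the sample data puts R1 (high) ahead of the two medium entries, reports R2 as having no objective and no cause-to-effect link (a hazard that belongs in a routine procedure, not the strategic register), lists R1's failover treatment as overdue, and marks R2 as not reviewed within the cycle. Everything the checklist asks for comes out of the same pass, which is the point of obstacle 8: the monitoring output should feed existing reporting rather than sit beside it.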

QRMC can provide assistance with developing, reviewing, or training personnel in the use of your Enterprise Risk Management Program. Please contact QRMC for more information.

Last modified on Friday, 10 October 2014 14:30



About Us

BGP Publishing
PO Box 159,
Newport Beach,
NSW 2106

Ph. 1800 720 585