Enterprise Compliance Today

How to Identify Corporate Risks in ERM

Posted by Greg Carroll on Fri, Jun 26, 2015 @ 03:16 PM

An effective Corporate Risk management system (or ERM) requires developing a detailed inventory of all the drivers and influences and how they affect the organisation.  It requires a methodical and introspective commitment to fully understand what makes things tick, but as with most things, a bit of effort upfront produces a lifetime of benefits.


Identifying Corporate Risks

Spreadsheets are good for collecting and rating the contribution of risks, but you will require intelligent tools to manage aggregate (butterfly) effects and contagion in real time.



I believe there is a growing awareness that simply applying the OHS risk approach (risk matrix & heat maps) to managing Corporate Risk and ERM has proven ineffective.  OHS Risk is as similar to Corporate Risk as Social Engineering is to Mechanical Engineering.  Where OHS risk is defensive and based on regulatory compliance (don’t risk it), corporate risk is strategic with an expectation on driving results (risk-reward trade-off).  Knowing most things are ‘medium risk’ is of little benefit in Strategic Management.  Knowing where things are headed and selecting the best alternative strategy is the reason for managing corporate risk.


To achieve board expectations, Corporate Risk Management needs to monitor the drivers and influences affecting an organisation, suggest prognosis and offer alternate strategies.  More than just having a Risk Register of 50,000 items, these items need to be made relevant and active by networking them together along with their contributing effect.  This is generally not difficult if done at the point of identification by operational staff.


To ease the burden for those new to this approach, I have put down my methodology for developing an effective ERM or Corporate Risk Management system.  For ease of understanding I have used a very high-level example, but in a real case the Area of Risk for the Risk Profile would be more specific than just Export Revenue.


Risk Identification

  1. Select an Area of Risk (Risk Profile)

Individual Risk Profiles would be created for each Revenue source within the Product/Service Mix.

e.g. Export Revenue

  2. Value Area of Risk contribution to business in measurable terms

Contribution is the bottom-line effect, not the headline. This is a high-level estimate of the entire Risk Profile area's contribution to the organisation.

e.g. $$, tonnes, hours/days

  3. List all objectives for that area of risk and then estimate Value at Risk

Estimating Value at Risk prior to identifying risks gives a good “gut feel” without assessment bias.

e.g. Market share, price, volume, lead times

  4. Set acceptable Limits that can be tolerated around each objective (Risk Appetite)

Upper limits of objectives cause stress on organisations.  Set upper limits based on current capabilities. (See previous article Why is it so hard to integrate risk appetite in an organisation?)

e.g. Surveys of operational management find they tend to set appetites more conservatively than actually accepted, so test thresholds against actual case history.

  5. Identify contributing factors (Risk Events) on which the objective depends and their variability

From historic analysis ascertain the effect of market/environment changes on objectives.

e.g. Exchange rates affect domestic prices by increasing import competition. Increased competition decreases market share.

  6. Estimate the contributing effects of each factor that affect each Objective

Test assumptions against known historical events to validate estimates.  This is where risk modelling can make life much easier.

e.g. 20% exchange rate, 30% competitor price spread, 15% image, 10% volume, 20% customer mix, 5% shrinkage/yield

  7. Identify direct drivers and indirect influences on which Risk Events depend and their variability

Direct means a change in a driver will cause a change in the objective, whereas an influence only has a possibility of affecting the objective.  Influences will invariably have direct effects when they experience major movements.

e.g. Balance of trade drives exchange rate, which changes the value of price in export markets.  Image contributes to premium/discount to standard pricing overall.

  8. Identify what risks can affect drivers and influences

Get front-line staff to list what events can alter each driver and influence, both threats and opportunities. Brainstorm to get most possibilities, then select a practical subset.

e.g. Competitor pricing - drivers: head-to-head competitors' prices and market demand/supply; indirect influence: number of competitors and consumer confidence

  9. Estimate worst case, best case, and most likely, as well as less likely and more likely cases

List not only outcomes but also their causal factors.

e.g. head-to-head competitors' prices: Best case +30% to us, Worst -10% to us, Most Likely +10%, more likely +5%, less likely Even Pricing.  Causal factors: competitor sales figures, competitor costing.

Risk Rating

  1. Rate the likelihood of each case under current circumstances

A 1-5 rating is only useful if the values represent the number of standard deviations.  It is easier to have front-line staff simply estimate the likelihood in percentage terms.

e.g. Likelihoods: Most Likely 66%, better 15%, worsening 15%, Best Case 2%, Worst 2%

  2. List assumptions and conditions of each rating

It is surprising how what was obvious initially is lost when circumstances turn south.  Although not directly used in risk assessment, it will be useful in future reviews.

e.g. List current competitors, their pricing, market share, and cost base (from causal factors) 

  3. Link interrelated risks, drivers, influences, etc.

Most things have side effects.  This is where spreadsheets fail and you need an intelligent systems tool.  Any business is a “complex system” requiring complex systems' management tools.

e.g. Have drivers automatically “drive” reassessment on substantial change in a leading indicator and notify management of both the area of volatility and direction of movement.  Management still needs to manage, but awareness of trends beats firefighting.


Although identification may seem a little onerous, taking a structured methodology to the identification and assessment of corporate risk will pay dividends in meeting board expectations and supporting operational management tactically.


Spreadsheets are good for collecting and rating the contribution of risks, as they are practical and easy to disseminate, but to achieve the resilience and adaptability benefits that Boards are expecting, you will require intelligent tools to identify aggregate (butterfly) effects and contagion in real time.




Tags: corporate governance, risk identification