Describing and prioritizing an organization's critical risks is a key role for the chief risk officer. In practice, this can be tougher than it looks, but can be achieved with the help of risk identification and assessment.
Friday, September 17, 2021
By Brenda Boultwood
The board of directors always prefers a simple, concise summary of the organization's top risks over a voluminous risk report.
Firms often use a risk heatmap to scrutinize the completeness and relative position of risks. The key question when using such a tool is exactly which risks should be featured on the heatmap (see Figure 1).
Figure 1: A Top Risk Heatmap
Top risks vary by sector, department, process, portfolio, asset and time frame. But a person's perspective on top risks may be influenced by his or her position within the organization. For example, staff may be more focused on internal operational risks, while management may think more about internal and external business and strategic risks. The board of directors, meanwhile, may be focused on reputational, political and strategic risks.
To capture each perspective accurately, organizations must define terms and have strong risk identification and assessment processes.
Relevant definitions include the following:
Current risks are potential failures that could manifest in the present period. They may be internal or external.
Internal risks are potential failures in internal business processes, assets and portfolios. Examples include higher than expected attrition and employee misconduct.
External risks are potential failures outside the organization with potential impacts within. Examples include regulatory changes, a global pandemic and weather events.
Emerging risks are potential failures in the one-to-two-year timeframe. They can be internal or external.
Strategic risks are changes in consumer behavior, technology, regulations and the business operating environment that impact an organization's ability to prosper. Emerging and strategic risks will typically be featured separately from the top current risks.
Figure 2: Top Emerging and Strategic Risks
Identification and Assessment of Top Risks
The first step in the identification and assessment process is to establish context for top risks. One might ask, though, top risks of what? Typically, the context could be an end-to-end business process, a data or system asset, or a portfolio of financial instruments.
Considering the top risks within a department or business unit is another option. But when more than one department is involved in the product or service delivery, this approach can be flawed.
Techniques for the identification and assessment of top risks include the following:
Risk-control self-assessment (RCSA), the assessment of critical risks in a business process, an IT asset or a portfolio. Identified risks can be internal or external.
Risk workshops, which bring together the experts who best understand the business process, asset or portfolio. The risk management team may facilitate brainstorming of potential failures and problems.
Supplementing these techniques, external experts can be brought in to discuss their views on the risks - e.g., to evaluate how a firm's risks compare to similar organizations. External publications on top risks, moreover, can provide critical insights that help ensure the completeness of your organization's risk identification and assessments.
The Storyteller Role of the CRO
While the risk management team can map the identified risks to your organization's risk taxonomy, and rate the risk impact and probability with a standard rating framework, the number of risks included in a top risk heatmap depends on the CRO's approach as a storyteller.
Risks can take different paths, but the CRO who can find common threads and root causes will always make a busy top-risk heatmap look simple.
Great enterprise risk management provides the framework to distinguish top risks and make the complicated seem simple. But it is also true that effective CROs take career risks, every day, in their choices about where to focus and what to say.
Risks can be mitigated by mature techniques for risk identification and assessment, but they do not obviate the need for data-driven rationale and logical risk storytelling.
Top risks are often the focal point of risk reporting, which is designed to drive meaningful business decisions. When an organization understands its top risks, the CRO and his or her team of risk executives can agree on the investments they need to make and the actions that are required to achieve strategic objectives.
Brenda Boultwood is the Director of the Office of Risk Management at the International Monetary Fund. The views expressed in this article are her own and should not be attributed to IMF staff, Management or Executive Board.
She is the former senior vice president and chief risk officer at Constellation Energy, and has served as a board member at both the Committee of Chief Risk Officers (CCRO) and GARP. Currently, she serves on the board of directors at the Anne Arundel Workforce Development Corporation.
Earlier in her career, Boultwood was a senior vice president of industry solutions at MetricStream, where she was responsible for a portfolio of key industry verticals, including energy and utilities, federal agencies, strategic banking and financial services. She also previously worked as the global head of strategy, Alternative Investment Services, at JPMorgan Chase, where she developed the strategy for the company's hedge fund services, private equity fund services, leveraged loan services and global derivative services.