We are often asked for insight on business measures or KPIs for ERM programs to track overall progress and effectiveness. The key question for risk managers is: how do I measure the value ERM is delivering to my organization? The following are examples of measures that will quantify and measure the value your ERM program is providing
1. Number of systemic risks identified Systemic risk identification will detect areas of upstream and downstream dependencies throughout your organization, such as when one area of the organization is unknowingly causing strain on other areas. Additionally, this method could also identify areas that would benefit from centralized controls so the extra work of maintaining separate activity level controls is eliminated, increasing organizational efficiency.
2. Percentage of process areas involved in risk assessments ERM is cross-functional in nature and cannot be done in silos. A business is the sum of its parts. The same is true of risk. A risk event in one functional area also affects other functional areas within the business. Process owners own the risk; risk managers own the completeness, timeliness, and accuracy of the risk information. The more process owners involved in risk assessments, the more accurate and forward-looking the information collected will be, both of which are hugely valuable to the organization.
3. Percentage of key risks mitigated Having a sense of your overall risk coverage is important; however, it is not nearly as valuable as knowing the coverage of your organization's key risks. Because all risk assessments should be conducted on standardized criteria, you can determine a uniform tolerance, or cut level, throughout the organization based on the resulting assessment indexes.
What are your thoughts?