Sleep-at-Night Assurance: Integrating Enterprise Risk Management and Project Management


The management of multiple construction projects illustrates the power of integrating Enterprise Risk Management (ERM) into project management. If a developer is considering a big risk in a small project and a small risk in a big project, which one is the priority?

Choosing the most suitable elements from the various ERM standards available, you can provide your enterprise with a custom framework that assures risk is identified, measured and able to be managed.

Comparability of Risk

Measuring likelihood and impact makes it possible to compare these risks. If the project managers throughout the company share a common method for categorizing and measuring risk, then reliable comparisons of risks can be made. ERM overlays two important ways of ensuring and enhancing comparability.

  • ERM can provide a common set of risk categories to apply to all projects. The Committee of Sponsoring Organizations (COSO) called for developing a “portfolio view” of risk and the use of risk categories in its first standard (Enterprise Risk Management – Integrated Framework) and reaffirmed these concepts in its 2016 Exposure Draft of its revised standard. (This Exposure Draft was closed for public viewing on September 30th.) A company may adopt as categories such items as asset risk, concentration risk, legal and regulatory risk, EHS (environment, health and safety) risk, etc. Within those categories, a strong ERM program will provide a common set of defined risk items. For example, if it is important to draw a distinction between mechanical breakdown and unavailability of replacement parts, a catalogue of defined risk items ensures that this distinction is made in all projects.

[Figure: risk category chart]

  • ERM also ensures that, for all projects, there are common metrics for measuring the impact and likelihood of risks. All ERM standards advocate using common criteria for measuring impact and likelihood. To reinforce a common understanding of a rating system, the measures of impact and likelihood are often presented in matrix form. For example, the U.S. Federal Guide (Playbook: Enterprise Risk Management for the U.S. Federal Government), authored by the Chief Financial Officers Council and the Performance Improvement Council presents its rating system this way:

[Figure: risk prioritization matrix from the U.S. Federal ERM Playbook]

Categorizing and measuring risk using a common methodology solves the problem of comparing “the big risk in a small project and the small risk in a big project.”

Prioritization of Risks

Rendering risks in a way that makes them easily compared unlocks another advantage of ERM for project management. Once risks have been categorized and measured in the same way, they can be aggregated for prioritization. The above-mentioned Federal Playbook is one of the standards that advocate the use of a Risk Register. Having a single Risk Register for the entire enterprise allows management to sort risks, identify the highest-priority ones and allocate resources effectively. Using a Risk Register this way enables management and the board of directors to speak with authority about the total risk of the enterprise to its various stakeholders: shareholders, regulators, lenders, etc.

Sleep At Night Assurance

The aggregation of risk not only makes it possible for management to state how much risk is in the enterprise; it also allows management to consider, in a meaningful way, how much risk it wants to have in the enterprise. The COSO standard, a governance-oriented framework, expresses this as the “Risk Appetite” of the enterprise. COSO defines Risk Appetite as “the types and amount of risk, on a broad level, an organization is willing to absorb in the pursuit of strategic business objectives.” With a defined Risk Appetite in hand, management can then speak to the stakeholders about its ability and intention to manage risk to an acceptable level, which is the essence of the “sleep at night assurance” of ERM.
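The three mechanisms described above (a common risk catalogue with categories, common impact and likelihood scales, and a single enterprise Risk Register sorted and checked against a Risk Appetite) can be made concrete in a few dozen lines. The following is an added example written for this page; it is not code from The ALS Group, COSO or the Federal Playbook. The 5-point scales, the dollar and probability bands behind them, the project names, the sample risks and the appetite thresholds are all assumptions constructed for illustration; the Playbook's actual matrix is not reproduced. The point it demonstrates is that because impact is rated in enterprise terms (expected loss in dollars) rather than relative to each project's budget, the "big risk in a small project" sorts ahead of the "small risk in a big project" without any special handling.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """Common risk categories applied to every project (names taken from the article)."""
    ASSET = "asset"
    CONCENTRATION = "concentration"
    LEGAL_REGULATORY = "legal and regulatory"
    EHS = "environment, health and safety"


# Catalogue of defined risk items. Keeping "mechanical breakdown" and
# "replacement parts unavailable" as separate entries guarantees every
# project draws that distinction the same way. (Constructed list.)
RISK_CATALOGUE = {
    "mechanical breakdown": Category.ASSET,
    "replacement parts unavailable": Category.ASSET,
    "single-supplier dependency": Category.CONCENTRATION,
    "permit delay": Category.LEGAL_REGULATORY,
    "site injury": Category.EHS,
}

# Assumed 5-point rating scales: (upper bound, rating); anything above the
# last bound rates 5. Impact is expected loss in dollars, likelihood is an
# annual probability. These bands are an assumption, not the Playbook's.
IMPACT_BANDS = [(10_000, 1), (100_000, 2), (1_000_000, 3), (10_000_000, 4)]
LIKELIHOOD_BANDS = [(0.05, 1), (0.20, 2), (0.50, 3), (0.80, 4)]


def rate(value: float, bands: list[tuple[float, int]]) -> int:
    """Map a measured value onto the 1..5 rating scale defined by `bands`."""
    for upper, rating in bands:
        if value <= upper:
            return rating
    return 5


@dataclass(frozen=True)
class Risk:
    project: str
    item: str            # must be a catalogued risk item
    expected_loss: float  # dollars, in enterprise terms, not relative to project size
    probability: float    # annual probability, 0..1

    def __post_init__(self) -> None:
        # Reject anything outside the common catalogue or the valid probability range.
        if self.item not in RISK_CATALOGUE:
            raise ValueError(f"{self.item!r} is not a catalogued risk item")
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must be between 0 and 1")

    @property
    def category(self) -> Category:
        return RISK_CATALOGUE[self.item]

    @property
    def impact(self) -> int:
        return rate(self.expected_loss, IMPACT_BANDS)

    @property
    def likelihood(self) -> int:
        return rate(self.probability, LIKELIHOOD_BANDS)

    @property
    def score(self) -> int:
        # Position on the impact x likelihood matrix, 1..25.
        return self.impact * self.likelihood


class RiskRegister:
    """Single enterprise-wide register; `appetite` is the maximum tolerated score per category."""

    def __init__(self, appetite: dict[Category, int]) -> None:
        self.appetite = appetite
        self.risks: list[Risk] = []

    def add(self, risk: Risk) -> None:
        self.risks.append(risk)

    def prioritized(self) -> list[Risk]:
        # Highest score first; ties broken by impact so severe-but-rare risks stay visible.
        return sorted(self.risks, key=lambda r: (r.score, r.impact), reverse=True)

    def by_category(self) -> dict[Category, int]:
        totals: dict[Category, int] = {}
        for r in self.risks:
            totals[r.category] = totals.get(r.category, 0) + r.score
        return totals

    def outside_appetite(self) -> list[Risk]:
        # Risks whose score exceeds what the enterprise said it is willing to absorb.
        return [r for r in self.risks if r.score > self.appetite.get(r.category, 0)]


def build_sample_register() -> RiskRegister:
    """Constructed sample data: a large tower project and a small parking-garage project."""
    appetite = {Category.ASSET: 12, Category.CONCENTRATION: 12,
                Category.LEGAL_REGULATORY: 15, Category.EHS: 6}
    reg = RiskRegister(appetite)
    reg.add(Risk("Tower Project", "permit delay", 200_000, 0.30))                 # score 9
    reg.add(Risk("Tower Project", "site injury", 5_000_000, 0.02))                # score 4
    reg.add(Risk("Tower Project", "single-supplier dependency", 800_000, 0.90))   # score 15
    reg.add(Risk("Garage Project", "mechanical breakdown", 1_500_000, 0.60))      # score 16
    reg.add(Risk("Garage Project", "replacement parts unavailable", 50_000, 0.10))  # score 4
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for r in register.prioritized():
        print(f"{r.score:>2}  {r.project:<15} {r.item:<30} {r.category.value}")
    print("outside appetite:", [r.item for r in register.outside_appetite()])
```

Run as a script, the register lists the Garage Project's mechanical breakdown (score 16) ahead of every Tower Project risk, and flags it together with the Tower Project's supplier concentration (score 15) as exceeding the assumed appetite; the category totals are what a board would cite as the enterprise's total risk by category.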

Contact us for help structuring your Enterprise Risk Management program.


Our areas of expertise include:

  • Enterprise Risk Management (ERM)
  • Cyber Security & Cyber Liability Insurance
  • Construction Management
  • Customized Risk Management Assessments (RMAs)
