Top Challenges in Enterprise Risk Management

As I close out my client inquiry records for the quarter, it’s interesting to review some of the common challenges risk management professionals are currently facing. I was impressed to see how closely the issues I deal with were covered in this month’s edition of Risk Management Magazine. In an article entitled “10 Common ERM Challenges,” KPMG’s Jim Negus called out the following issues:

  • Assessing ERM’s value
  • Privilege (of access to risk information)
  • Defining risk
  • (Selecting a) risk assessment method
  • Qualitative versus quantitative (assessment metrics)
  • Time horizon (for risk assessments)
  • Multiple possible scenarios
  • ERM ownership
  • Risk reporting
  • Simulations and stress tests

Negus provides good perspective on these challenges as well as some ideas for solutions. The list is fairly comprehensive, but there are several other challenges that I would have included based on the inquiries I get. First and foremost, the role of technology in risk management – whether for assessments, aggregation, or analytics – comes up very frequently, and vendor selection initiatives have been plentiful since mid-Q4 of last year.

Defining risk management’s role within the business (and the business’s role in risk management) is also an extremely common topic of conversation. As rules and standards keep changing, this will remain a top challenge. Other frequent issues include event/loss management, building a risk taxonomy, and evaluating vendor/partner risk.

I realize this list could ultimately cover several pages... risk management is a very challenging aspect of business. But if nothing else, I think it’s important to show that your peers in other companies – and often your colleagues in other departments – are going through challenges very similar to yours. Keep that in mind, and look for avenues to share information, best practices, and lessons learned. And as always, we welcome any comments or feedback you have on this site.

Posted by Chris McClean

Comments

A few items I would add to this list:
1. Alignment of all risk assessment programs within the enterprise (ERM, Internal Audits, various Compliance Groups, Information Risk Management, Legal / Privacy, etc…).
2. Risk Aggregation. Taking all of the risk the various groups are managing and representing it in a single view.
3. Risk Repository Consolidation.
Understanding how to achieve the above can contribute to addressing some of the challenges that Negus and you have listed.