Enterprise risk management (ERM) requires continuous monitoring of internal and external factors to seize opportunities to achieve and exceed the company's objectives. In this post, I collected some successful practices to facilitate this process.
1- Internal Audit (IA) or the ERM group needs to formally update its risk assessment at least annually. Risk areas should include at least the following: Strategic & Marketing, Fraud, Financial, Treasury & Credit, Operational, Legal & Regulatory, and External & Environmental.
2- ERM needs to be integrated into the budget and business planning processes. Its metrics need to be used for reward analysis.
3- Only involve the stakeholders and locations that need to be part of the risk assessment process depending on the current risk tolerance, company position and attitudes.
4- I recommend both top-down and bottom-up risk assessments to identify, understand, share, and value emerging risks. Both approaches should be balanced to cover both concrete risk details and abstract mindsets. A common risk language needs to be shared throughout the organization. Risks identified in previous audit reviews and other external sources (e.g. industry information or publications from the Corporate Executive Board) also need to be included.
5- Select a proper information channel within your company to identify and follow up risks (e.g. questionnaires, web forms, focus groups, interviews). Efficient communication throughout this process is a must. Lead the risk identification process by relating information from different areas, indicating detected weaknesses and questioning your suspicions. Look for any "snowball effects".
6- Include not only risk likelihood and impact, but also risk velocity and control environment in the assessments.
7- Risk inventories need to be frequently updated to include new emerging risks.
8- Executive Management and the Audit Committee need to be presented with those assessments, prioritized and consolidated by risk area (based on the internal risk-ranking methodology and shown in a heat map).
9- The IA or ERM group formally monitors risks and reviews the organization's top risks with the Board on a quarterly basis.
10- Establish ownership for each risk and its action plans. Define objectives and expected outcomes for risks for both the short and long terms. Identify strategies to deal with key risks and apply them consistently. Also, include contingency plans at this stage.
11- Follow up the risk status and the owner responses on a periodic basis.
12- Internal audit efforts (and, where feasible, SOX audits) should be linked to key risks to ensure efficient coverage.
13- The effectiveness of the actions taken needs to be reviewed (cost-benefit analysis).