ENTERPRISE RISK MANAGEMENT AUDIT

 

Measure what Matters, Make better Decisions

Managing risk is one of an organization’s top priorities. But often, the most dangerous risk is the risk management system itself. Learn more about how Hubbard Decision Research’s Enterprise Risk Management Audit helps decision-makers protect their organizations by identifying risks, pinpointing weaknesses, and implementing proven risk mitigation tactics.

Every enterprise is faced with risks, both known and unknown. But one of the biggest risks to an organization is often the enterprise risk management system itself.

Our Enterprise Risk Management (ERM) Audit performs two vital functions:

  1. Identifying risks and ways to mitigate them; and
  2. Finding critical holes in your ERM system that expose your organization to more risk.

The outcome is better risk assessment and mitigation that is more likely to significantly reduce uncertainty and risk and increase your chances of avoiding serious loss.

The Problem

An organization is constantly beset by threats, both threats that are known and those that aren’t. These threats, if left undetected and unmitigated, can cause serious to catastrophic damage and loss to an organization. The risk posed by these threats (the likelihood of an event happening multiplied by the potential loss) needs to be assessed so that it can be mitigated as much as possible.

Unfortunately, ERM systems used by most organizations are based on little more than subjective gut feel and intuition. Research and real-world experience both have shown how these systems can actually create more risk – and are often worse than doing nothing at all because they lure an organization into a false sense of security.

The Process and Deliverables

Our Enterprise Risk Management Audit is designed to solve this problem through a two-pronged approach: an audit of various organizational factors and a plan to improve risk management and mitigate key risks.

The Audit

Our auditing process takes a critical look at every aspect of an organization’s risk posture, ranging from risk assessment practices to risk management planning and the organizational structure itself. The goal is to evaluate the system so we can pinpoint weaknesses and propose improved risk management processes.

In this process, we are performing four key assessments:

  1. Breadth of risk: How thorough your ERM system is at identifying and assessing threats to your organization
  2. Methods and tools: The processes and methodology used to not only evaluate the risks, but model probabilities for better analysis
  3. Organizational structure: How your organization is – or isn’t – structured for better risk management (e.g. the presence of a risk committee, chief risk officer, or formal risk management department)
  4. Risk management and mitigation: Examining how effective the organization is at acting on risk assessment and taking active control measures to mitigate and manage the risks.

The Plan

The second component is the risk management plan. During this process, we use the data and insight gathered during the audit to put together a comprehensive plan that contains:

  1. Recommended areas for improvement
  2. A schedule for rolling out improvements
  3. Suggested organizational structure for improvements, including any recommended/required personnel training
  4. An introduction to simple, intermediate solutions that can improve risk management until the full plan is implemented (e.g. a simple one-for-one substitution model)

The final plan is delivered via a written report and final presentation to key personnel and decision-makers, such as executives and board members. We also deliver quantitative models created in Microsoft Excel spreadsheets that can be easily used by your team moving forward to continually improve the new risk management system.

The Benefits

A quantitative enterprise risk management plan, complete with statistical modeling and training, has been proven to improve risk assessment by reducing uncertainty and delivering actionable insight to help an organization better protect itself from loss.

Our ERM Audit also helps you learn what threats you should prioritize – even ones you may not be aware of – giving you a better overall enterprise-wide threat picture.

The process Hubbard Decision Research uses outperforms systems that use only expert judgment or pseudo-quantitative, soft-scoring methods (e.g. risk matrices, heat maps, and weighted scoring). By applying statistical modeling, along with calibrated self-assessment, we can give your organization measurable improvement in your risk mitigation posture.

Learn more about our Enterprise Risk Management Audit service and how it can benefit your organization. Contact our team for an initial conversation, and take the first step toward evaluating the biggest risk of all: your risk management system.

Our Method: Applied Information Economics

The risk assessment process used by Hubbard Decision Research in our ERM Audit is called Applied Information Economics (AIE). Developed by Doug Hubbard, AIE is designed to help organizations make better decisions by measuring what matters.

AIE incorporates techniques from economics, actuarial science, and other mathematical methods. These methods are based on a large body of peer-reviewed academic research and decades of empirical evidence on improving human expert judgments.

AIE is not merely academic, however; it is a practical approach that has measurably improved real-world processes for clients ranging from Fortune 100 corporations to the U.S. military, international organizations, and governments at all levels.

Our process involves four key steps:

  1. Define the Decision: We assist our clients with identifying and quantifying the key decision that needs to be made. Sometimes the real decision is different than what the decision-maker initially thinks. We evaluate the cost versus the benefits, along with risks, external factors, and timing to clarify the decision.
  2. Model What We Know Now: Organizations have more data than they think, even if they believe it’s incomplete and based on values that are “impossible” to measure. We help clients gather data, compensate for natural cognitive biases that may result in inaccurate and inconsistent assessments from your team, and create models that reflect what we collectively know.
  3. Measure What Matters: Not everything should be measured. Not all pieces of information are worth pursuing. We help clients calculate the value of information for data to give us a better idea of what needs to be measured – the key variables that will result in a better assessment.
  4. Make Better Decisions: The output is a decision that is measurably better than it was before we began the process. These decisions aren’t just “yes/no” or “accept/reject” choices, but can also be combinations of several different options. Prioritized decisions are presented in a decision model whose outputs are viewed in context of an organization’s calculated risk appetite.

The final output of the AIE process isn’t a point scale, an ordinal “high, medium, or low” rating, or some other soft, pseudo-quantitative output. Rather, possible decisions are presented in a quantified way so that decision-makers can see the risks, benefits, and likelihoods of all possible choices – and thereby make a better decision.

Finally, through AIE’s proven mathematical process, decision-makers will have what we call a “Return on Control” (RoC) on each proposed risk control measure. This is a quantifiable, empirical way to display the expected return for each mitigation measure, thus giving decision-makers an actionable, prioritized list of what to do and when to do it.

For more information about how to use Applied Information Economics to measurably improve your ERM frameworks, contact us for an initial conversation.
