Saturday, December 29, 2012

Mass participation in risk management


The typical mental picture of an enterprise risk management (ERM) activity is usually that of an austere-looking group of men and women in suits, huddled together in a board room, intently discussing the strategies and policies that have to be implemented to address their grocery list of risks. While ERM is initiated by the board, risk management is not an isolated process that is managed through padded conference halls. In fact, risk management is a dynamic activity that affects all levels in an organization.

According to the Committee on Sponsoring Organizations (COSO),
“ERM is a process, effected by an entity’s board of directors, management and personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of the entity’s objectives.”

From COSO’s definition, ERM is an activity that spans an enterprise and involves the 360-degree participation of personnel. Risk, after all, is the responsibility of everyone within an organization. If this mindset is not properly communicated, front-liners in business units may limit their participation to simply following the risk policies set by the board as implemented by the C-suite executives, when they could be doing more. Apart from following risk policies, business units are also tasked with identifying and reporting all risk exposures to the Chief Risk Officer (CRO) and Chief Executive Officer (CEO), and assuring that risk information is reported to the CRO and CEO.

While people at the operational level may not have first-hand participation in setting risk policies, it is in this area where risks are managed on a day-to-day basis. Business unit personnel comprise the majority of an organization’s population and are oftentimes the first people to spot potential and actual risk exposures. Though the business units’ task checklist in ERM is not as comprehensive as management’s, your organization may be missing out on the “wisdom of the crowd” if you do not provide a platform for the majority of the people in the organization to participate in risk management.

Your “crowd” does not have to take part in all of the ERM processes, but venues should be made available so that their suggestions, identified risks, and solutions can be heard and evaluated for merit. The following are some technology-based channels that your organization can use to harness the power of mass participation in risk management:

Internal risk knowledge database
Leverage your existing IT infrastructure to create a risk management database that can be accessed by or made available to employees. Submissions for new entries in your risk database can be managed or gathered at the front-end by providing a landing page on your existing intranet website for enrolling new risks/risk solutions. New risk submissions may be evaluated by your risk management unit under the CRO using set criteria (e.g., frequency of the same risk incident being reported, organizational levels where the risk has been reported, potential impact) to determine if they are for assimilation in your existing risk matrix. Risk solutions may also be gathered through the same landing page.

Collaborative communication tools
If you have existing collaboration tools such as Microsoft SharePoint or other wiki tools, you may consider customizing them to allow for collaborative work in gathering data for risk identification and mitigation. Who is given access, as well as the specific activities that can be performed through collaboration, has to be defined at the outset to ensure that the information gathered can be properly evaluated and considered for integration or implementation in risk management processes.

Social media
Facebook, Twitter, and other social networking sites may provide you with another venue for opening up your risk management activity to a broader audience. It may be challenging to gather meaningful inputs from these sources, but if objectives and methods on using these sites are properly defined, social media can be an effective tool in facilitating discussions and harnessing rich inputs from employees to identify and address risks. Discussion boards, polls, quick surveys, and other data gathering techniques may also be deployed using social media.

The above listing is not exhaustive, as there are other means by which you can engage employees in the risk management activity. As with any strategic decision, benefits and costs have to be weighed before technology-based channels for ERM can be implemented in your organization. Traditional methods such as defined escalation policies, face-to-face consultations, and integrated risk reporting in process workflows are other mechanisms for employee participation. Regardless of the tools or methods, a culture of encouraging dialogue and providing employees with open channels for discussing risks is essential for ERM to succeed in your organization.

Jahleel-AN A. Burao CPA is a Lead Consultant with the Advisory Services Division of Punongbayan & Araullo.
Executive Brief – November 2012
Punongbayan and Araullo
