Updated on February 14, 2024
Risk management is key to an organization’s success. Because organizations are exposed to all types of threats, they must implement a rigorous process to counter those threats, along with strategies for dealing with and reducing them.
An effective risk management strategy not only avoids pitfalls and provides a means to react before it is too late, but it also builds trust and confidence that reassures your customers, business partners and investors.
For a publicly listed, high-growth international company with offices on several continents, such as one of our clients, such a strategy is clearly essential.
The client, with current sales of more than US$1B, wanted a solid base on which to build its expansion by reinforcing its risk management and internal audit procedures.
The client called on our experts for support in developing and implementing an enterprise risk management framework (ERM framework) and improving the related audit controls and reports.
A rigorous process
During this extensive three-year assignment, we worked closely with the directors, officers and various department managers in several countries.
The assignment consisted of defining the company’s main business risks and its risk tolerance, then setting procedures to monitor and identify them. All major risks, whether technological, financial, political or other, were taken into consideration.
At the start, our experts undertook numerous consultations within the organization to gain a clear understanding of its operations, industry and issues. These discussions provided an inventory of the company’s risk exposure and helped determine the top twenty.
This was followed by a workshop during which directors and officers discussed the risks and existing controls and ranked the top twenty by importance (i.e. their impact on the organization and the probability of their occurrence).
These discussions, structured by our proposed methodology, provided the means to set the tolerance level for the main risks and a framework to monitor the situation and notify the directors and officers of any problem.
Determining the tolerance level for the various risks is a complex exercise that requires careful consideration. For example, it was decided that the ten main risks would be discussed by the Board of Directors (BD) every three months and that for the others, the BD would only be notified when the risk exceeded a certain threshold.
For an e-commerce company, for example, the threshold could be the number of minutes the site experienced downtime in a month.