In case you missed it, we’ve rounded up 5 takeaways from this week’s ISA SKILLS LAB on Risk Assessment and Management, as shared by the Institute of Internal Auditors – Philippines’ (IIA-P) Michael Gallego.
1. Risk management can be successful through a strong support system
Like the PGS, the Enterprise Risk Management (ERM) framework also endorses accountability within the organization. It is important that leaders see the value in planning for risks, no matter how minor. A group dedicated to monitoring and assessing these risks is also essential, as it can identify which ones are best left alone and which should be taken into serious consideration.
2. Risk management needs an established common language within the organization
In the first module of his lecture, Gallego explained that risk has a formal and a working definition. Initially defined as “taking a chance where one can succeed or fail”, its definition may be edited according to the organization’s standards. Gallego then emphasized the importance of defining risks and developing a common language within an organization. With a clear working definition, its members can work together to prioritize risks and respond accordingly. Even with changes in leadership and teams, new members can easily adopt the established language.
3. Risk management calls for risk prioritization to determine suitable responses
Risk prioritization involves assessing how to handle the different types of risks the organization may encounter. A risk profile is an important component that allows members to plot priorities and their corresponding risks.
4. Risk management is continuous
ERM does not stop after a certain period; it is an ongoing process that an organization should sustain, even with changes in leaders and members. Despite such turnovers, an organization should look at the big picture, determine its method of profiling risks, and consistently use it to avoid compromising the overall vision and objectives.
5. Risk management is not a standalone process
Gallego pointed out that ERM is not a standalone process, and that it works well with PGS since risk, strategy, and performance go hand in hand. Knowing risks and how to assess and respond to them pushes an organization to exercise its risk oversight (especially at the leadership level) and accountability, shows the variety of acceptable performance levels that are within the organization’s capabilities or risk appetite, or inclines the organization to consider risks in terms of executing plans.