In all areas of risk, there can be enormous uncertainty surrounding the data. However, it is important to remember that you don’t always need to quantify risk in order to manage it – but you do need to measure risks in relation to one another in order to appropriately prioritise, and this can be done qualitatively.
Essentially, our De-RISK ERM model is a simplification of the total ERM framework, with the financial element removed.
This is not to suggest that financial risk should be ignored – far from it – but it is meant to imply that financial risks should continue to be identified, quantified and managed (separately) using established processes and tools.
All other risks should be evaluated qualitatively and only quantified where this can be justified by the quality of the available data and there is a clear need to have a quantified result.
The De-RISK approach to ERM emphasises two ‘new’ areas:
Transformation risk management
Projects and programmes which result in significant change (such as new product development, mergers and acquisitions) will transform the current business. This is often when the business is exposed to the most risk, as the pressures of change increase the risk to both existing operations and the projects designed to transform them.
Whilst contingency planning is not strictly “risk management” (contingency planning is reactive, where risk management is pro-active), it is still an essential part of any ERM system, as business continuity is paramount for any organisation.