What we do
Risk function review
Do you need a risk function review? Some of these may sound familiar:
In our risk function reviews, we cater to two main scenarios (and a range of businesses operating somewhere in between).
In the first scenario, an organisation’s board and executive broadly know and accept that risk needs to improve, and they have a relatively good understanding of how. In these cases, a simple ‘light touch’ review may be appropriate, where the main objective is just to help prioritise and plan improvement works.
At the other end of the spectrum, ERM International will conduct a comprehensive review of risk across the business. This may incorporate multiple site visits, detailed documentation reviews, interviews of key personnel, and presentations to directors and management to detail findings and work towards achieving aligned priorities on where to go next.
Within these two main scenarios, we offer a number of different review frameworks, depending on the requests and circumstances of our clients.
Outcomes and outputs
Define and agree ‘what good looks like’
Current state assessment of risk management effectiveness
Prioritized recommendations and improvement roadmap (shifting from ‘current state’ to ‘desired state’)
Risk system transformation
Do you need to transform risk and risk systems within your business? Here are a few examples of where you might be at:
We understand that real-world businesses are not a blank slate. Organisations typically have a range of existing systems and processes, some of which overlap and contradict each other, while others may have been in place for many years without being revisited.
We know transformation doesn’t happen overnight and we appreciate the need for a pragmatic, customised approach.
That’s why we offer practical support, not just theory and instructions. Our team of experienced, senior experts will design solutions that meet your requirements. We will get in and do the work, and we will upskill your team at the same time, so the knowledge doesn’t walk out the door when we leave.
We also understand that successful risk management ultimately relies on people. That’s why we also provide risk culture and change management expertise to help effect transformation.
Outcomes and outputs
Risk policy, manual and templates created / updated
Methodical emerging risk planning and horizon scanning established
Risk taxonomy defined and risks categorised for your business, values and value chain
Risk appetite defined, quantified, aligned to strategy and embedded in the business
Sensible and proportionate risk governance model implemented, including three lines of defence as appropriate
Risk evaluation criteria developed
Do you need assistance with risk assessments? Here are a few considerations:
Our expertise in risk assessment has been
honed over decades of experience as practising risk professionals in a range of different industries.
Exceptional to ERM International is the variety of different assessment methodologies we offer. Our wide-ranging approach will help you to gain a deeper and wider understanding of risk across your organisation.
For example, in our strategic operational risk assessments, we focus on identifying and analysing key risks against your strategy to ensure we discover and prioritise the risks that could most materially impact delivery of your objectives. In our external and emerging risk assessments, we conduct detailed research and analysis of threats and opportunities, looking at external factors (geopolitical, economic), industry megatrends and relevant strategic risks.
In our country risk and supply chain risk assessments, we apply different lenses again, looking at political situations, security environments, relevant incidents and key vulnerabilities.
And we don’t just leave it there. Risk assessments are no use in isolation, they need to connect back into the rest of the business. That’s why our risk transformation work focuses on integrating risk ratings, controls and assessment content with appetite, escalation and assurance processes.
Outcomes and outputs
Completed, refreshed or extended risk registers
Risk workshops with directors, managers and the rest of the business
Strategic operational risk assessments – key causes, controls and consequences. Inherent and residual risk ratings
Country risk assessments – threats, political situation, security environment, relevant incidents, alert level and significant dates
Integrate assessment results and risk information into risk framework and broader business systems
External and emerging risk assessments – external factors, industry megatrends and relevant strategic risks.
Supply chain risk assessments – key vulnerabilities from a disruption perspective, as well as key integrity risks (e.g. modern slavery)
Do you need help integrating risk and resilience? Some common scenarios include:
Many organisations struggle to connect risk and resilience effectively and systematically. So ERM International has developed a unique risk and resilience review methodology.
We provide a detailed framework to properly integrate the two functions, and we have a clear understanding of how they should fit together. We have also developed our own maturity review tool to help organisations gauge where they are at and what they need to prioritise.
We have developed numerous improvement strategies and roadmaps, and delivered improvement projects across diverse industries. We have run many business impact analyses and worked with the domain experts to establish business continuity plans (BCPs) for their critical activities.
Focusing on how to deal with unplanned disruptions, our BCPs are simple and practical. They have been used in the heat of battle and we know they work. We align our BCPs with a straightforward crisis management approach that integrates corporate crisis and in-field emergency responses, all underpinned by and aligned to the organisation’s enterprise risk management approach.
We then run scenario exercises and training to uplift organisational capability and improve overall resilience, enabling your teams to ‘respond appropriately in the moment’, no matter what arises.
Outcomes and outputs
Business impact analyses – workshops and updating / creating documentation
Simple and practical business continuity plans (BCPs) to respond to unplanned disruptions
A documented crisis management approach, integrating corporate crisis response with in-field emergency response and BCPs
Scenario exercises and training to bring it all to life
Culture, capability and change
Do you need to build organisational capability and embed a strong risk culture? Some of these things might be on your mind:
World-class risk frameworks and systems will only ever be as good as the underlying organisational capability and culture. Getting these right is key to effective enterprise risk management.
Robust capability and strong culture can unlock broader assurance opportunities, including behavioural auditing (third line), and ultimately enable (first line) ownership and the prioritisation of practical action.
Our approach to capability development will match your specific requirements, considering your organisation’s unique approach to risk. From off-the-shelf training to custom-built modules designed for niche or mass audiences, our team have the first-hand experience to rapidly deploy programs that build the risk capability at your organisation.
Our risk culture methodology involves quantitative surveying and qualitative interviews, as well as other listening and analytics techniques. We also help you to identify relevant data (proxy metrics) that can mature your monitoring capability through a risk culture dashboard and/or integrating reporting.
Outcomes and outputs
Review or validation of your risk operating model, considering accountabilities, reporting lines and capability opportunities.
Capability assessment and learning needs analysis. Off-the-shelf and custom-built learning content and pathways.
Clearly articulated risk culture behavioural dimensions, aligned and integrated with your broader organisational culture and values.
Standardised, benchmarked or customised surveying (delivered as a service, or on your own platforms).
Comprehensive leadership report highlighting thematic trends around how your organisation manages risk and ‘hotpots’ that require attention.
‘Always on’ risk culture monitoring, ad-hoc or programmatic capability development. Metrics, dashboards, and integrated report.