According to Briers, one reason why companies’ risk management systems are incomplete is a lack of knowledge or experience of how to bring about this form of integration. Compliance, corporate governance, assurance, risk financing and so on need to converge, but the managers in these silos are not confident enough to oversee the entire portfolio. A single executive is needed who understands the broader issues of governance, risk management and compliance. “We helped a utility company to combine six risk-related departments into one division,” enabling the company to standardize risk-related functions and achieve good synergies, he says. To make sure risk stays continually under the microscope, he recommends ISO 31000* as a general risk management standard.
“It comes down to a question of what skills and resources have been dedicated to the enterprise risk management program,” says Wilson. “I’m not sure ENR companies have done a good job of understanding the expectations of internal and external stakeholders with regard to risk management and building the process and skills to meet those expectations.”
*ISO 31000:2009, Risk management – Principles and guidelines, provides principles, a framework and a process for managing risk. It can be used by any organization regardless of its size, activity or sector. Using ISO 31000 can help organizations increase the likelihood of achieving objectives, improve the identification of opportunities and threats, and effectively allocate and use resources for risk treatment.