Risk Triaging
External Risk Identification
Internal Risk Identification
ERM team work
Project Boards
Board / Exec
Process Change
PRA
Lloyd’s
Thought Leadership
“Soft” identification
RCSA
Risk Appetite breaches
Decision point: Current or Emerging?
Emerging
Current
ERM team manages
Opportunity or Threat?
Threat
Opportunity
Informal Exco discussion
Are our actions contained within the scope of our strategy?
ERCC discussion
Are our actions managed by the ORSA process?
Where risk is located within Emerging Risk Framework
What if question posed
Scenario analysis performed
What are our mitigation actions?
Who owns these and where are they within BAU?
How can we tell if these are effective?
What do we need to monitor before further action is taken?
No
No
Recommendation to modify strategy
Owner
Plans and Milestones developed
Yes
ORSA recommendation to address mitigation gap
Owner
Timeline
Yes
Discussion logged
No further action at this time
Further investigation required?
Benchmarking
Yes
Process change
Further scenario analysis
White paper
Teaming with business
No
Questions:
- can we define stages, so as to track progress?
- What are the key output stages?
- What about comms?
- What about updates to the business?
- How can we better define emerging risk vs existing risk? Does it matter? Would we get to the same outcomes anyway if the Risk Int team is the one that picks up “teaming” or further analysis?
- Is there also a place for special risk assessments?
- What are the objections going to be?
Purpose:
- This is partly to reduce the ad-hoc, reactive nature of our work
- Does it reduce the leeway of the CRO?
- Can we short-circuit some of these stages for things that RMT is concerned about, even in the face of pushback?