ERM Process | Temple University-亿德体育

Steps in the Enterprise Risk Management (ERM) Process

Identify Risks
ERM过程的第一步是识别可能影响组织目标的潜在风险(和机会). 这一步骤包括识别可能来自各种来源(如操作)的内部和外部风险, financial, regulatory, legal, reputational and strategic risks. Identifying new risks is key to managing what is on the horizon.

A graphic showing the typical steps involved in the ERM process.

Assess Risks
After identifying the risks, 下一步是评估它们对组织目标的可能性和潜在影响. This step involves analyzing the risks in terms of their probability of occurrence, potential impact, 风险可能影响组织的速度(或速度)，以及组织缓解这些风险的当前控制的充分性.

Prioritize Risks
Based on the risk assessment, 下一步是根据风险对组织目标的重要程度来确定风险的优先级. 这一步包括确定哪些风险需要立即关注，哪些风险可以长期管理.

Develop Risk Mitigation Strategies
After prioritizing the risks, 下一步是制定与组织目标一致的风险管理策略. 这一步包括制定风险管理计划，概述组织将如何减轻风险, avoid, transfer or accept each risk.

Implement Risk Mitigation Strategies
下一步是实施在前一步中确定的风险缓解战略. This step involves putting in place the necessary processes, policies and procedures to manage the risks identified.

Report, Monitor and Review
The final step in the ERM process is to report, monitor and review the effectiveness of the risk management strategies implemented. This step involves continuously monitoring the risks, evaluating the effectiveness of the risk management strategies, 根据需要调整战略，并及时报告结果，以便在战略规划中发挥作用.

Step 1: Risk Identification Process

The risk identification process is the first step in managing risks. 它包括识别可能影响组织目标的潜在风险, operations or stakeholders. The risk identification process includes the following processes.

Establish the Context
Before starting the risk identification process, it’s important to establish the context by defining the scope of the risk assessment, identifying relevant stakeholders, and clarifying the organization’s objectives and risk appetite.

Brainstorm Potential Risks
The next step is to brainstorm potential risks that could impact the organization. This can be done through various methods, such as conducting interviews, holding workshops or reviewing historical data. 让来自组织不同部门的利益相关者参与进来，以确保潜在风险的全面列表，这一点很重要.

Categorize Risks
一旦确定了潜在风险，就可以根据其类型或来源对其进行分类. Common categories of risks include strategic, financial, operational, compliance and reputational risks.

风险识别过程是一个持续的过程，应定期审查和更新，以确保识别新的风险, and existing risks are appropriately managed. By identifying potential risks and assessing their likelihood and impact, 组织可以制定有效的风险管理策略来保护他们的目标和利益相关者.

Step 2: Risk Assessment Process

ERM流程的第二步是分析或评估已识别的风险. 评估阶段的目标是了解风险可能导致的问题或机会，并确定风险的大小，以便在稍后的步骤中确定优先级.

When assessing and rating risks, the following factors are considered.

Likelihood
This factor measures the probability of a risk event occurring.

Impact
This factor measures the potential consequences of a risk event.

Velocity
This factor measures how quickly a risk event can materialize and cause harm.

Preparedness
This factor measures the organization’s level of preparedness to handle the risk.

Step 3: Risk Prioritization Process

After assessing the factors of each risk, the risks can be prioritized by assigning a risk rating score. By applying the risk prioritization process, 行政当局可以确保他们将资源分配给最重大的风险，并采取适当的措施来保护利益相关者和任务目标.

The following methodology is used for rating risks: Risk Rating = (Impact + Velocity) x Likelihood

The impact and likelihood factors are assessed on a scale of one to five, with higher numbers indicating a greater impact or probability of occurrence. The velocity and preparedness factors are assessed on a scale of one to four, 较高的数字表明发生速度加快，缺乏现有的控制措施. Though not included as part of the risk ranking formula, 准备因素在对风险进行优先级排序时使用，以便为风险讨论提供一个额外的成熟度和细节级别.

风险评级公式用于计算每个已识别风险的数值得分, 然后用哪个来确定风险的优先级并确定适当的风险管理策略. 风险等级得分较高的风险通常会得到优先关注，并为风险管理和缓解工作提供资源.

Step 4: Develop Risk Mitigation Strategies

Once risks are identified and prioritized, a range of strategies for mitigating risks can be utilized to treat the risks. Establishing policies, 程序和控制使组织能够将风险控制在可接受的范围内. 为每个风险制定风险管理计划，概述将采取的减轻风险的具体策略和行动. The plans define roles and responsibilities for risk mitigation, establish timelines for completion and identify resource requirements. Some common strategies for mitigating risks in ERM include the following.

Acceptance
Accepting the risk and its consequences, either because the risk is too difficult or too expensive to mitigate, or because the potential benefits outweigh the potential consequences.

Avoidance
通过不参与可能导致风险的活动来完全避免风险.

Reduction
通过实施风险管理控制或保障措施来降低风险发生的可能性或影响. This could involve implementing security measures, redundancy systems or establishing procedures and guidelines.

Transfer
Transferring or sharing the risk to another party, such as through insurance or outsourcing to a third-party provider.

Exploitation
Actively seeking opportunities to take advantage of the positive aspects of a risk, such as a new market opportunity or emerging technology.

Each of these strategies has its advantages and disadvantages, and the appropriate strategy will depend on the nature and context of the risk. A combination of strategies may be used to mitigate the risks effectively. Additionally, 必须定期审查和更新风险缓解战略，以确保其保持有效性和相关性.

Step 5: Implement Risk Mitigation Strategies

实施风险缓解战略涉及采取行动，降低可能对组织目标产生负面影响的已识别风险的可能性或影响. 这可能涉及实现新的程序、指导方针或控制，或修改现有的. 沟通和培训对于有效执行选定的减轻风险战略至关重要.

利益相关者应了解战略及其在实施过程中的作用和责任. 还可能需要进行培训，以确保利益攸关方具备有效执行缓解战略所需的技能和知识.

Step 6: Report, Monitor and Review

ERM是一个从内部和外部来源收集和评估信息的持续过程, across all parts of an organization. 定期监测和审查实施的缓解战略的有效性，确保这些战略保持有效性和相关性. Adjustments should be made based on changes in the risk environment, organizational priorities or other factors. ERM报告通过帮助董事会识别其组织面临的风险，为日常决策提供信息.

Steps in the Enterprise Risk Management (ERM) Process

Go back to AboutMore in Enterprise Risk Management

Go back to About More in Enterprise Risk Management