
The Evolution of Enterprise Risk Intelligence (ERI) An article by Andrew Howarth, CEO

Date: 15.02.19 - Friday
Enterprise Risk Intelligence (ERI) integrates the previously disparate functions of compliance, event/incident and risk management. This integration delivers much more power than the individual value of the three functions, even if they are being managed effectively in isolation.

The eight steps below trace the evolution of ERI and the value that full collaboration and analysis of the risk, event and compliance management processes can add to an organisation.

Step One – Notify of or Record Events

Step one involves notifying of, or recording, events. The event categories may include any of the following: injury; fraud; security; property; complaints; environment etc. During this step, the information from each event is recorded in detail, including the area of the organisation involved, the specific parties involved, any equipment and exactly how the event occurred.


Step Two – Investigate Events

Step two in the evolution involves investigating events. The organisation has recorded the events that have taken place; the next step is to look further into why they occurred. This may involve answering questions such as how the event happened, what factors caused it and who was involved. Following the investigation, recommendations are put in place on how to move forward and prevent the event from happening again. The organisation is becoming more preventative.


Step Three – Corrective actions to prevent further events from occurring

Step three in the evolution involves implementing corrective actions to prevent further events from occurring, including recurrences of the same event and events that are similar in nature. These actions include specific risk controls.


Step Four – Compliance process to audit/test control frameworks/corrective actions

Step four in the evolution involves implementing a compliance process to audit and test control frameworks and corrective actions. Compliance is the process by which organisations identify and meet their obligations, whether arising in law, standards, codes of practice or from stakeholder expectations. This step requires the testing of the controls and actions put in place in step three, to confirm that they are really in place and to analyse how well they are working.


Step Five – Introduction of risk: risks identified from investigations and from auditing of the control framework

The organisation now introduces a risk management process. Risks are identified from two sources: the investigations of events (the causes established in step two and the corrective actions of step three) and the auditing and testing of the control framework in step four (the breaches found and the controls that failed testing). Because each risk is linked to the corrective actions, the causes and the compliance breaches or test results that revealed it, this step lends itself to automation.


Step Six – Manage significant risks in the organisation

During this step, organisations begin to manage significant risks in the organisation through the following IACM process:

  • Identify – Identify the hazards within the organisation;
  • Assess – Assess the ‘level’ of risk;
  • Control – Eliminate or control the risk;
  • Monitor – Review controls for continuous improvement and ensure that new hazards have not been introduced into the workplace.

This process is carried out in line with AS/NZS ISO 31000, the Australian/New Zealand adoption of the ISO 31000 risk management standard published by the International Organization for Standardization. The purpose of the standard is to provide principles and generic guidelines on risk management. ISO 31000 seeks to provide a universally recognised framework for practitioners and organisations employing risk management processes, replacing the many existing standards, methodologies and paradigms that differed between industries, subject matters and regions.


Step Seven – Integration of all risk categories – permeation of the compliance process across all obligations (internal/external)

The organisation must have a common, enterprise-wide risk culture so that all employees share the same understanding of the risk management process. One part of this includes identifying risks that are similar across a variety of work functions or areas. For example, in a school environment this may include the use of whiteboard cleaner in various classrooms. In some cases, a single generic assessment of a representative work situation may suffice and be used in several areas. When the organisation reaches step seven, these risk categories are integrated across the organisation to create an enterprise-wide strategic risk register spanning all functions.


Step Eight – Enterprise Risk Intelligence (ERI)

Step eight in the evolution is an organisation that is Enterprise Risk Intelligent. ERI is defined as the full collaboration and analysis of event, risk and compliance management processes. This collaboration delivers much more power than the individual value of the three functions, even if they are being managed effectively in isolation.

Close examination of the word ‘Enterprise’ reveals that it incorporates every aspect of the organisation, rather than simply a strategic focus on senior management or board reports. Other terms that use the word ‘Enterprise’ commonly make the assumption that it represents only the larger inherent risks, major loss events or significant compliance breaches summarised in a high level and conceptual manner.

However, simply producing an unchanged risk register of twelve or fifteen issues month after month does not provide a true picture of an organisation’s position. In true Enterprise Risk Intelligence, ‘Enterprise’ is inclusive of all strategic and operational risks, events and compliance obligations of an entire organisation.

To truly understand the term Enterprise Risk Intelligence, ‘Risk’ and ‘Intelligence’ are best examined together. An isolated examination of ‘Risk’ may lead to the common misconception that this practice is simply about Risk Management. The recognition of risk intelligence as a business process is central to understanding what Enterprise Risk Intelligence really means.

‘Risk Intelligence’ is:

  • how an event/incident (a risk that eventuated) informs us about how effective our organisation’s risk management actually is;
  • the method of identifying breaches in compliance obligations as a risk;
  • the approach of risk assessing compliance obligations in order to prioritise the breach and the corrective actions;
  • the technique of escalating events on the basis of risk (potential outcome) not just severity (actual outcome).

Integrating this critical ‘Intelligence’ from the three disciplines makes each function significantly more effective and valuable to the business than operating them in isolation.


Copyright and Disclaimer

Copyright© 2011 Risk Management and Safety Systems Pty Ltd, all rights reserved. The contents of this article may not be reproduced or transmitted in any form or by any means without the express written consent of Risk Management and Safety Systems Pty Ltd. The riskmanager, eventmanager, compliancemanager, claimsmanager, chemicalmanager, competencymanager, contentmanager, healthmanager, permitmanager, actionmanager are trademarks or registered trademarks of RMSS. All other trademarks acknowledged. Elements of the Risk Management and Safety Systems Pty Ltd applications described in this document are protected by Australian Registered Patent 2006100476 and other Australian and International Patents pending.