Designing Organizational Risk Strategies
In the RIMS-CRMP core competency model, “designing organizational risk strategies” refers to how a risk management professional uses the collective research from the stage of analyzing the business model to design a “fit-for-purpose” risk management strategy based on the needs of the organization. In this session at RIMS 2021, Dr. Joseph Milan, Principal at JA Milan and Associates, discusses the seven main components of designing organizational risk strategies in preparation for the RIMS-CRMP certification.
What is the RIMS-CRMP Certification?
The RIMS-CRMP is a certification that defines extremely high achievement of risk management competencies for the risk management professional. This certification is obtained through a one-time exam and maintained through continuing education and recertification. It is also ISO 17024 certified, meaning that it is a globally recognized certification. This certification is fundamentally about enterprise risk management, even though much of the material simply utilizes the “traditional” term of risk management.
Designing Organizational Risk Strategies
“Designing organizational risk strategies” makes up the second of five domains that fit inside the RIMS-CRMP certification exam. Roughly 17% of the RIMS-CRMP certification exam questions fall into this category. To best develop your overall strategy, you will need to consider each of the following:
- Developing a risk strategy approach. Before even beginning your strategy, considerations such as budgeting and reporting requirements should be taken into account. Preliminary considerations also include management style, organizational structure, and qualitative and quantitative measures.
- Risk competency capabilities. Simply put, competence is about applying your knowledge to achieve your desired results. Before starting risk management implementation, competence involves making sure you have the right people and resources in place to accommodate organizational needs.
- Define success measures. Align your risk strategy with organizational goals. While key performance indicators (KPIs) measure an organization’s progress toward achieving its objectives, key risk indicators (KRIs) measure risk and volatility related to achieving those objectives.
- Design risk governance. Align your standards and frameworks. Common global frameworks include the International Standards Organization (ISO), Open Compliance and Ethics Group (OCEG) and Committee of Sponsoring Organizations (COSO). The alignment will depend on the preferences of your organization and leaders, including the use of analytics, methodology and reporting. Decisions will also depend on your risk profile and strategic objectives.
- Establish a foundation. This allows the risk professional to line up their specific needs before the implementation of a risk strategy. Questions that address resources, the role of the risk manager, current risks of the organization, and monitoring and reporting will lay the groundwork for success.
- Create a risk communication strategy. Audience analysis is the critical first step that will allow you to identify the needs of different target audiences within your organization. Consideration of items like the expectation for the risk appetite, key messaging, media resources, delivery schedule and documentation will ensure you have the necessary components ahead of time and allow you to educate your risk champions. They will then know how to support your strategy and what they can expect in return based on the process.
- Develop a business case. Key components of a business case involve developing an executive summary, the program scope and priority, schedules and resources needed, and program roles and responsibilities. This is used to clearly communicate that there is an expected benefit that is greater than the cost and resources needed.
Ready to expand your professional profile? Find the study guide for the RIMS-CRMP here.