Enterprise Risk Management

11^th Hour Service’s Enterprise Risk Management (ERM) offering includes services that focus specifically on enhancing the Chief Operating Officer, or Secretary/Agency Head, community within our clients – regardless of if your ERM function resides within the COO, CFO, or other office. The intent behind this approach is that we feel the ERM function should reside in the office who has the best ERM Champion. However, where the program resides does not change the intent of the ERM program. Our goal is to design the ERM program to serve the greater agency, thereby serving the Agency Head. This includes, but is not limited to:

Analysis and Alignment;
Foundational and Framework Development;
Capability and Tool Development, Implementation and Evaluation;
Capability Advancement and Enrichment; and
Technology Enablement.

We have developed a modular approach to ERM that is specifically designed for the Public Sector. While it leverages best practices from both Public and Private sectors, it was designed with the Government in mind. It accomplishes this by being a capability based model that focuses on what an Agency’s ERM program is able to accomplish, such as how well the agency was able to manage risks within their tolerance. The model is not merely a check-the box approach that focuses on what an Agency’s ERM program has, such as “we have a CRO”, “we have a risk profile”, or “we have a Risk Appetite Statement.”

RELATED SERVICES

Analysis and Alignment

Foundational and Framework Development

Capability and Tool Development, Implementation and Evaluation

Capability Advancement and Enrichment

Technology Enablement

Analysis and Alignment

Every organization is unique, and an effective risk management program must be tailored to the specific needs, internal processes, existing practices, culture of the organization, and interest of internal and external stakeholders. Analyzing and understanding the context in which the risk management program functions is critical to expanding current risk management practices across the enterprise.

11^th Hour Service strives to understand your organization’s risk management practices to align them with best practices. This alignment process prevents duplication or reinvention and ultimately reduces the cost and burden of ERM program implementation. Unless an overhaul is what is desired, we do not change every aspect of the enterprise risk management function. Instead, we align areas such as vernacular, taxonomy, roles and responsibilities, communication channels, data points, and functional capabilities. This is accomplished through a series of activities including, but not limited to:

Stakeholder analyses;
Organizational culture assessments;
Maturity assessment and development;
Program mapping; and
Functional staffing and resource analysis.

The analysis and alignment process provides the understanding needed to begin the foundational development of an effective and capability-rich ERM program.

Foundational and Framework Development

11^th Hour Service understands that establishing a solid foundation and developing a framework is what will set up an ERM program for heightened success. Our activities focus on establishing or strengthening risk management governance by clarifying and documenting roles, authorities, responsibilities, competencies, functional relationships, and practices for risk management across the organization. This includes, but is not limited to identifying, developing, and/or documenting:

Chief Risk Officer, or ERM champion;
ERM policy and guidance;
Risk policy statement;
Risk taxonomy;
Enterprise Risk Council (ERC);
Risk practitioner position descriptions;
Risk appetite statement and risk tolerances;
Risk register;
Risk profile;
Risk reporting mechanism(s);
Risk response documentation;
Risk monitoring, evaluation, and escalation methodologies; and
Link to annual Statement of Assurance (SoA);

Capability and Tool Development, Implementation, and Evaluation

An effective ERM program is dependent upon the quality of the outcomes of the program. How well your respective program “checks the box” around the what your program has, is not necessarily indicative of what your program can do. Our process focuses on developing or enhancing what your program can do.

While implementing an ERM process is not as challenging as many perceive, there is much more than the technical work that goes into implementation. Cultural barriers can present a challenge, as well as communication and education around purpose and implementation. Programs should also be constantly evaluating their performance, specifically the capabilities and, ultimately, the effectiveness of the program’s ability to identify and manage risks within designated tolerances. Our process includes, but is not limited to:

Change management plan;
Communications plan;
Program integration strategy;
Capabilities baseline and performance plan;
Key risk identification and prioritization methodology;
Risk evaluation and alternative analyses;
Community of practice and interested establishment; and
Training, development, and facilitation.

Capability Advancement and Enrichment

Once an ERM program has been implemented and has begun to become part of the threads of an organization, the focus should shift how to continually improve upon the capabilities of the program. Ultimately, this is what most people will refer to as program maturity. At 11^th Hour Service we leverage certain aspects of OMB’s maturity model, however, our focus is on the capabilities and outputs that your program is able to achieve. The five levels or the maturity model include:

Level 1 – Ad-Hoc/Nascent;
Level 2 – Basic/Emerging;
Level 3 – Integrated/Defined;
Level 4 – Managed/Predictive; and
Level 5 – Strategic/Advanced.

Many maturity models use linear displays that include elements such as “policies are defined” or “program has an executive sponsor”. Our approach is modular, defining capabilities as “policies are understood, adhered to, and effective in meeting the objectives of the ERM program” and “program has an executive sponsor who is an ERM champion and has the desire, the influence, and the ability to enable and promote change within the organization”.

Technology Enablement

An Enterprise Risk Management software or technology package will not take a new ERM program and provide an organization with an out of the box compliant, fully enabled ERM program. However, technology can do two majors things:

Enable an existing program to perform at a higher level by being more innovative, collaborative, and efficient; and
Inform and facilitate a program in its infancy stages on what needs to be done to get the program off the ground, including templates, framework compliance, reporting functionality, etc.

11^th Hour Service is a technology agnostic firm when it comes to ERM solutions, meaning we can and will implement whatever makes the most sense for your organization. To determine the best solution, we will:

Perform a capabilities needs assessment;
Develop a benchmarked COTS ERM/GRC software offering comparison;
Develop ERM/GRC system functional and capabilities requirements;
Evaluate capabilities needs assessment and functional requirements against software offering comparison;
Provide recommendation of solution based on the capabilities and requirements comparison results, including pricing; and
Develop an ERM/GRC software implementation strategy.

While we are a technology agnostic firm, we have a strategic partnership with ACL (now “Galvanize”) and have seen noted advantages to their GRC platform in delivering a functionality-rich software platform.

Enterprise Risk Management

RELATED SERVICES

ABOUT US

ABOUT US

MESSAGE US