How to structure your enterprise risk management system

Training objective

The objective of this practical and simplified mini-training video is to demonstrate how you can structure your organization’s enterprise risk management system using the three-tier approach to managing and reporting risks and issues.

What you’ll learn

Understand a powerful way to structure your organization’s enterprise risk management system using the three-tier approach to managing and reporting risks and issues, and learn about the various elements that make up this three-tier approach.

Transcript

[Slide 3] Three-tier approach to managing risk and issues

Risks and issues can be actively managed across three tiers in the organization, as conceptually shown in the diagram.

You can have more than three tiers, but doing so will complicate your enterprise risk management system.

For practical reasons, it is advisable to limit your enterprise risk management system to three tiers. Use the information in this training to customize it for your organization.

The three tiers are:

Tier 1 is organization-wide

Tier 2 is division-wide

And Tier 3 is branch, project, and operations.

At each tier, there will be objectives that have been cascaded from the tier above. Risks and issues that may affect the organization’s ability to achieve those objectives are identified and managed as part of the risk management process.

These risks and issues are reported to and overseen by the relevant committees, teams, or working groups. These governance arrangements at each tier ensure that mitigations are developed and implemented to strengthen the controls and reduce the level of risk to an acceptable level.

Accountability for Tier 1 risks and issues is assigned to a Managing Director, the person best placed to lead the management of those risks and issues on behalf of the Executive Board and the organization. In our example, the Managing Directors report to the Chief Executive Officer.

Strategic or organization-wide objectives are cascaded from Tier 1 to Tier 2 as divisional Tier 2 objectives as part of the strategic and business planning processes.

Linked to the achievement of these cascaded Tier 2 divisional objectives are those Tier 2 risks and issues that may have an impact on the entire division.

Directors are accountable for the management of Tier 2 risks and issues. In our example, the Directors report to the Managing Director.

Divisional executives have oversight over the management of these Tier 2 divisional risks and issues. They will decide whether any significant Tier 2 divisional risk or issue needs to be escalated to a Managing Director or the Executive Board for information or decision. This process occurs as part of the organization’s governance arrangements.

Divisional objectives are cascaded from Tier 2 to Tier 3 as branch, project, or operational objectives.

Linked to the achievement of these cascaded Tier 3 objectives are those Tier 3 risks and issues that may have an impact on a branch, a project, or operations.

Managers and team leaders are accountable for the management of Tier 3 risks and issues.

Branch executives, managers, and team leaders have oversight over the management of these Tier 3 risks and issues. They will decide whether any significant Tier 3 risk or issue needs to be escalated to a Managing Director or divisional executives for information or decision.

Project performance, risks, and issues are reported to the area that has accountability for the delivery of the outcomes and objectives, including accountability for any non-performance.

[Slide 4] Escalation, cascading, and reporting processes

Following on from the previous slide, this slide gives details of the escalation, cascading, and reporting processes as part of the three-tier approach to managing and reporting risks and issues in the organization.

In essence, on the left-hand side of the triangle, escalation and cascading pathways are based on pre-defined escalation triggers for escalating information and business rules for cascading information.

Escalation triggers define the conditions under which escalation actions occur along an escalation pathway. The escalation pathway clarifies the boundaries and channels of decision-making. For example, if a risk is rated as critical, that risk information is escalated to the tier above within an agreed timeframe. In this case the risk rating acts as the escalation trigger.

Additionally, a risk or an issue can be cascaded when it is no longer considered critical and accountability for managing that risk can be delegated downwards to a lower tier. The business rule for cascading the information is clearly defined.

On the right-hand side of the triangle, monitoring and reporting pathways reflect the organization’s governance arrangements. Performance can be actively managed at all organizational tiers using this approach.

The business rules for escalating relevant or critical information to higher tiers, including performance and risk information, are also defined in advance. This includes knowing what to report, the reporting frequency, and who prepares, reviews, and receives the information.