Risk oversight and risk management are high priorities on the agenda of most organizations. The first step to defining risk management goals and risk management objectives is to define your organization's shared vision. Once the shared vision is articulated, overall risk management goals and objectives must be defined.
While a vision statement is often aspirational, the goals and objectives should ordinarily describe in simple terms what is to be accomplished. They should be actionable by the organization. They should be defined in the context of the organization’s business strategy.
For example, some common risk management objectives chosen by companies to frame their ERM approach include the following:
- Develop a common understanding of risk across multiple functions and business units so we can manage risk cost-effectively on an enterprise-wide basis.
- Achieve a better understanding of risk for competitive advantage.
- Build safeguards against earnings-related surprises.
- Build and improve capabilities to respond effectively to low probability, critical, catastrophic risks.
- Achieve cost savings through better management of internal resources.
- Allocate capital more efficiently.
Risk management goals and objectives should be consistent with and supportive of the enterprise’s business objectives and strategies. Therefore, the organization’s business model provides an important context for risk management.
- It targets the markets and geographies in which the firm does business.
- It specifies the products and services it provides to those markets, the channels it uses to access those markets and the characteristics by which it differentiates its products and services in the eyes of the customer.
- It is built on many important elements: on the processes through which the entity converts materials and labor into products and services; on the employees the entity hires, trains and retains; on the suppliers and customers with which the organization does business; and on the shareholders and lenders that supply it capital.
Business risks are inherent in all of these elements. As the enterprise executes its strategy, it creates and increases its exposures to uncertainty. Therefore, business objectives and strategies provide the context for understanding the risks the enterprise desires to take. COSO affirmed this point by establishing “objective setting” as a component of the ERM framework.
When defining risk management goals and objectives, management should ask “tough questions.” An example of these questions can be found in the Risk Oversight and Risk Management Questionnaire sample available for download on this page. These questions provide a powerful context for defining risk management goals and objectives.
Following is an example of a statement of risk management vision, mission, goals and objectives:
Contribute to the creation, optimization and protection of enterprise value by managing our business risks as we create value in the marketplace.
Create a comprehensive approach to anticipate, identify, prioritize, manage and monitor the portfolio of business risks impacting our organization. Put in place the policies, common processes, competencies, accountabilities, reporting and enabling technology to execute that approach successfully.
Goals and Objectives
(1) Design and execute a global business risk management process integrated with our strategic management process:
- Integrate business risk management with our strategy formulation and business planning processes;
- Articulate our strategies so that they are understood throughout our organization;
- Establish KPIs designed to drive behaviors consistent with our strategy; and
- Reward effective articulation and management of key risks.
(2) Ensure that process ownership questions are addressed with clarity so that roles, responsibilities and authorities are properly understood.
(3) Design and execute a global process to monitor and reassess the top quartile risk profile and identify gaps in the management of those risks, based upon changes in business objectives and in the external and internal operating environment.
(4) Define risk management strategies and clear accountabilities and action steps for building and executing risk management capabilities and improving them continuously.
(5) Continuously monitor the information provided to decision-makers in order to assist them as they manage key risks and protect the interests of shareholders.
Here are popular KnowledgeLeader tools that focus on risk management: