“A right ERM risk profile should be holistic and reflect all risks to the organization’s business objectives”
Preparing and sharing a corporate risk profile, one of the key building blocks of the ERM process, should be regarded as a tool that helps in communicating with the board. How a profile is prepared, how frequently it is prepared, and with whom it is shared are handled differently in each organization. A corporate risk profile should be prepared for use by the management of an organization as part of the ERM process.
There are three commonly used types of corporate risk profile: the top 10 list, the risk map, and the heat map.
- The “Top 10” List. This type is the simplest method of identifying, ranking, and sharing the top risks in an organization: it is simple, familiar, and easily understood, and it denotes a short yet important list of risks.
- The Risk Map. This type is one of the most widely described ways to present the largest risks facing an organization. It consists of two axes: the vertical axis shows the potential impact of the risk and the horizontal axis shows the estimated likelihood of the risk occurring. Risk maps are ideally prepared during a risk workshop using voting technology.
- The Heat Map. This type can list organizational entities such as departments, locations, or product lines in the first column, while next to each entity are color-coded squares identifying the level of each risk. A heat map is usually color-coded to show the levels of risks and mitigations in a matrix format. dc | 2011