Benefits of Linking Incident Tracking and Enterprise Risk Management
Incident Tracking and Enterprise Risk Management (ERM) are both important disciplines and key priorities for many high-performing management teams.
This article discusses why organizations should consider linking ERM and incident tracking programs together, in order to improve the effectiveness of both practices. A follow-up companion article outlines 8 best practices for incident tracking programs.
Background - What are Enterprise Risks and Business Incidents?
Risks are uncertain events that may or may not happen in the future. They are assessed based on the likelihood they will occur and the impact they would have if realized.
“Enterprise” risks are simply risk events that, because of their nature or their magnitude, would have a meaningful impact on an organization’s strategic objectives. In many cases, organizations take steps to lower risk levels by identifying the root causes of risks and taking preventative steps to reduce risk likelihood and impact.
This is an uncertain exercise that requires judgement. Fortunately, it can be improved with structured qualitative analysis methods (e.g. risk bow tie diagrams) and by leveraging data from past experiences.
Figure 1. Example risk analysis using a Risk Bow Tie diagram in Essential ERM®
Improved decision making and better ERM risk assessments
Linking and analyzing data from past incidents (quantitative analysis) within current enterprise risk assessments (qualitative analysis) can improve assessment quality and subsequent decision making. Business users often find enterprise risk assessments to be an abstract exercise, especially when attempting to predict the likelihood of future potential risk events. This task gets even trickier when trying to assess the effectiveness of controls designed to reduce likelihood and impact (e.g. assessing inherent risk versus residual risk).
This is where data and past experience can help. Drawing upon quantitative data from related incidents creates a closed-loop process that can reduce the guesswork and subjectivity of qualitative likelihood and impact assessments when assessing future potential risk events.
While it is true that most individual incidents will not directly affect an organization’s strategic objectives, they may have a material impact when grouped together through proper analysis and when effectively linked with risks in the ERM program. At the very least, incidents often serve as early indicators of brewing problems or emerging opportunities.
Improved buy-in and adoption for ERM programs
Business managers and front-line users typically understand and accept their responsibility for preventing and managing incidents. Creating a linkage between incident programs and ERM can help extend that sense of responsibility to the ERM program as well. After all, enterprise risks are just potential future incidents that are also owned by the business. In this way, linking incidents and ERM can help improve organizational buy-in for ERM.
Improved executive support for incident management activities
Finally, linking incidents with enterprise risks can help to elevate the visibility and demonstrate the business value of incident management programs. Instead of being seen as merely an operational activity, an incident program can be recognized for what it really is - a valuable source of quantifiable data that can improve decision making, strategy execution and ERM.
The challenge, however, in effectively linking incident management with ERM is dealing with high numbers of incidents and separating the “signal from the noise” to draw meaningful insights.