Agilient can help organisations with enterprise risk management (ERM): the process of planning, organising, leading and controlling an organisation's activities to minimise the effect of risk on its capital and earnings.
Agilient's approach to enterprise risk management covers not only risks associated with accidental losses, but also financial, strategic, operational and other risks.
In summary, our enterprise risk management process is designed to:
- Identify potential events that may affect the organisation.
- Manage risk to be within the organisation’s risk appetite.
- Provide reasonable assurance regarding the achievement of the organisation’s objectives.
Agilient's approach follows ISO 31000:2009, Risk management – Principles and guidelines, which informs our key principles. In simple terms, this involves the following:
- Setting the objectives – The internal environment encompasses the tone of an organisation, and sets the basis for how risk is viewed and addressed by an organisation’s staff and stakeholders, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate. Objectives must exist before management can identify potential events affecting their achievement. ERM ensures that management has in place a process to set objectives and that the chosen objectives support and align with the organisation’s mission and are consistent with its risk appetite.
- Risk and opportunity identification – Internal and external events affecting the achievement of an organisation’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channelled back to management’s strategy or objective-setting processes.
- Risk analysis – Risks are analysed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
- Mitigation strategies – Management selects risk responses – avoiding, accepting, reducing or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
- Controls and documentation – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
- Awareness and communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the organisation.
- Monitor and review – The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
In practice, enterprise risk management is not strictly a serial process, where one component affects only the next. It is a multi-directional, iterative process in which almost any component can and will influence another.
In undertaking this work, Agilient uses the following standards:
- ISO 31000, Risk management – Principles and guidelines;
- ISO/TR 31004: Risk management – Guidance for the implementation of ISO 31000;
- ISO Guide 73: Risk management – Vocabulary;
- IEC 31010: Risk management – Risk assessment techniques; and
- ISO/AWI 31022: Guidelines for Implementation of Enterprise Legal Risk Management.