Organizational Placement of ERM
Another topic we explored was where in the organization the risk management function or department should be placed. Our research showed that the function typically sat within the internal audit department, the internal supervision department, or the insurance department, or reported directly to the CFO. In practice, whoever held the role appeared to spend their time chasing other departments (legal, internal control, insurance, etc.) to get them to perform risk management. Almost nobody wanted to be responsible for ERM, because it was treated as a new scope of responsibilities added on top of an existing role, with compensation remaining at the same level.
The Influence of the Size of Organizations
We observed that risk management frameworks in medium-sized companies may need to differ from those in larger companies. Board members of medium-sized companies told us that silo-based thinking was not an issue in many medium-sized companies, simply because there are no silos. Executives also asked, "What is the business case for risk management in medium-sized companies?"
When we explored the matter in more detail, it became evident that integration was not the main issue for these companies. The real issues were the lack of managerial information on the margin or profitability of individual projects and contracts; what to write in tender offers about how the company manages risk arising from customer demands (investors in the construction industry, for example, expect this from vendors); and how to assess vendor credibility before making decisions. We therefore have to be careful not to argue for ERM in medium-sized companies on the basis of benefits such as the integration of various risk treatment activities, since those benefits may not apply to them as they do to large companies.
Risk Management Process
Risk identification is one of the key steps of the risk management process. We explored how people describe risk and found that many confuse threat with risk or mix up other risk terminology. When we looked at how risk is actually described in companies, we found that what is recorded is often not a risk description at all. Many risk registers contain no risk information, only descriptions of threats or vulnerabilities that are understandable only to the person who wrote them (almost 95 percent of the cases we checked). People rate risks without explaining why, and without recording what evidence supports the rating and what does not. The Statement of Context, which would help readers understand why specific risk criteria have been set, is missing. Almost nobody is aware that the Statement of Context is one of the deliverables of the "establish the context" phase of the risk management process in ISO 31000.
The reason for this is that, in the absence of risk management implementation guidelines, there is no proper guidance on how to describe risk. Because of this lack of more detailed guidance, corporate representatives who are interested in ISO 31000 nonetheless have difficulty understanding it, which has resulted in a poor opinion of the ISO 31000 standard in Poland. Unfortunately, the final version of ISO TR 31004, produced by the ISO/PC and the ISO/TC 262 Working Group, does not fill this gap; we will therefore have to develop such guidance ourselves, with the support of international experts who really know ISO 31000 and how it should be implemented.
If there is no good guidance on risk management and no volunteers willing to take responsibility for promoting ERM, we will have to create the right profession and the professionals to deal with risk. When we searched the formal professions registry of the Social Policy and Labor Ministry in Poland for job titles that include the word "risk", we found only underwriter, translated as a risk management specialist and an appraiser of a company's risk. That leads us to the conclusion that gives the next section its title: we have to build the chief risk officer (CRO)/risk manager profession from scratch.
-  The Statement of Context is an output from the "Establishing the context (5.3)" stage of the risk management process (Clause 5 Process in ISO 31000:2009 standard).