Operational Risk, which includes IT, cyber, human capital and business processes.
Reputational Risk. That is anything that would put the agency in a “negative light.”
Strategic Risk. Managing events that block the agency from reaching its goals.
Compliance and Legal Risk
“It really is not so much a matter of identifying one risk that is more important than the other. What we do is we identify all of the risks that we think are significant. We look at likelihood. We look at impact. And then we really work hard to focus our decision-making to recognize and take into account the most significant risk are across our organization,” she said. “The Office of Enterprise Risk Management works closely and directly with the assistant commissioners, the leaders of different business lines across our organization. Where we take targeted evaluations, targeted assessments of risks.”
For example, a new product launch.
“What is the risk associated with that? What are some of the issues that they should be mindful about, in terms of standing up such an initiative?” she said.
Yakimov said the important step after those assessments and evaluations is that they are shared with leaders across the organization, not just those leading a specific program area.
“The ultimate benefit of any organization’s ERM (Enterprise Risk Management) function is awareness. It’s data-driven awareness. It’s data-driven insight that leverages the organization to achieve its priorities,” she said.
Yakimov said it is also important to identify best practices. It lets agency leaders have “cutting-edge thinking” that allows them to reach program goals in a risk-aware manner.
“The key benefit to any organization’s Office of Enterprise Risk Management is to facilitate a culture where, from the journey man or woman, all the way to the leadership. When we see a potential issue, we raise our hand, we think about it strategically. We make sure we have the resources, brought to bear to make sure we are managing risk effectively,” she said.
Yakimov said that one of her key priorities for 2015 and 2016 is to mature the agency’s reporting capabilities to help paint a better picture of risk.
“Imagine…a mosaic. Right now, there are any number of different data points around different risks that we are facing. It gets more complicated than that. It’s not just reputational risks, it’s operational, IT, cyber, business process. Right now, the mosaic is out of focus,” she said.
Yakimov said the key is to organize all of those data points and allow risk concerns to be prioritized.
“Preferably in red, yellow and green. So people can easily wrap their minds around what is the most significant, what is moderate and where we are doing fine here,” she said.