Tag Archives: enterprise

Effective ERM Reporting

Agile, Audit, Best Practices, Coaching, Controls, ERM, Governance Risk & Compliance, Methodology, , , , , , , ,

In a world recovering from the pandemic aftermath, Ukrainian and Middle Eastern wars, risks in one sector of business can set off a chain reaction of effects across the entire supply chain, similar to falling dominos. 

This highlights that the focus of enterprise risk management (ERM) in today’s business environment is not solely about preventing negative incidents; but also about transforming potential risks into business opportunities. 

The key to this transformation lies in effective ERM reporting.

ERM enables organizations to identify possible event occurrences, but it’s through ERM reporting that they can assess their risk management strategies to discover what’s effective, what’s failing, and how to address any potential gaps in risk management.

Efficient ERM reporting can help organizations leverage their risks into a competitive edge. Therefore, it’s crucial for businesses to understand what’s required to generate a high-quality ERM risk report.

What Is an ERM Report? 

An ERM report provides crucial information for daily decision-making by assisting board members in recognizing the risks their organizations confront. Furthermore, it describes the risk management approaches implemented to address these risks.

High-quality ERM reports highlight gaps in the execution or coverage of risk management methods and potential non-compliance scenarios. While this is critical from a strategic point of view, it also has a legal aspect. Boards have legal obligations to comprehend and manage the organization’s risks effectively.

Some key audiences for risk reporting

Risk reporting serves various key audiences within an organization. Here are some key audiences for risk reporting:

A. Board of Directors and Executive Management: The board of directors and executive management team play a crucial role in governing and overseeing the organization. They need comprehensive risk reports to understand the organization’s overall risk landscape, make informed decisions, and fulfill their fiduciary responsibilities.

B. Risk Management Committee: In organizations that have a specific risk management committee, risk reporting is vital. This committee is responsible for reviewing and monitoring the organization’s risk management activities, and risk reports provide them with the necessary information to assess and steer risk management efforts.

C. Senior Management: Senior management includes executives and the CEO, all needing more detail than the board. A risk report for senior management often involves reporting up; they want a list of risks and accompanying mediation plans from their ERM staff. This helps senior management ensure that the proper management strategies are in place for the risks in the report, which can feature as many as 15 possible issues.

D. Risk Owners: Risk owners are the ERM staff on the front line, including middle managers. These individuals act on the mitigation recommendations from senior management and the board. Reports for risk owners require a high level of detail on each risk, including performance metrics and assessments.

E. Operational and Business Unit Managers: Operational and business unit managers are directly responsible for managing specific areas of the organization. Risk reports tailored to their respective areas provide them with visibility into the risks affecting their operations, enabling them to make risk-informed decisions and take appropriate mitigating actions.

F. Compliance and Legal Teams: Risk reporting is essential for compliance and legal teams to ensure that the organization operates within the boundaries of laws, regulations, and industry standards. They rely on risk reports to identify compliance gaps and potential legal risks.

G. Regulators: Regulatory agencies are the primary external audience for risk reports. ERM reporting for regulators requires a careful balance; they must help the regulator understand the risks and assure that the organization meets regulatory requirements without providing so much detail that it will attract further review. 

H. Internal and External Auditors: Internal and external auditors need risk reports to understand the organization’s risk profile and assess the effectiveness of internal controls and risk management processes. Risk reports help them prioritize audit activities and identify areas requiring further scrutiny.

I. Investors and Shareholders: Investors and shareholders are interested in understanding the organization’s risk exposures and management strategies. Risk reporting creates transparency and reassures them that risk-related matters are identified, monitored, and appropriately managed.

J. Employees: While not the primary audience, employees benefit from risk reporting as it provides insights into the organization’s risk culture, potential impacts on their roles, and actions being taken to address risks. It helps foster awareness and accountability throughout the organization.

Each audience may have specific requirements and preferences, so producing tailored risk reports for these stakeholders strengthens risk communication and fosters a risk-aware culture.

Good Practices of an ERM Report

Creating an ERM report that adheres to best practices ensures its effectiveness and usefulness. Here are some key best practices to consider when developing an ERM reporting framework:

A. Clear and Concise Format: Present information in a clear, concise, and logical manner. Use headings, subheadings, and bullet points to enhance readability and facilitate easy navigation within the report.

B. Alignment with Objectives: Ensure that the ERM report directly aligns with the organization’s objectives and risk appetite. The content should focus on the most important risks that can impact the achievement of these objectives.

C. Set Measurable Objectives: The report should be tailored to the organization’s objectives. What are the risks that might prevent the organization from achieving those objectives? This is the basis for a good ERM report. 

D. Comprehensive Risk Coverage: Provide a comprehensive overview of risks, including both internal and external risks. Consider strategic, operational, financial, compliance, and emerging risks to present a holistic view of the organization’s risk landscape.

E. Quantitative and Qualitative Analysis: Combine quantitative data (e.g., risk events, financial impacts) with qualitative analysis (e.g., risk descriptions, likelihood, and impact assessments). This approach provides a balanced perspective on risks and their potential effects.

F. Risk Interdependencies: Highlight interconnections between different risks, demonstrating how a risk in one area can impact other parts of the organization. This understanding helps identify systemic risks and potential cascading effects.

G. Actionable Insights: Provide actionable insights to drive risk management activities. Include risk response strategies, control assessments, and recommendations for risk mitigation or avoidance.

H. Historical Trends and Future Forecasts: Discuss historical trends and patterns to identify areas of concern or improvement. Also, provide forecasts or scenarios to help stakeholders anticipate future risks and plan accordingly.

I. Regular Update Frequency: Develop a schedule for regular reporting updates that suits the organization’s needs and risk dynamics. Ensure that stakeholders receive timely and up-to-date information to support decision-making.

J. Clearly Define the Report: Establish a report structure that defines everything from the recipients to the names of input fields and the calculations required to evaluate each risk. Defining the structure of the report should always come before design. 

K. Continuously Evaluate Report Structures: Risks are constantly evolving, so the report should, too. Organizations should always consider whether they must include more risks in the report or additional fields to deliver the correct information about each risk’s management. 

L. Create a Consistent ERM Language: The board of directors may understand and communicate risk differently than the rest of the ERM team. Ensure employees use the same ERM language to reduce miscommunication surrounding the report. 

M. Use Visual Aids: Incorporate visual elements such as charts, graphs, and visuals to support data interpretation and enhance understanding. Visual representations can communicate complex information more effectively.

N. Ensure Data Is Reliable: For ERM reporting to create a competitive edge, the data must be high quality. Validate all risk sources to ensure reporting is based on high-quality, reliable information. Organizations that integrate ERM enterprise-wide are more likely to have access to trustworthy data. 

O. Outline Key Takeaways: Reports can be long, but senior management and the board of directors don’t always have time to read every page. Highlight critical takeaways so they can easily find and review the action items that matter most.

P. Deliver Reports On Time: Whether organizations deliver reports once a month or once a year, the report should always be on-time according to that timetable. ERM teams should also prepare the information immediately before they deliver it since a report that’s six months old will no longer be helpful to the board.

Q. Show Trends Over Time: Presenting trends over time can provide stakeholders with a better understanding of whether the organization’s risk profile is improving or deteriorating. 

R. Make Reports Actionable: Good ERM reports should empower senior management and the board to take action. Recommended actions and strategies should accompany each risk, giving the board the information they need to move forward.

S. Facilitate Effective Decision-Making: All ERM reports should do one thing: allow the board to make better decisions. These reports should clarify the organization’s potential risks and make it easy for the CEO and the board to take revenue-saving and even revenue-driving action. 

T. Continuous Improvement: Regularly seek feedback from report recipients and stakeholders to improve the clarity, relevance, and value of the ERM report. Adapt and refine the reporting framework based on the evolving needs of the organization.

By employing these best practices, organizations can produce ERM reports that provide valuable insights, support informed decision-making, and drive effective risk management processes.

Benefits of effective ERM reporting:

A. Improved risk management: Effective ERM reporting helps organizations to improve their risk management by:

    o Identifying and assessing risks more effectively

    o Developing and implementing more effective risk management strategies

    o Monitoring and improving the effectiveness of risk management activities

B. Increased stakeholder confidence: Effective ERM reporting helps to increase stakeholder confidence by:

    o Demonstrating that the organization is taking steps to manage its risks

    o Providing stakeholders with the information they need to make informed decisions

C. Reduced costs: Effective ERM reporting can help to reduce costs by:

    o Identifying and mitigating risks before they cause damage

    o Improving the efficiency of risk management activities.

ERM Maturity

The landscape of risk today is constantly shifting, influenced by factors such as digitization, remote work, and the unstable nature of today’s economy. 

To develop an ERM reporting system that bolsters organizational performance, organizations must initially focus on elevating their ERM maturity. 

Though each step towards maturity calls for careful planning, the reward is the creation of an ERM framework that cannot just intercept risks before they affect the business, but also convert those risks into potential opportunities.

By adhering to these recommendations, organizations can build efficient ERM reports that effectively articulate both the potential risks encountered by the organization and the measures being implemented for their management.

https://erpminsights.com/qualities-of-a-good-enterprise-risk-management-report/

The 7 strategic KPIs for enterprise service management

Best Practices, Uncategorized, , ,
The 7 strategic KPIs for enterprise service

Enterprise service management (ESM) is changing the landscape of corporations worldwide. The concept is pretty straightforward. Much as IT services are managed according to the 50-year-old discipline of IT service management (ITSM), you can manage non-IT enterprise services such as HR, facilities, and security by using a similar set of principles and frameworks.

By adopting an ITSM framework, your enterprise services can bypass 50 years of incremental, trial-and-error improvement and achieve process maturity in a matter of months, not years or decades. You can achieve the goal of ESM: to deliver higher-quality enterprise services at a lower cost, within a framework of industry best practices.

I’ve written about the eight most important KPIs for ITSM, and these are just as effective for measuring and monitoring the effectiveness of ESM. Here, however, I focus not on those eight tactical metrics, but on the strategic metrics of ESM. So, what’s the difference?

  • Tactical metrics are what you use to manage day-to-day operations. They fall into three broad categories: cost, quality, and speed. Cost per ticket, customer satisfaction, and mean time to resolution are among the most common tactical measures for both ITSM and ESM.
  • Strategic metrics, by contrast, measure the business effectiveness of a function and include ROI, channel mix, tickets prevented, and process maturity.

Remarkably, very few ESM groups track strategic metrics. Instead, they focus almost exclusively on the tactical metrics of ESM: cost, quality, and speed. 

Here are the top strategic KPIs of ESM that your team should consider.

The strategic KPIs of ESM

Tactical metrics measure the effectiveness of day-to-day execution, while strategic metrics ensure that you are executing against the right objectives. 

Customer satisfaction and cost per ticket, both tactical measures, are illustrated on the x- and y-axes respectively in Figure 1 above. These are also called foundation metrics because everything you do in service and support boils down to cost and quality: minimizing cost while maximizing quality.

The other two metrics on the diagram—ROI and process maturity—are strategic KPIs. The three-dimensional surface has been color-coded to show good outcomes (green) and poor ones (red). Good outcomes correspond to high customer satisfaction, low cost per ticket, and high ROI. The thermometer image on the right shows that process maturity is key to achieving the most desirable outcomes. As processes mature, you get better outcomes, both strategically and tactically.

Return on investment

If ESM is a viable business proposition it should yield a positive, compelling ROI. The ROI is a simple ratio. The numerator is return, or the business value created by ESM, and the denominator is the investment, or the annual operating cost of ESM.

The return in our ROI ratio has two components. One is the savings in ESM operating costs that results from the transformation to ESM. The second is the monetized value of the productivity returned by ESM. So, for example, if ESM saves every person in your enterprise 48 hours per year (a fairly typical outcome), you can monetize that cost savings.

The first component of return comes from the savings in the ESM operating cost itself and can be estimated as follows:

  • The average G2000 company will spend about 50% of its operating budget on enterprise services.
  • A successful ESM transformation will reduce that number to around 30% while simultaneously improving the quality of ESM services.
  • This produces a savings of 40% on ESM costs, which contributes to the return in ROI.

The second component of ROI is the productive hours returned to enterprise customers who rely on enterprise services. The average employee in the Global 2000 costs about $110,000 per year, including salary, benefits, and overhead. A typical work year is about 1,800 hours. So, the average hourly cost of a Global 2000 employee is about $61 ($110,000 per year ÷ 1,800 hours of work per year). The productivity savings from ESM are therefore about $2,928 per full-time equivalent (FTE) job in the Global 2000 ($61 per hour x 48 hours saved per year).

Now, let’s assume that we are calculating the ROI from ESM in a company with 10,000 employees. The “average” G2000 company with 10,000 employees will have about $1.5 billion per year in operating expense. We can estimate that before ESM the company would spend about $750 million per year on enterprise services (50% of annual operating expenses), whereas after ESM it would spend approximately $450 million on enterprise services (30% of annual operating expense). This is the denominator of the ROI calculation.

The numerator of the ROI calculation will be the sum of the ESM savings due to transformation, estimated to be $300 million ($750 million pre-ESM, $450 million post-ESM), plus the annual productivity savings due to ESM, which we can estimate to be about $29.3 million ($2,928 in returned productivity per employee X 10,000 employees). The ROI is therefore ($300 million saved in operating cost + $29 million in returned productivity) ÷ ($450 million in post ESM operating cost per year) = 73%.

A 73% ROI for an ESM transformation is not atypical. Moreover, this is not a one-time benefit. The cost savings and productivity improvement that result from a successful ESM transformation will be recurring, year after year.

For anyone who is hesitant to begin the ESM journey, the expected ROI of an ESM transformation should be central to your business case for proceeding.

Channel mix

Channel mix is the percentage of incoming tickets that arrive at the enterprise service desk through various channels. The most common channels include walk-up, voice, email, web, chat, and self-help. Channel mix in ESM is rapidly evolving (see Figure 2 below) and is considered one of the industry’s mega trends. In 2007, voice calls represented almost 80% of all ticket volume. Today, they represent less than 50% of the volume.

There are both economic and demographic key drivers behind this trend. The key economic driver is that voice, which has dominated the industry for decades, is one of the most expensive channels, while chat, email, web, and self-help all cost less.

Customers like channel choice, and as ESM customers adopt and adapt to lower-cost channels, the average cost per ticket 

What about the demographic drivers behind channel mix? If you look at a spectrum of IT users, from those who are newest to the workforce, to those nearing retirement, younger users tend to prefer self-help or the indirect channels of chat and email, while those who have been in the workforce for some time lean much more heavily toward live voice as their go-to channel for support. This trend will continue as newer workers continue to enter the workforce.

Tickets prevented

“The best ticket is the ticket that never happens!” I first heard this truism nearly 30 years ago, and today it’s truer than ever. Preventing a ticket in the first place is always better than handling one triggered by an incident or a service request. But can you prevent tickets from happening, and is there a way to measure tickets prevented? The answer to both questions is yes. 

To measure tickets prevented you must start by measuring another, baseline metric: tickets per user per month (the number of tickets handled divided by the number of users supported). For example, if you handle 10,000 tickets per month, and support 8,000 users, the number of tickets per user per month is 1.25 (10,000 tickets ÷ 8,000 users).

Now assume that you measure tickets per user per month one year later at the same service desk and find that you are handling 9,000 tickets from 8,500 users. Your tickets per user per month is now 1.06 (9,000 tickets ÷ 8,500 users). The number has been reduced by 0.19 (1.25 – 1.06). Finally, to estimate how many tickets you’re preventing each month, multiply the reduction in tickets per user per month by the number of users supported (0.19 tickets per user per month prevented x 8,500 users). That comes to 1,615 tickets prevented per month versus the baseline from one year earlier.

The ITIL discipline devoted to preventing tickets, called problem management, also applies to ESM. I have seen large enterprises cut ticket volumes in half by maturing problem management, saving millions of dollars per year in the process.

Some people have argued that an effective self-help portal can also reduce ticket volumes. But while self-help can reduce the number of agent-assisted tickets, whether or not it returns productive time to the end user is debatable. As a general rule of thumb, users should not be spending more than 10 minutes at a time in the self-help portal. Any more than that, even if the user eventually finds a workable solution, costs the enterprise more in lost productivity than it saves in direct support costs.

Process maturity

Process maturity is the final strategic metric in ESM. It involves measuring the maturity of the service delivery processes that incorporate industry best practices. One globally recognized assessment that’s used frequently to measure process maturity is the SDI Global Best Practices Standard. It addresses leadership, policy and strategy, people management, resources, processes and procedures, managing employee satisfaction, managing the customer experience, and management information and performance results.

The assessment measures maturity on a scale of 1 to 5 for 130 documented industry best practices. Figure 3 below shows one output from the SDI process maturity assessment.

Process drives performance, so as your ESM processes mature you’ll see better outcomes in both your strategic and tactical ESM metrics. In addition, the results of your process maturity assessment will provide a road map for continuous improvement. By focusing on and improving process areas that are weak, your enterprise service desk can improve its process maturity over time and achieve continuous improvement in the tactical metrics of ESM as a result.

Get tactical—and strategic

Process drives performance, so as your ESM processes mature you’ll see better outcomes in both your strategic and tactical ESM metrics. In addition, the results of your process maturity assessment will provide a road map for continuous improvement. By focusing on and improving process areas that are weak, your enterprise service desk can improve its process maturity over time and achieve continuous improvement in the tactical metrics of ESM as a result.

Get tactical—and strategic

Effective management of ESM requires both tactical and strategic metrics. The tactical metrics tell you how well you are executing, while your strategic metrics indicate whether you are executing against the right objectives, such as maximizing ROI, optimizing your channel mix, preventing tickets, and maturing your industry best practices. For any ESM organization that’s interested in doing the right thing, in addition to doing things right, the strategic metrics of ESM are critical to success.

https://techbeacon.com/enterprise-it/7-strategic-kpis-enterprise-service-management?utm_source=newsletter&utm_medium=email&utm_campaign=tbnewsletter274&utm_content=featured

http://www.consultia.co/solutions/it-services/