Organizational Risk Treatment Assessment (ORTA)
A series of mission-critical business processes supports every strategic goal. The organization’s ability to effectively orchestrate people, processes, technology, facilities, and controls while remaining within agreed-upon risk tolerances is challenging to achieve and maintain consistently. The objective of this analysis is to identify excessive operational, financial, and compliance risk, as well as gaps between current capabilities and desired target states of residual risk.
Cultural elements must also be considered to gain a more accurate understanding of the likelihood that an organization will achieve its strategic goals and objectives while remaining within approved risk tolerances. The less obvious, harder-to-document components of integrated risk management (IRM) are influenced by performance/rewards programs, cultural bias, and historical norms. These subtle characteristics are often more objectively evaluated and identified by an independent, external observer than by a seasoned internal employee.
Most organizations rely on a three-lines-of-defense model to achieve an agreed-upon target residual risk state. For the program to be effective, three core objectives must continually be met.
- The organization must establish an agreed-upon approach on how risk will be described and evaluated across the organization.
- A culture must be established that supports challenges to the risk management decisions made by first-line members.
- The organization must be able to aggregate and accurately represent its continually changing risk posture in a way that is easy for senior leaders to understand.