Enterprise Risk Management [ERM] has come a long way. Since the mid-1990s, ERM has emerged as a concept and as a management function within organisations.
Its emergence can be traced to two main causes. First, following a number of high-profile company failures and avoidable large losses, the scope of corporate governance has widened to embrace the risks that a company takes. Second, shareholder value models are playing a greater role in strategic development. Early strategic planning models paid inadequate attention to risk.
As business risks continue to surge, organizations are finding it essential to implement some sort of formal risk management system. An effective enterprise risk management (ERM) program can help organizations manage their risks and maximize opportunities.
Organisations in all types of industries, public and private, have observed a variety of benefits from enhancing their risk management agendas.
A committee of five organizations dedicated to thought leadership around risk management provided a definition of ERM in 2004. The Committee of Sponsoring Organisations (COSO) defined it as:
“… a process, effected by the entity’s board of directors, management, and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives.”
Enterprise risk management (ERM) is a plan-based business strategy that aims to identify, assess, and prepare for any dangers, hazards, and other potentials for disaster—both physical and figurative—that may interfere with an organization’s operations and objectives.
In simple terms, ERM is a way to effectively manage risks across the entire organization through the use of a common risk management framework. This framework can vary widely among organizations but characteristically involves people, rules, processes and tools. This means individuals with distinct responsibilities use well-known, repeatable processes and the appropriate level of technology to mitigate risk.
According to Thomas Stanton of Johns Hopkins University, the argument for enterprise risk management is not to create more bureaucracy, but to expedite discussion on what the really big risks are.
The fundamental components of ERM are the assessment of significant risks and the implementation of appropriate risk responses. Risk responses include: acceptance or tolerance of a risk; avoidance or termination of a risk; risk transfer or sharing via insurance, a joint venture or other arrangement; and reduction or mitigation of risks via internal control procedures or other risk prevention activities.
The discipline not only calls for organizations to identify all the risks they face and to decide which risks to manage actively, but it also involves making that plan of action available to all stakeholders as part of their annual reports.
Countless organizations struggle with implementing ERM and identifying how, and at what level, to incorporate it into their organization. Managers often say they are already aware of the risks for their respective areas of the business. In these situations, what value does ERM provide, and how does it enable better perspectives and management of risks and risk data?
Organisations often find that ERM programs provide a combination of both qualitative and quantitative benefits. Organizations that have implemented ERM note that increasing the focus on risk at the senior levels results in more discussion of risk at all levels. The resulting cultural shift allows risk to be considered more openly and breaks down silos with respect to how risk is managed.
As risk discussions develop into a standard part of the overall strategic business processes, operational units often find that addressing risk in a more formal way helps manage their part of the organization as well.
Communication and discussion of risk is recognized as not only a process to provide information to senior management, but a way to share risk information within and across operations of the company and allow better insights and decision making concerning risk at all levels.
Studying how organizations manage the exceptionally diverse range of risks they face can play an extremely significant role in investment decision-making. Knowledge of individual corporate “risk profiles” can lead investors to identify up-and-coming companies, investing with the confidence that they could meet corporate objectives and investor expectations.
ERM can facilitate better cost management and risk visibility related to operational activities. It also enables better management of market, competitive, and economic conditions, and increases leverage and consolidation of disparate risk management functions.
Executives struggle with business pressures that may be partly or completely beyond their immediate control, such as distressed financial markets; mergers, acquisitions and restructurings; disruptive technology change; geopolitical instabilities; and the rising price of energy.
Traditional risk management approaches tend to be fragmented, compartmentalizing risks into silos. These approaches often limit the focus to managing uncertainties around physical and financial assets.
Because they focus largely on loss prevention, rather than enhancing enterprise value, traditional approaches do not provide the framework most organizations need to redefine the risk management value proposition in a rapidly changing world.
ERM, on the other hand, provides an organization with the process it needs to become more anticipatory and effective at evaluating and managing the uncertainties it faces as it creates sustainable value for stakeholders.
Then came Covid-19 and many people are asking questions as to what went wrong with ERM. Was ERM on holidays? Was it so blind that it could not see the Covid-19 storm coming?
To be sure, the coronavirus (COVID-19) is impacting businesses globally by disrupting supply chains, travel, production and consumption, and threatening operations and financial markets. Companies find themselves navigating a new reality, addressing issues from crisis response and cyber threats to valuations and financial stress.
As the coronavirus spread beyond China, some organizations reacted speedily to news of even one or two cases among employees, suppliers or clients; others took a more wait-and-see approach. The disparity likely stems, at least in part, from differing approaches to ERM — and reinforces the business case for methods, processes, response thresholds and actions to defend enterprise goals, earnings and capital.
Many organizations failed to consider the COVID-19 outbreak an enterprise risk and continued their business-as-usual operations.
Around mid-February 2020, many in the telecoms sector merely expressed their concerns about how their projects would be impacted if the factories in China that produce the electronics needed for their work shut down. They wondered if that would break an important link in their supply chain and if it would endanger the final delivery of their projects. No action was taken. It was all talk and no action.
For many companies, ERM has become a check-the-box activity during the decade-long period of economic growth, but the coronavirus pandemic clearly shows the need for thoughtfulness and rigor.
According to Matt Shinkman, Practice Vice President, Gartner, “The biggest problems with a pared-down, formulaic approach to ERM often don’t emerge until it’s too late. Complicated flowcharts and in-depth policy manuals intended to guide escalation decisions during a crisis are often difficult and time-consuming to follow; they aren’t a substitute for an effective ERM function.”
Gartner research shows that the most effective ERM programs require:
• An agile “impacts-based” approach to create crisis escalation procedures; and
• A business leader responsible for monitoring for a specific type of risk who gives clear, simple guidance about when it is appropriate to escalate risk information to the crisis management team.
Coronavirus is exactly the type of fast-emerging risk with uncertain consequences that can be ignored until it’s too late for traditional escalation procedures to be effective.
When reports of lockdown came from China, most organizations in the West, Africa and around the world had weeks to act on this information but chose to wait and see.
In this scenario, the threshold for escalation is too high because it relies on a trigger where operations have already been badly affected. Better-prepared companies responded to news of minimal spread and rapidly drafted contingencies before the situation deteriorated much further.
Gartner research shows that an agile response occurred far more often when clear processes already existed to report and escalate absences or issues due to infectious diseases.
In other words, a proactive ERM team had already set the threshold for escalation quite low to account for the potentially extensive consequences of the risk if no action occurred. Line management also felt empowered to raise the issue and this led to swift and effective mitigation.
Coronavirus may have drawn executive attention to ERM, but it’s critical they understand that the business benefits extend far beyond avoiding a crisis.
The key to delivering effective ERM is to ensure that business executives contribute to estimating and defining the enterprise risk appetite. This also ensures that ERM can assign risk ownership at the highest level of organizational decision making.
This view clarifies and formalizes the enterprise position that certain risks, such as a pandemic, are threats to strategic objectives like business growth. Leaders can then agree in advance that however remote a risk might seem, its emergence will trigger decisive and quick action to mitigate the effects — driven by a preset team of owners and actions.
Aligning ERM with strategy also positions an organization to take certain risks to seize opportunities that might otherwise be missed.
“Risk is like cholesterol; there are good and bad kinds,” says Shinkman. “The bad kind manifests in wrongdoing or poor decisions, but the good kind helps an organization to take bigger, riskier growth bets — which is the single biggest differentiator of profitable growth.”