There are many reasons why companies “sign on” for ERM. One reason may hinge on compliance; they need to show industry regulators that they are indeed doing what they are constrained to do by law. Financial institutions and insurance companies, for instance, are required by the central Bank or other regulators to demonstrate that they have all their risk bases covered, and one way of achieving this is to apply the discipline and practice of ERM to the whole business. Because of these regulatory requirements, many ERM practices may become embedded in the business over the long term, and may have even gone through several iterations before reaching their present levels of application.
While Finance and Insurance appear to have a head start on ERM, it needs to be understood that what these two industries have laboured over many decades to develop, is peculiar to their respective industries. Financial institutions and insurance firms have very different risks from each other and other industries as well, even though on the surface, they may appear to have many elements in common. This is one of the main reasons why ERM is bespoke; it needs to be customised to the requirements of the organisation which is using it.
Understanding and acceptance of ERM will also occur at different levels, within the different units of a business. The finance function will view risk very differently from the HR function, and even among individual employees, knowledge and awareness of ERM will vary greatly. The process of developing a viable ERM framework for the organisation will depend on how much the firm actually wants to commit to it in terms of resources as well as the level of support and tone from the top. Will it be reasonable to expect staff to go for training and implement ERM, in addition to managing their own jobs? How much training can the company afford to give, and how much is staff expected to give in return?
Even though ERM is ultimately for the overall well-being and long-term sustainability of the company, there will always be resistance to its implementation because it is difficult to see its tangible advantages, initially. Also, the scope – or rather, the magnitude – of ERM can be quite overwhelming for staff who are only just beginning to immerse themselves in its concepts. Staff should feel engaged enough to give feedback unencumbered by protocol. Channels of communication should be clearly designated, and staff should be encouraged to be frank and open in order to arrive at consensus for and of the well-being of the organisation.
So what does it take for an ERM programme to gain traction and be effective? In a nutshell, it takes the people in the organisation to recognise a need for it, and for this to happen, there will have to be consciousness-raising about what it is, and what it can do. There will have to be education and training. Most of all, there will need to be realisation of its true value, and how much it will be worth to companies which learn to apply it properly.