ERM has been gaining traction in recent years. Many organisations, non-profits included, have been using their frameworks to develop systems, processes and procedures to manage risks, and have reaped the benefits. However, uptake could be even faster and more widespread if more people were convinced of its efficacy. While ERM does have a lot going for it, the perceived work involved in getting it up and running may be one of the reasons why firms steer clear. Implementing it is a simple process which, under the wrong guidance, can quickly become complicated. Bearing this misguided belief in mind, firms are just not ready to commit the resources they believe are required to make ERM happen.
While the structured processes of ERM undoubtedly translate into more efficient management of a company’s risks, this same complexity may make it difficult for some people to understand its principles and application. Very often, the deeper they delve into ERM, the more complex it may appear if they do not understand the final destination. This can be quite time-consuming to begin with, particularly if they are looking for quick solutions. Many firms are guilty of this; the pressures of today’s business environment leave them with hardly any time to breathe. Time has become a luxury, and the details of ERM require more than just one sitting. The lack of time therefore severely curtails the thorough thinking and planning required for effective ERM.
However, it is well worth the time and resources invested in understanding ERM, as the knowledge derived through its processes may provide more robust information to the Board and Management. Make no mistake; ERM requires a proper understanding to be effective, and the process can require proper documentation. Again, it becomes a matter of not being able to spare the resources to accomplish this. Additionally, a failure to understand the holistic scope of ERM may cause a lack of focus in the organisation trying to apply it, which can be a challenge.
ERM is simple; the complexity arises from the fact that culture, buy-in and support are critical. Firms may be unable to determine what to measure, or find – after expending limited resources – that they have been measuring the wrong thing. This may frustrate the implementation of ERM, and demotivate the people involved. It may also give rise to a fear of failure, and people becoming reluctant to share information. As a result, people may retreat further into the silos and compartmentalisation inherent in most organisations. However, those who want to implement ERM in their respective organisations should not be discouraged; even experts in the field agree that this is not the easiest thing to do.
Observers and analysts who have tracked the development of ERM over the past decades point to a few major issues, such as the lack of universal acceptance of an easy-to-understand/implement framework such as ISO 31000:2018. Current alternative frameworks such as COSO are not internationally recognised, do not really address the tenets of ERM and may lack sufficient clarity. Also, there are those who do not understand ERM who opine that ERM tends to be reactive when it should be proactive. If there is no proper understanding of ERM at the outset, it cannot be applied effectively.
ERM practitioners should consistently preach the mantra of “planning for the worst while hoping for the best!” ERM training sessions accordingly include imagining worst-case scenarios as part of risk strategy. Organisations wanting to implement ERM sometimes try quick-fix methods, including buying apps off the shelf. But these almost always fall short because there is no one-size-fits-all solution. ERM systems, processes and procedures need to be customised to the individual organisation because each organisation has its own peculiar characteristics, values and norms that make up its own culture.
Another challenge with ERM is that, if implemented wrongly, it will not be able to showcase its value-creating function. This may lead to the misinformed conclusion that it consumes resources but does not produce commensurate results; its costs are not justifiable. One way to overcome this and get buy-in is to implement a less comprehensive or limited ERM programme on a trial or pilot project basis in one department or business unit. This could be effective in demonstrating to management and the Board that it should be applied organisation-wide. For organisations that have yet to adopt ERM but want to, convincing the Board that it is necessary may well be the most difficult step. Those championing ERM could perhaps find success stories in support of their efforts.
Understanding and implementing ERM is not easy, particularly when those advocating for it have to deal with sceptical management or an ambivalent Board. It needs people who can understand its complexities, have a grasp of its technical aspects, and have a talent for deep-diving into details. ERM, properly implemented, creates value for the company. It also helps the Board and management see where potential pitfalls are, and helps them deal with these in a structured, systematic manner. When flashpoints and challenges become obvious, ERM manages them more effectively, lessens disruption and helps management and the Board make the right decisions.