The term “Enterprise Risk Management” (ERM) was first used in the late 1990s. While its common definition as an enterprise-wide strategy for identifying and preparing for the most impactful risks faced by organisations is as relevant today as it was then, ERM is now widely used for identifying new opportunities and building organisational resilience as well. Companies are faced with managing risks every day; one of the main challenges of ERM is how to integrate risk management across the organisation. ERM concepts must be properly communicated and understood so that they align with overall strategy, become part of the culture, and are accepted by employees at all levels.
Many companies still manage risk at individual business unit level, but more benefits may be realised by integrating risk management into strategy setting, business planning and performance management. ERM concepts and the initiatives that are developed from them are essentially efforts to build up the organisation’s risk intelligence. Risk intelligence can be built up by creating a structure or process that facilitates risk conversations across the business. This will allow employees to connect with and appreciate the concept of risk intelligence, thereby supporting the implementation of ERM across the organisation.
ERM is a strategic tool for the measurement, mitigation and management of uncertainties. It identifies, assesses and manages risk in order to improve an organisation’s decision-making so that it maintains competitiveness, growth and sustainability. ERM also helps organisations develop flexibility and agility, including the ability to pivot quickly in the face of uncertainty and in rapidly changing business environments. ERM objectives focus on developing a strong risk culture, aligning strategy across the organisation, establishing robust corporate governance, ensuring legal compliance and maintaining the organisation’s good reputation overall. In doing so, ERM supports the firm’s value creation efforts.
Some believe that ERM initiatives may require massive commitments of time and other resources, create an unsettled working environment, or provoke resistance to change. But even small improvements to the way things are done can be meaningful and, over time, may become the foundation of a strong risk management culture and organisational resilience. Sometimes ERM initiatives or activities may already be in place through the implementation of certain internal controls, without employees recognising them as such. The company may then be able to build on these controls or refine them further, intensifying or increasing training and awareness, and making ERM more acceptable throughout the organisation.
ERM concepts entail taking a holistic approach to identifying, assessing and managing the various risks encountered by the organisation in the pursuit of its objectives. These concepts consider risks across all parts of the organisation, and recognise the interconnectedness of its various functions, policies, procedures and processes. This is unlike traditional risk management, which tends to focus on specific areas, departments, or individual business units. The integrated approach of ERM not only identifies, mitigates and monitors risks but contributes to strategic planning as well. Ultimately, this supports the organisation in its decision-making processes, and continuity/sustainability efforts.
Critical success factors of ERM are policy and framework; culture and environment; accountability and authority; performance measurement; monitoring and management oversight; communications; and the appropriate technical platform. Many companies which set out to implement ERM may view it as a one-size-fits-all solution, but ERM should be customised to fit the individual company’s requirements. A thorough understanding of all aspects of the company is necessary for the implementation of ERM, so that the company’s specific needs and objectives are identified and ERM may be correctly scaled up or down accordingly.
An appropriate framework can be developed, preferably in collaboration with the different sections, units, departments, and subsidiaries of the organisation, so that it will be acceptable to all of them. It should be noted that ERM is an iterative process: once risks have been identified, assessed, and responded to or mitigated, a process of monitoring is set in place, and the cycle resumes. Thus, an ERM framework appropriate to the organisation’s needs is imperative. Based on ERM concepts, such a framework should take into consideration objectives like embedding long-term risk management into policies, strategies, processes and procedures.
It should also promote a strong risk culture and compliance with laws and regulations in the jurisdictions where the company operates; and develop a robust governance structure. The effective application of ERM also necessitates the appointment of a Chief Risk Officer (CRO). The CRO is a C-suite position that reports directly to the board; the CRO helps to develop the organisation’s ERM framework. Having an ERM framework is particularly advantageous as it puts into perspective the various common issues and challenges that confront organisations which want to establish the necessary checks and balances.
These issues often include identifying, assessing, mitigating and monitoring risks; the need for clear communication; implementing or developing a viable risk culture to support the organisation; dealing with technological or legacy matters; managing stakeholders and their expectations; and managing employees’ resistance to change. ERM concepts encompass aligning the organisation’s risk appetite; enhancing its risk response decisions; improving the deployment of its capital; identifying and managing multiple and cross-enterprise risks; reducing operational surprises and losses; and preparing the enterprise to seize opportunities.
Essentially, applying ERM will help an entity to get where it wants to go, and avoid pitfalls along the way. It will build a good understanding of risk and risk appetite, review and build risk assessment into corporate systems, processes and decision points, and encourage ‘smart’ thinking about risk.