Appreciating how enterprise risk management works is crucial
Just implementing Enterprise Risk Management (ERM) doesn’t mean that all your organisation’s risks will magically disappear.
That’s not how ERM works. It works when you keep working at it. But what does this mean, especially for companies which are convinced that ERM is the way to go, but lack the funds and expertise? First, you take a long hard look at what your company actually needs. Then you inventory your resources. These two steps will help you understand your organisation’s needs within the context of its industry and environment. They will also help you understand details about your organisation which may not have been obvious before.
Your organisation will have changed in structure and character over the years. It may not even resemble the original business. Things change; people change. Because of this, ERM has to be a dynamic, ongoing activity that needs constant updating to be effective. ERM frameworks, systems, processes and procedures cannot run themselves. They need constant input to generate the kind of information that supports effective decision-making. Organisations which implement it cannot limit themselves to ticking boxes and considering their job done. Establishing ERM practices is the first of many steps on the company’s journey towards sustainability, agility, resilience and growth.
ERM is intended to support the decision-making processes and long-term strategy of the organisation. To be able to accomplish this, it has to be comprehensively understood. Some people in the organisation will, of course, understand it better than others. But everybody has to want to make it happen because it is good for them. ERM’s systems, processes and procedures should therefore be constantly reviewed to ensure they are performing as expected. It’s like making an investment: you track and tweak it so that it gives better returns. Within the context of an organisation, this is a major challenge because it involves staff at all levels.
But the value of ERM lies in its ability to help people identify where possible hotspots are, and mitigate these. As their understanding grows, they become aware of how it helps increase their productivity and value. For instance, they may be paying too much attention to areas which don’t need it. Realising this could result in redeploying their always-limited resources more effectively. Attaining this level of buy-in is time- and resource-consuming but the firm can customise ERM to its needs. ERM is scalable; it can be expanded as the firm grows. It can also be scaled back as the firm recognises that some areas don’t need as much attention as others.
This is where the information gathered plays a crucial role. It will point out where resources need to be deployed to mitigate possible problems; it helps the firm prioritise. In the process, the firm will be developing its own guidance systems – i.e., its strategy – to navigate its challenges. These challenges will change as the business progresses, so strategies and mitigative measures must evolve in tandem. The business environment is dynamic; ERM is therefore never static. It responds to the conditions around it, and becomes more supportive as it incorporates more information from its surroundings. What develops from this flow of information is an organisational risk culture.
How then should companies respond to ERM, to fully benefit from it? They should communicate clearly, comprehensively and concisely; organisations should dismantle their silo mentalities. They should be honest with themselves and their stakeholders about their shortcomings. These should be concertedly and transparently addressed if the firm wants to increase its competitiveness and sustainability. Data integrity should be assured, to appropriately support decision-making; this could really make or break the organisation. Ultimately, ERM moves organisations forward, and keeps them on the path to achieving their goals.