Enterprise Risk Management is not about Risk Management
As obvious as it may appear, it's the word "Enterprise" that makes all the difference. Experts and analysts offer various definitions of Risk Management (RM), but the most widely accepted one describes it as a bottom-up process that focuses primarily on losses, costs and the negative side of risk; that is heavy on compliance and specification; and that is reactive. Enterprise Risk Management (ERM), on the other hand, has a much broader scope: it considers all the risk factors faced by the enterprise and helps the Board and management make informed decisions within the organisation's acknowledged risk appetite. While ERM, like RM, does look at compliance and the downside of risk, it is a top-down (as well as bottom-up) process that can prevent and mitigate loss and find opportunities in adversity for the firm, thereby creating value.
ERM is big-picture risk management; it adopts a holistic approach, placing risk within the portfolio of things that must be managed for the organisation to achieve its objectives. While individual departments or business units usually deal with their own risks, ERM needs everyone to be involved, from frontline staff to Board level, to be truly effective. RM is ostensibly undertaken with the objective of preventing loss, whereas ERM has other, more far-reaching aims, such as lowering the organisation's overall risk and increasing its sustainability, which in turn produces savings and increases value for the firm in the long run.
Experts see RM as localised, whereas ERM is instituted across the whole organisation, overseen by the Board, and encompasses a set of solutions or frameworks that form part of the organisation's strategy. Because RM is localised, resolving issues is fairly simple and may extend no further than obtaining adequate insurance to ensure that a loss can be covered. ERM, by contrast, considers all risks faced by the business, analyses them and tracks trends that may develop into full-blown threats; it goes deeper than traditional risk assessments and treatments and takes a macro, enterprise-wide view of both known and unknown risks to the organisation.
RM usually kicks in as a result of an event or incident; ERM does not. It takes a proactive rather than a reactive approach, scoping out possible problem areas and developing treatment methods before an incident occurs. Instead of waiting for the incident to happen and only then dealing with the fallout, ERM posits what could happen and works out the measures that should be taken, taking into account the firm's resources and capabilities. This decreases the firm's vulnerability and increases its resilience, which in turn shores up its competitiveness and sustainability.
While RM is targeted, in that it addresses risk locally, it does not adequately deal with the knock-on effects of those risks. In today's business environment, it is rare for a risk incident not to affect other areas as well. But if RM addresses only local risks, who "owns", or is responsible for, the risks that arise as a consequence of the first incident? These secondary risks may slip under the radar and compound, creating further issues for the organisation. ERM, on the other hand, connects the risks because it looks at the whole picture; risks are owned from the outset, and all organisational risks are managed strategically.
This puts the organisation in a pre-emptive mode: it is ready to deal with issues and challenges and can take them in its stride while it gets on with the business. The proactive approach has two advantages: it secures the business by identifying possible threats, and it identifies where controls may be lacking in the face of future threats. It also raises awareness of possible risks among the staff who will be the first responders to any incident. ERM tries to cover as many bases as possible because, on any given day, the range of risks confronting a business can be daunting. It is better to prepare for the worst and hope for the best than to be complacent.
Where RM looks exclusively at risk, ERM takes it a step further by understanding what underpins it, and in doing so can assess and define the organisation's risk appetite, i.e., how much risk it is willing to accept in pursuit of its strategy and objectives. Every organisation must deal with risk, but not all risk is bad; higher returns generally come only with higher risk. Companies that know how to balance their risks can therefore take advantage of opportunities more effectively than companies that are risk-ignorant. Implementing ERM means integrating risk, strategy and performance in a sustainable way, and corporate governance becomes more transparent through the increased oversight that ERM entails.
Again, this may not be obvious at the outset, but as ERM processes gain traction and its frameworks and systems fall into place, the organisation will see its risks brought under holistic management one by one. It will also see an appropriate risk culture develop throughout the organisation. Without ERM, the organisation may still be managing its risk, but each department or business unit may be doing so independently or in silos, which can cause the enterprise as a whole to miss opportunities it would otherwise have been able to capitalise on.
Ultimately, ERM supports the organisation in its efforts to "get ahead of the curve" and take advantage of opportunities. Properly applied, ERM becomes a decision-making tool that can be embedded in the culture of the organisation, integrate with its strategies and objectives, and leverage its resources to improve performance, spur growth, give it a competitive edge and maintain its sustainability.