ERM: Time To Take The Profession Seriously
Enterprise Risk Management has become an absolute necessity. Companies have been managing risk for years but traditional risk management is becoming increasingly ineffective because of the dynamics of the business environment. What is required today is a more holistic view of the risks which confront the organisation, which is what ERM provides. No less important are the ERM professionals who make ERM work. The driving force behind this all-encompassing management tool, they are the ones pivotal to increasing awareness of the risks which face businesses, and enabling organisations to rise to their challenges in an effective and timely manner.
Awareness of risk is crucial
ERM is not just for big players with an extensive set-up, multiple departments, numerous lines of business and subsidiaries abroad either. It can deliver many benefits to SMEs as well because of its all-encompassing principles, and its scale-up/scale-down nature. Smaller firms which apply ERM appropriately may see increased efficiency and effectiveness of operations. The ERM process creates awareness of risks which could affect the business. Identifying and addressing such risks helps the business strategise better. Key performance indicators have shown that organisations which have applied ERM principles have achieved higher operating efficiency and saved on costs as well.
Insights about risks that emerge from the ERM process are important strategic input for the firm. Being proactive about the organisation’s risk goes a long way towards reducing it and minimising negative impact. ERM is particularly good at dismantling silos and getting people to work together, which is imperative to developing the right organisational culture. Despite its proven efficacy, however, many companies are still wary when it comes to ERM, often because of the resources which they think need to be allocated for its deployment. But one of ERM’s advantages is that it is scalable. It can be applied in one department or subsidiary first, then extended to other units as required.
Support at the highest levels
What it needs is buy-in from all levels of the organisation, beginning with the Board. Board, management and staff need to be convinced that ERM’s contribution to the firm’s vision, mission and strategies is completely in alignment with the firm’s objectives. The ERM team, headed by the Chief Risk Officer (CRO), has the responsibility of putting best practices in place throughout the organisation. This is a critical position as the CRO has to be adept at facilitating the identification, assessment, analysis and mitigation of risks that confront the whole organisation. The CRO and the Risk Management team support the business line in this process.
Together, this team crafts a comprehensive picture of the whole organisation and its risks. ERM frameworks, systems, processes and procedures already exist; some have been effective enough to have even become industrial game-changers, as regulatory requirements. But amid the identification, assessment, measurement, monitoring and feedback, it has become evident that the cornerstone is the human component. For ERM to be successfully implemented, the people who will benefit from it have to understand it and take responsibility for it. But for them to be able to do this, they need heightened awareness of ERM’s benefits, which implies the appropriate training.
People at the core of ERM
ERM practices have to be integrated into systems and processes; they cannot work decoupled from other aspects of the business – which means they cannot function effectively where organisational silos exist, and the free flow of information is impeded. One of ERM’s biggest challenges is the lack of communication caused by silos. Ideally, staff should be engaged enough with their jobs to be able to identify where threats lie, but this doesn’t always happen, very often due to miscommunication or non-communication. Open communication that provides diverse perspectives and feedback from different sectors of the organisation is therefore imperative.
Risks are unique and may not always be obvious, and what may constitute a risk for one department may not be viewed as such by another. The important thing is to identify all the issues that confront the organisation, and assess them accordingly so that awareness can be raised across the firm. The idea that “we’re all in this together” is crucial to ERM. People who feel that what they are doing in the course of their jobs affects them directly – perhaps even beyond the workplace – will be more invested and engaged with their work. ERM helps them to see that what they do matters, especially when the feedback they give on systems which they deal with on a daily basis successfully identifies risk or mitigates it.
But the team is only one part of the entire ERM effort; risk management really starts at the top, and is ultimately the responsibility of the Board. The CRO, as senior management, is answerable to the Board, as all C-Suite executives are. Responsibilities of the CRO are onerous; input about risk management is integral to guiding organisational policy and strategy, and can determine the firm’s objectives. But this has to be high-quality, verifiable information with integrity, as it is expected to support the Board’s decision-making. The CRO, therefore, has to juggle risk management functional requirements, while having an eye on alignment with strategy and objectives.
In the past few years, various disruptive incidents – natural disasters and human-made ones – have turned the business environment into an increasingly uncertain one. Organisations are beginning to realise that waiting for risk events to occur, and only then trying to mitigate the damage, is not a sustainable way to do business. The alternative is to anticipate what could happen, and put measures in place that minimise the negative impacts. In addition to the focus on opportunities and improving the quality of decision-making, ERM focuses on the risks that challenge organisations, helps them build on their abilities and optimise their resources so that they can identify and mitigate the risks which prevent them from reaching their goals.