ERM vs ORM: Do You Want to Just Manage Risk or Drive Outcomes?

Explaining that although there was a lot of misunderstanding about the relationship between ERM and ORM, Friday Concepts Group MD Ramesh Pillai said that risks still need to be managed efficiently. Risk management involves the ability to identify, assess and mitigate potential threats and uncertainties that could disrupt business operations and the achievement of business objectives. These risks could range from natural disasters and supply chain disruptions, to cybersecurity breaches and regulatory changes. Organisations must be able to anticipate and respond to these challenges.

In addition to an effective response, any strategy would need to help organisations reduce negative impacts and ensure organisational sustainability, agility, resilience and business continuity as well. Regardless of whether the thrust was just managing risk or driving outcomes for the business, seven items needed to be addressed: the definition of ERM vs definition of ORM; the aim/intent of ERM vs ORM; main tools: ERM vs ORM; efficiency vs resilience; risk mitigation; continuous improvement; and data-driven decision-making.

In ERM, risk is defined as anything that stops you from achieving your objectives, whereas in ORM it is the risk of loss arising from inadequate or failed people, processes, systems and other external events. “Because in ORM, risk is bad, the idea in ORM is to minimise or eliminate the risk because there is no risk-return trade off,” Ramesh explained. “In ERM, risk is about achieving organisational objectives. In order to achieve organisational objectives, there is always going to be a risk-return trade off. The higher the risk, the higher the returns.”

On the aim/intent of ERM vs ORM, he said that with ERM, it was the optimisation of risk because of the need to strike a balance between risk and returns. “You are not trying to minimise the risk,” he said. “You are trying to optimise it.” Organisations may decide to increase the risk because they want higher returns, while other organisations may want to decrease risks, and some may increase or decrease in some parts. In ORM, on the other hand, the intention will always be the reduction or elimination of risk, regardless of which part of the organisation one is in.

The main tool of ERM is the Risk Register, while the main tool of ORM is the RCSA. “Bear in mind that the Risk Register and RCSA are different tools which do not even look the same,” Ramesh cautioned. “You cannot use one for the other. The RCSA document is designed to push you towards minimising or eliminating the risk. When you are looking at ERM, you need to look at objective-centric best practice approach as opposed to taxonomy.” Describing the taxonomy approach as old-fashioned, out-dated and not best practice, he said that many companies had not yet made the leap to best practice.

With the taxonomy approach, the risk is identified using pre-defined definitions and sometimes an effort is made to link these back to the objective. In contrast, the objective-centric approach means starting with the objective and then identifying the risk. “This pushes us towards considering whether we want efficiency or resilience,” he said. “The tension between efficiency and resilience actually is at the core of the relationship between ERM and ORM.” Efficient operations drive profitability; resilience ensures the organisation can withstand shocks and recover quickly from disruption. Both contribute to sustainability.

ORM is all about making organisations better in terms of efficiency; operational excellence and efficiency can contribute towards risk mitigation by identifying vulnerabilities and efficiencies in processes. Streamlining operations and reducing complexities can reduce the risk of errors and disruptions. This is where ERM and ORM can work together. “This brings up the question of continuous improvement,” Ramesh said. “A culture of continuous improvement is a key aspect of operational excellence.”

Continuous improvement allows organisations to adapt to changing operational or other risks, or any external shocks. Regularly reviewing and enhancing processes helps identify potential weaknesses and reinforces resilience. Operational excellence and risk management both rely on data analytics to drive decision making. “The risk manager of tomorrow is not going to be someone who does ‘donkey work’ – the administrative/clerical work that does not add value,” he said. “Risk managers of tomorrow are likely to be more analytical.”

They are also more likely to sit with management and other teams, trying to guide them within their risk appetite, or in such a way so as to induce a risk appetite exclusion, extension or exemption from the Board and management. Companies today cannot afford to be complacent; competition is gruelling and global. Businesses and industries are becoming increasingly concerned with both local and foreign competition; products and services from other markets or parts of the world are constantly emerging.

Information is everywhere and customers are connected 24/7 these days; they have access to information at their fingertips. It is important to capitalise on the speed of information flow, and not sit and watch it fly by. “If you don’t watch what is going on in the rest of the world, you will not be prepared to deal with it when it arrives,” Ramesh cautioned. Mobile apps, for example, are turning industries upside down. Online banks are offering alternatives to traditional banking, and online delivery is changing the way that even everyday products are being bought.

Businesses need to evolve to survive; realising and accepting new ways of doing business is exciting and can create many opportunities for individuals and organisations alike. “If you want to drive outcomes, pursue a blue ocean strategy, or do things slightly differently, you need to consider taking risks,” he said, adding that the alignment of an organisation’s risk management strategy and operating performance needs to be a key Board priority. Organisations must construct more resilient strategy; risk taking is fundamental to economic reward.

“The challenge is to recognise which risks offer the greatest potential, and understand how to manage those specific risks to enhance performance, drive value creation and enable long term viability,” he advised, stressing that effective risk informed strategy decision making must answer fundamental questions such as, are the right risks being taken to create value; what risks to accept and which to avoid; is sufficient investment being allocated to optimise finite resources; are we taking the right amount of risks; and are we giving appropriate returns?

Many organisations realise that their strategic planning efforts lack a risk vs opportunity discipline and an integrated performance management focus. Many conventional ERM programmes are disjointed from strategic planning. “This disconnect means that ERM is not well positioned to add value by informing business decision making and ensuring that limited resources are allocated properly to the most significant risks,” he said. Most ERM programmes do not align critical risk informed decisions with strategic goals and objectives.

Organisations must shift from focusing on protection to a grow-and-protect business mindset. This shift will enable business leaders to focus on seizing the upside risks that can be realised, from mergers and acquisitions to launching new products and services, to expanding new geographies. Firstly, organisations should consider risks they know well and are capable of preventing or effectively mitigating. Secondly, they should recognise risks that are inherent to strategy and demand more focus. Thirdly, there are risks that are not fully recognised, which may be unpreventable.

To enable a proper effective risk management framework, organisations must understand what kind of risks they will face. “There are three key lay categories of risk: upside, outside and downside,” Ramesh said, adding that these were simplistic terms usually used to explain to those less technically minded. Upside risks offer benefits and present opportunities to enable business strategy and achieve performance management objectives. Examples of upside risk that could impact an organisation include innovation, technology as an accelerator and/or expansion into new markets.

Managing upside risks requires the selection of strategic risks; improving the organisation’s ability to manage risk events; establishing risk tolerances, predicting the impact of possible risk events, and monitoring key risk indicators. Outside risks arise from events outside the organisation’s control, and can offer negative or positive benefits. Organisations cannot influence the likelihood of these events but they can reduce the cost of the impact or manipulate the opportunities that come up. Examples of outside risks include competition, legislation, natural disasters, tariffs etc.

Addressing these risks requires identification and mitigation of the impact through scenario analysis. Organisations should try to figure out the most likely scenario, then apply actions or mitigation to deal with the potential downside, and to be ready to manipulate the potential upside. The third category, downside risks, are risks that arise within the organisation, i.e., internal risks that are confirmable and should be eliminated or avoided, such as cybersecurity, fraud, and regulatory non-compliance. All of these are operational risks.

Managing such risks comes through active prevention and designing controls to mitigate them. Organisations need to recognise the shortfalls in their risk identification processes and educate themselves on the implications of upside and outside risks, particularly as it pertains to strategic planning and performance management. Risk is not always bad. Steps should be implemented to identify, monitor and proactively manage upside risks, and seek out opportunities to leverage their potential.

When they take this approach, businesses seize a competitive advantage by engaging with the various unknowns that they will encounter, and will have to proactively convert those unknowns into strategic opportunities. Companies must also realise that outside risks can threaten their existence, and significantly impact their strategies. “Many organisations unfortunately only focus on outside risks that seem obvious,” Ramesh said. “They fail to recognise the full universe of forces that affect their business.”

The management of outside risks is often disjointed from strategic planning, resulting in missed opportunities. Organisations thus need to link analysis to strategic planning, and go beyond just value protection and compliance, focusing directly instead on value creation through the integration of business performance objectives and metrics. “Having ERM anchored in strategy will not just encompass evolving and managing threats but will also maximise value to enhance business performance and resource allocation for the opportunities that may lie ahead,” he said.

Advocating the development of a performance framework, he cautioned that three things needed to be understood: what constitutes success as defined by the performance drivers; what success is measured by performance measures or KPIs; and the application of performance measures to strategic drivers. “Management teams will see a benefit by applying this approach to how they make their decisions, and the impact of the decisions on performance because this method is an essential toolkit for avoiding scenarios that might result in detrimental impacts,” he said.

Noting that there was often misalignment between an organisation’s risk appetite and tolerances and its selected risk response strategies, he said that this meant the risks which have the greatest potential impact on strategic initiatives or the competitive viability of the business model, could result in a potential loss of competitive advantage. ERM was needed to inform business decision-making, using data and metrics. Risk professionals should therefore help organisations to evolve from qualitative to slightly more quantitative ERM.

ERM must help the organisation understand and analyse its risk drivers in relation to strategic objectives, identifying key financial metrics and focusing on targeted mitigation strategies which will reduce the volatility related to business outcomes and financial performance. A structured approach leverages metrics and risk quantification, and allows organisations to identify critical sources of volatility that could adversely impact strategic objectives and performance measures.

“For organisations to fully leverage the benefits of risk management, they should define how this quantitative information is integrated into strategic planning and more broadly, how the organisation makes decisions,” he said, adding that rather than creating a separate routine, ERM must be seamlessly integrated within the existing business planning routines. “This practical approach will ensure the accuracy of risk management analysis to setting business objectives, and help to strengthen oversight of risks across the whole organisation.”

It will also align risks with performance management goals by balancing risk and rewards, and help drive consistency in data gathering, analysis, and reporting to the Board and Senior Management. By adopting a culture of continuous improvement, companies can gain a competitive advantage, achieve consistent results and successfully adapt to changes and disruption in the business environment. But ORM needs to be properly integrated into ERM, and strike the right balance between efficiency and resilience.

“Organisations which prioritise both ORM and ERM, and operational excellence and strategic sustainability are better equipped to not only optimise their processes and reduce costs but also to withstand disruptions, adapt to change and ensure business continuity in the face of the kind of uncertainty we face today,” Ramesh concluded. “The bottom line is that it really doesn’t matter whether you want to just manage risk or drive outcomes. If you just want to manage risk, wouldn’t it be better to manage risks in such a way that you could drive outcomes properly?”
