Implementing ERM effectively in an organisation depends to a great extent on the ERM framework that is used. In fact, the ERM framework, correctly established, may be the guiding principles that help to establish the basis of overall organisational health and sustainability. But because each organisation has individual characteristics and needs, frameworks need to be customised. Every framework starts with the identification of the organisation’s growth strategy, its objectives, vision and mission, as well as its risks and opportunities. All organisations have to take risks; what needs to be maintained is the balance between aversion to risk and aggressive risk-taking.
The ERM framework, therefore, has to enable the organisation to deal with the risks that will confront it while continuing to build value. It will also need to take into consideration the volatility of the environment the firm is operating in, together with market trends and dynamics. The framework will not be able to address all issues but it will give Board and management some idea of the extent of the risks they will have to deal with, and support them in their efforts to mitigate these. The firm’s response to its challenges will be dictated by the kind of framework it puts in place. There are several frameworks already in use by companies operating in various industries.
These frameworks include systems and best practices which assess and mitigate potential risks, as well as designating roles and responsibilities, risk identification methodologies, risk appetite statements and prioritisation, and monitoring and reporting. The COSO ERM framework, for example, was developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), and is applied primarily with an auditing and accounting and finance lens. ISO 31000, on the other hand, provides guidelines on managing risk faced by all organisations, and can be applied to decision-making at all levels. There are also frameworks specifically for auditing, and cybersecurity application.
The elements of an ERM framework include strategy and objective-setting, risk identification, assessment and response, and monitoring. All these are bound together by the organisation’s culture and leadership. Having an ERM framework that works – and appropriately drives the firm’s ERM response – is the result of the right organisational culture and robust leadership. The framework will help to keep the firm’s ERM response consistent as it uses the framework structure to provide guidance throughout the organisation, manage complexity through accurate visualising and assessment of risk, defining roles and responsibilities and monitoring risk controls.
In addition to identifying and manipulating opportunities, ERM is intended to identify, understand and prepare the organisation for any danger, hazard or threat to its “business as usual” position. In doing so, it helps the organisation achieve its aims and objectives.
A fit-for-purpose framework will relay the necessary information at the material time, to support decision-making that affects the performance of the organisation. But the activities connected to the framework which make it effective, must be integrated into the firm’s strategy and be part of its performance. For instance, a risk assessment involves identifying, understanding and ranking risks that are of material concern to the firm.
This may raise the awareness of its importance throughout the organisation, and even among its various stakeholder groups. It reflects well on the ability and foresight of management, and increases the confidence of shareholders in the firm. The framework may be applied even when there is a change in personnel as it will ensure the continuity and sustainability of the organisation regardless of who holds what position. Stakeholders will come to realise that by setting objectives, developing strategies, constant engagement with different groups, gathering feedback and improving processes, management is able to increase the organisation’s value.
Developing an ERM framework that works for the organisation is not the easiest thing to do; neither is establishing an ERM system, but it is worthwhile because the framework is the foundation for keeping the business on track. Also, because ERM is gaining traction across the industrial board, companies which establish proper systems may be perceived as more competent and progressive. It is also worth considering that when identifying and assessing risk, such systems are able to identify opportunities in tandem. Not all risk is bad; some may present lucrative opportunities which could further increase the value of the organisation.
Correctly applied, ERM systems continually improve the way the business is run through minimising or mitigating the risks that confront the organisation. When risks are identified and assessed, they can be measured, and efforts can be made to minimise the damage they could inflict on the business. In the process of instituting ERM, the organisation is also continually realigning its operations and objectives with its strategy. This is an important component for all levels of the organisation to understand. The process of implementing ERM may not be an easy one for the firm; the better the understanding of staff and management for its need, the more smoothly it can be managed.
There should be open channels of communication and information during its implementation phases so that awareness of its benefits is heightened. It should be seen as a means of gaining both short and long-term competitive advantage through improved processes, i.e., integrating strategy with performance. In the course of selecting a framework and identifying what it should cover, the organisation may even discover more about itself as it looks more deeply into the risks it faces, how much it can tolerate, and how these can be mitigated. Frameworks are the guides that help organisations understand what they need to do.