The Institute of Enterprise Risk Practitioners (IERP®) is the world’s first and leading certification institute for Enterprise Risk Management (ERM).

Image Alt

IERP® International Institute of Enterprise Risk Practitioners

  /  Articles   /  Get It Into The DNA: Possible Ways Of Embedding ERM In Organizational Culture

Get It Into The DNA: Possible Ways Of Embedding ERM In Organizational Culture

If there is one thing that the pandemic has taught us, it is the necessity of planning for unheralded, unanticipated emergencies. But if emergencies are unheralded and unanticipated (and, like the Covid-19 pandemic, unprecedented), how do you plan at all? One way is to be aware of the risks confronting the business. The more people who know this, the better it will be for the organisation. It is not just the responsibility of the Board or management to be cognisant of risks; employees have to understand these too. Even when the pandemic is just a dim memory, managing risk will still be necessary.

Develop a risk culture for everyone, long-term
Organisations therefore have to seriously consider ERM for long-term sustainability. Embedding ERM has to be done in tandem with the development of a risk culture within the organisation, and be supported by both management and employees, or efforts will fail. Developing a risk culture does more than create awareness among managers and employees. It ultimately develops a firm’s ability to share knowledge, operate with best practices and continuously improve processes – internal drivers that increase the value and competitiveness of the organisation.

Developing a risk culture – which includes the right behaviour and attitudes towards risk – is not an overnight process. It cannot be imposed on the organisation. Rather, the elements of risk culture have to develop organically, or the process of development cannot be sustained. Risk culture, at its core, is capable of binding together an organisation’s processes, procedures, networks, policies, mechanisms and frameworks. Because of its pervasiveness, getting risk culture right is pivotal to the organisation. While risk culture is expected to gain traction at the lower levels of an organisation, it is really the tone at the top which sets it in place for the rest of the firm to follow.

Risk culture and ERM
Because risk is about uncertainty and general emphasis is placed on how to mitigate its negative fallout, the organisation has to be proactive about identifying risk. Early identification will improve the firm’s chances of mitigating it more effectively and neutralising threats to the business. It can also identify possible opportunities. But both of these are dependent on the Board, management and employees of the organisation being able to recognise which is which. Appropriate awareness can be raised through the right training and ongoing education on risk, and the necessity of managing it throughout the organisation.

Ideally, every organisation should develop its own approach to enterprise risk management. There is no one-size-fits-all solution, but formulating something that works always starts with an honest assessment of the current situation of the firm, and what it can achieve with the resources at its disposal. Commit to having a risk culture; that means garnering support for it at all levels, from the Board room to the reception desk. Communicate that “this is the way we have to be” throughout the organisation, in no uncertain terms. Be clear about the direction to be taken but leave room for feedback, and ensure channels of communication remain open at all times.

Embed to create and protect value
Developing and sustaining a risk culture in an organisation is not a one-off exercise or a short-term project to educate human resources. It is a long-term commitment. Once the structures are in place for its development, employee behaviour has to be monitored to determine attitudes or perceptions which may indicate success or failure, or areas which require more attention. Every organisation will demonstrate its own peculiarities; adjustments must be made because culture deals with the human element, first and foremost. The risk management process has to enable, not encumber, the business. Processes and procedures therefore need to be simple, easy to implement and measure.

Risk culture is very much a focus of ERM because it is a major indicator of how robust the firm’s risk management policies are as well as how widely their risk management policies, processes and procedures are being adopted. As risk culture gains traction, employees will begin to better understand its value within the context of ERM. They will realise how risk management protects the value of the organisation, and can spur the creation of further value. Ethical behaviour, good corporate governance and transparency are integral to the establishment of a viable risk culture and successful implementation of ERM. Stakeholders are increasingly focusing on these elements and using them as a yardstick to measure corporate success.

Walk the talk
Properly implemented, ERM becomes the responsibility of everyone. As their understanding of risk culture develops and matures, employees will start considering the risk aspect of everything they do, and apply it when making decisions at their respective levels. It makes sense to integrate these risk-based decisions into the company’s strategy, policies and operations. Doing so will be both expedient and empowering, and hone employees’ sense of ownership of their responsibilities. They will start to feel a deeper sense of accountability and empowerment as they will be making decisions that affect them directly. It will also increase transparency and improve corporate governance.

But all this can happen only with careful planning, strategising and alignment with the organisation’s objectives. Checks and balances will need to be built in when the foundations are being laid, and proper measurements taken during implementation so that accurate assessments and fine-tuning can be made. Embedding anything in an organisation is never easy; it becomes doubly difficult when trying to embed culture which is all-pervasive yet intangible. Successfully embedding risk culture while developing and embedding ERM in an organisation, requires vision, and has to be led from the top. Board and management need to “walk the talk” before expecting anyone to follow.

If there is one thing that the pandemic has taught us, it is the necessity of planning for unheralded, unanticipated emergencies. But if emergencies are unheralded and unanticipated (and, like the Covid-19 pandemic, unprecedented), how do you plan at all? One way is to be aware of the risks confronting the business. The more people who know this, the better it will be for the organisation. It is not just the responsibility of the Board or management to be cognisant of risks; employees have to understand these too. Even when the pandemic is just a dim memory, managing risk will still be necessary.

Leave a comment

User registration

Reset Password