What is Enterprise Risk Management (ERM)? Some have described it as the methodical application of an organisation’s management processes, policies and procedures to identify, assess, prioritise, treat and monitor its risks – and organisations need to do all this in order to achieve its business objectives. But what are the organisation’s risks? That depends on the respective organisation. Each organisation is unique when it comes to risk; even if they are operating in the same industry. This is primarily because of the character of the firm, which is made up of different employees, who bring various experiences and skillsets to their positions. Each one of these employees is individual and unique, and brings to the firm a personal and professional worldview that influences the way they work. And all of these, the culture and behaviour, shape and affect organisational risk.
Every organisation has to deal with risk; just being in business is a risk in itself. When it comes to describing what “Risk” actually means, however, there are several definitions. Risk is sometimes seen as the threat or probability that an action or event will adversely affect or benefit an organisation’s ability to achieve its objective. It may also be defined as the uncertainty of an event occurring that could have an impact on the achievement of the firm’s objective. Risk can also be defined as the probability or threat of damage, injury, liability, loss or other negative occurrence. Exposure to the consequences and impact of uncertainty also qualifies as risk, especially if there is the possibility of economic or financial loss, a change in regulations, physical damage or injury to people, or a delay in achieving the firm’s objectives.
One may ask, if risk is inevitable and unavoidable, why should companies care about managing it? Experience has shown that risk can be managed, and if it can be managed, its negative impact can be mitigated, and the damage it could cause, be decreased. Being able to limit this negative impact could increase a firm’s competitiveness and support its efforts at sustainability. The objective of business is to remain a going concern; thus, anything which helps its sustainability is always worthwhile. The business environment today is fiercely competitive; and is made more challenging with issues like terrorism, globalisation and money laundering. Stakeholders – not just shareholders – have started demanding greater accountability and transparency in the way businesses are run.
This has put pressure on Boards and senior management to perform to higher standards. Even so, there is no single pressing reason for organisations to look seriously at implementing ERM; rather, there are so many reasons that not implementing ERM may leave them at a serious disadvantage. Companies may only have needed to deal with challenging local conditions before, but today, their outlook needs to be global. Similarly, their risks and threats are global in nature. What happens in one small region in one country may have a devastating knock-on effect on industries on a totally different continent.
These uncertainties are further exacerbated by technology which is a double-edged sword: it can enable or disable, depending on how it is used. There is also the disruption that can be caused, deliberately or inadvertently, by the application of technology, which is an increasingly worrying factor for many companies that are scrambling to keep abreast of technological development while they juggle operational sustainability in an environment that grows more challenging by the day. But ERM goes beyond just standard preparedness. All processes that are involved in the development of ERM are geared towards helping the organisation achieve its objectives. This has multiple benefits.
Firstly, of course, the processes support the organisation’s growth in the awareness of its risks, allowing it to manage these effectively. ERM processes are ongoing; thus, they move the organisation towards constant improvement, helping it hone a competitive edge in parallel. These processes have a tendency to bring the organisation’s shortfalls to the surface, and identify potential hotspots. The firm can take evasive action in a timely manner, and not wait for disasters to happen, before putting in mitigative measures – by which time it is usually too late – instead of having to deal with the fallout of the event, which could be highly disruptive and costly in terms of finance and other resources.
Early detection will increase the control the organisation has over its risk, allowing it to manage its resources better. Developing an anticipation of threats and challenges can lead to better, more informed decision-making which in turn will contribute towards the company’s growth, sustainability and competitiveness. While it develops its anticipatory abilities, it will cultivate a viable risk appetite in tandem, enabling it to “work smart” when it comes to taking risks. Confidence in the business is likely to increase as well, as shareholders and stakeholders see the company being efficiently and responsibly managed.
It is worth noting that not all risk is negative. Although most organisations tend to avoid risk, believing that it is detrimental to business, risk can be something positive, as the higher the risk, the higher the returns are likely to be. How much risk an organisation is willing to take, will depend on its risk appetite – and this is something that ERM, properly applied, will help it realise and leverage upon.
