When it comes to integrating Enterprise Risk Management (ERM) into decision-making, people who are managing risk and making decisions know it has to be done – but are not entirely clear about how it should be done in real-life situations. Acknowledging that companies today want more value from ERM, presenter Ramesh Pillai, Chairman of the IERP Board of Governors, pointed out that many in decision-making positions still equated risk management with having risk registers, but “Risk management is not about Risk Registers,” he emphasised. This topic, “How to integrate ERM into decision-making” was in the spotlight at a recent online Tea Talk.
The first step towards implementing effective ERM should be the harmonisation of the organisation’s goals and objectives. Ideally, each department, division, and unit needs its own vision and mission, and to align these with the vision and mission of the organisation. They need the proper strategies and processes for this, for clarity of purpose. When risks are identified, then mitigation plans can be identified in tandem. In the general scheme of things, risk registers are just one of the risk management tools available. Difficulties may also arise if risk practitioners are following the taxonomic, instead of objective-centric approach; the taxonomic approach is not considered current best practice.
From the outset, companies need to determine what they want to achieve, whether it is just to comply with regulations, or go beyond. Ramesh stressed that in the current pandemic situation, there was a need to anticipate not just the New Normal, but the Next Normal. “Transition depends on how we anticipate people’s needs,” he said. “ERM helps us anticipate, and adapt to resources and conditions.” Additionally, firms may be able to identify opportunities by correctly managing their risk; they need to pull all elements together to create an impact on performance. But even with the best intentions, no one has all the right answers, he cautioned.
Another reason that companies may not be able to achieve integration of ERM into decision-making may be that their boards are still inclined to traditional methods and are not as supportive of ERM as they need to be. This may also indicate that risk management professionals and the industry in general are not mature or proactive enough to push the ERM agenda. ERM should ideally be embedded in organisational processes to strengthen the company as this supports risk-informed decision-making that creates value for the firm. “Risk management is about the psychology of risk,” he said. “It’s about how people react to risk, and how to deal with risk to drive performance.”
In leveraging ERM as a strategic decision-making and planning tool, organisations should ask what main risk and opportunity events could affect the achievement of their business objectives, and how much impact these could have on their expected performance. He said that they should also determine if the estimated variation from expected performance was acceptable, and if it would be sustainable over the plan’s timeframe. Stressing that analysis was always more important than data, Ramesh urged risk practitioners to always question what they saw, and not take anything at face value. This supports strategic planning.
By integrating ERM into strategic business planning processes, management and the board are actually equipping themselves in advance for further discussion of key questions. Knowledge and understanding, although integral to the process, are not enough. Risk professionals need to undertake enhanced due diligence, often on their own, to be effective and to support risk management activities in creating value. “Risk management processes are there to help you,” Ramesh said. “Policies are guidance statements. The risk management team has to ensure that the enhanced due diligence processes are ready and available.”
The team also has to ask if the plan is robust enough, or too ambitious – because plans are needed for both failure and success. Evaluation and selection of strategic options must be applied; the organisation must understand its alternatives or options, in order to derive a better risk-return balance. ERM is a strong tool to support capital allocations based on risk-return consideration. Integration of ERM can facilitate the quantification of risk impacts on financial results. This boosts its value and helps the board and management develop and disclose the organisation’s risk-informed business plans. But is there really value in getting ERM into the decision-making process?
Definitely. It opens the organisation’s eyes to possible risks in the future, thereby reducing surprises and vulnerabilities. The board and management also develop a clearer understanding of the implications of the risks identified. By applying a risk-informed approach, the company can execute strategy in a more confident manner. ERM also improves senior leadership decision-making by strengthening the quantity and quality of the information available. “The role of ERM is not to minimise risk,” Ramesh pointed out. “The role of ERM is to optimise the risk-reward relationship.” Risk professionals need to strike a balance between the downsides and upsides of risk.
ERM frameworks are particularly helpful when it comes to decision-making, taking internal and external factors into account and fostering a risk-informed perspective. Risk identification, risk quantification, risk management and monitoring are all ERM tools for integration into decision-making. ERM enablers like methodologies, data and tools further support the risk-informed approach, allowing management and board to formulate the organisation’s risk profile and acceptable performance variability. “It’s the enablers that get you there, at the end of the day,” remarked Ramesh.
Likening ERM to a journey that is constantly evolving and dynamic, he said that there was no one-size-fits-all solution; ERM has to be tailored to fit the needs of individual organisations. The ultimate goal is to improve the organisation’s decision-making capabilities in order to achieve its objectives.
