With Enterprise Risk Management becoming increasingly institutionalized, global best practices are continually under revision as international standards-setting bodies such as ISO or COSO seek to improve on ERM methods and guidelines. A core development in recent years has been the recognition that an objective-centric approach to ERM yields greater outcomes compared to the traditional taxonomy approach. At the same time, the constant evolution of ERM practices means that there is often a gap where organizations are slow to correct outdated methodologies – due to the complexity and resources required to change existing processes, structures, and culture.
Conventional risk management is based on taxonomies, which create an often inductive process for risk assessment. Risk is identified and aggregated into a static and ‘stable’ set of categories, then prioritized according to likelihood and impact. The limitation to this approach is that risk is not stable. While taxonomies allow for a certain level of customization across different business units, their success and efficiency is predicated on the use of a standard and somewhat rigid set of categories and shared language – ultimately ineffective for large corporations facing wide-ranging risk complexities.
1.Fostering Organizational Agility
Risk identification exercises are performed annually or semi-annually. While these exercises are useful as a way to track risk over the long term, they don’t contribute to organizational agility. An important part of ERM is the ongoing monitoring of risk, whereby decisions can be made or plans adjusted in accordance with new information or data. Limiting risk identification to a largely retrospective and irregular activity renders these exercises outdated as soon as they occur. In effect, taxonomies can often produce a disconnect between the management of risk and the actual activities and objectives that preserve or create value, resulting in organizations potentially losing out to their competitors.
With the taxonomy approach, risks are identified, managed, audited, or reported in a silo-ed manner, where the relevant business units deal with their own sets of risks, without much overlap or coordination. With the objective-centric approach, risk assessment is driven by the objectives set from the top, i.e. the Board and Senior Management, ensuring the integration of risk and strategy, as well as their alignment with the organization’s vision and mission. This approach allows for the management of the full range of risks faced by an organization, and for decision-making that is anchored by a comprehensive set of information.
2.Top-Driven Risk Management: Aligning with Strategy, Vision, and Mission
The objective-centric approach facilitates better integration of risk and strategy, and their alignment with the organization’s vision and mission. Deciding on a strategy, laying out a plan, and executing the strategy should be based on complete risk profiles.
Using an objectives-first risk assessment process helps with covering all your bases from the get-go. Creating a central foundation to work from, all levels of staff and business units can then align their areas of responsibilities in risk using a shared language as well as common overall goals. Of course, organizations and the relevant business units will have to ensure that all objectives are accounted for during the risk assessment.
An objective-centric approach promotes having a shared language enterprise-wide, and also allows for greater flexibility as the management of risk is centralized around objectives, rather than individual risk events. Ultimately, the shift towards an objective-centric approach to risk management will have to come from the CEO and Board of Directors.
3.Keeping Up with Best Practices
ISO 31000:2018 as well as COSO ERM:2017—the two commonly accepted global ERM standards—explicitly promote the use of objective-centric risk management. These standards provide the recognition that an effective ERM framework is also a decision-making tool for strategy, corporate governance, compliance, and business continuity management.
Having an objective-centric approach can allow management to move from merely value preservation and financial controls to supporting value creation activities. In essence, organizations have to move from structures that are biased towards risk-aversion and compliance, and towards an ERM framework that can recognize risk as opportunity.
