What Can You Expect from Future ERM Models and Frameworks
What is Enterprise Risk Management (ERM), and what are organisations looking for when they implement it? ERM may be described as methods of risk management that are applied to identify and mitigate risks faced by the entity (or enterprise). By applying the principles of ERM and its tools, users hope to identify the obstacles to achieving their objectives, and put in place the appropriate checks and balances that will allow them to succeed in business. ERM is all about opportunity, managing risk, achieving objectives, improving decision-making and achieving an optimum level of agility, resilience and sustainability for the organisation.
But the economic environment today is challenging, and risks may change frequently, often without warning. ERM therefore has to have the appropriate flexibility to accommodate these dynamics. Its framework has to help organisations assess and mitigate potential risks. Frameworks may vary by industry, but most include roles and responsibilities, guidelines for risk identification, mitigation strategies, monitoring and reporting, and relevant feedback mechanisms. The two most frequently used are the ISO 31000 guidelines and the COSO Framework. The COSO Framework originated, and is used mostly, in the US.
ISO 31000, on the other hand, is a set of international guidelines issued in 2009 by the International Organization for Standardization (ISO) to serve as a guide for the design, implementation and maintenance of risk management. It is a systematic, logical process of risk management, effected through identifying and analysing risk, then determining its treatment.
It provides a level of assurance of the firm’s economic resilience, professional reputation and environmental and safety outcomes. But ISO 31000 itself evolved from AS/NZS 4360, the first known standard for enterprise risk management, published by Standards Australia and Standards New Zealand. AS/NZS 4360 was issued in 1995, then revised and reissued in 1999 and 2004. It then became the basis of ISO 31000, which was first published in 2009. The team which put AS/NZS 4360 together came from diverse backgrounds and industries and was not limited to representatives from the financial, auditing, banking or insurance sectors.
The standard was thus very broad-based and accommodating of businesses across industries; AS/NZS 4360 could be applied to the public sector, the environment, business continuity management and healthcare. The 1999 version of the standard introduced the Communicate & Consult principle. Subsequently, in its third iteration, AS/NZS 4360 formally adopted the term ‘risk assessment’ and deleted a number of explanatory appendixes because these were seen as hampering rather than helping businesses in their ERM efforts. What all this demonstrates is that ERM models and frameworks are not static, and have to undergo a continuous process of refinement.
They also need to be flexible, in order to accommodate the ever-changing needs of businesses with regard to risk, and the evolution and severity of the risks which challenge them. This is what happened with ISO 31000:2018; it became shorter, clearer and more concise, to better help firms use risk management principles to improve planning and make better decisions. Among the main changes were its focus on top management leadership to drive the integration of risk management into all organisational activities, and greater emphasis on incorporating new experiences, knowledge and analysis when revising processes.
The feedback from users – in a diverse range of industries – over the years is what has helped shape subsequent iterations of the standard. Firms will generally want to create and protect their value, drive growth and profitability, comply with regulations, and avoid bad publicity. They will also want to avoid unpleasant surprises and negative events like cyberattacks which disrupt services to customers. Organisations also need to constantly strive to find ways of optimising resources to sustain growth and remain competitive. They have come to realise that risks have company-wide repercussions, hence the need for integrated frameworks and systems.
Businesses are becoming more complex; firms are entering new, unfamiliar markets, establishing overseas subsidiaries and engaging with different cultures. They will look for ERM frameworks that are simultaneously scalable and acceptable across borders, preferably recognised and benchmarked internationally – and easy to apply. So what can be expected of future ERM models and frameworks? Besides flexibility, adaptability and scalability, more ‘issues of the day’ such as gender diversity, inclusiveness, human and cultural factors are likely to become more prominent, reflecting societal trends and aspirations, as well as the need for stricter governance.
Although it has been a painful experience, the Covid-19 pandemic has taught valuable lessons, which are likely to be incorporated into future frameworks. Stemming from this, there will be increased emphasis on uncertainty, and efforts at greater transparency in decision-making. “Future readiness” may receive more attention, in view of the disruption brought about by the pandemic; future models and frameworks may also stress more concertedly the necessity of cultivating more robust and discerning risk cultures, and making these a more integral part of organisational processes. They may also do more to empower stakeholders’ efforts to improve the organisation.