ENTERPRISE RISK MANAGEMENT–EXPECT THE UNEXPECTED
Whenever I hear the word “ENTERPRISE” It always reminds me of the U.S.S. Enterprise the space ship on the Startrek series we use to watch as kids on Saturday mornings.
The actual meaning of Enterprise is 1. A project or undertaking that is especially difficult, complicated or risky 2. Readiness to engage in daring or difficult action. So I think the creators of Startrek appropriately named their ship the Enterprise. What could be more difficult or daring than to explore outer space? The same could also be said about the creators of ERM.
I decided ERM would be my next topic from comments and feedback I had received from my previous blog “Managing Net Income Loss Exposures.” What I heard from readers is, how do I manage all the risks facing my business without hurting the bottom line or going crazy trying to do it?
The answer is having an Enterprise Risk Management system. ERM is an organized approach that allows an organization to manage all of its risks, threats and to exploit opportunities that may present themselves.
Traditional Risk Management deals with hazard and operational risk which are called pure risk that is risks that can be covered by insurance to compensate for the loss. ERM includes the risk categories in Traditional Risk Management plus financial and strategic risk, known as speculative risk.
ERM’s goal is to improve an organizations strategic management decision making, by gathering and analysing key information to enhance executive decisions. An ERM system should have an Economic Intelligence and Business Intelligence aspect to gather data pertinent to your business, industry and geographical location.
Why should you adopt an Enterprise Risk Management System?
1. Higher Profits: Using ERM allows an organization to make better strategic decisions at all levels of the organization, which improves efficiency and profits.
2. Enhanced Organizational Decision Making: ERM enables an organization to manage all of its risks and determine the most beneficial solution and to seek out opportunities that will improve profits.
3. Increases the Chances of Attaining Your Strategic Goals: ERM involves all of the organization becoming active in achieving the strategic goals as opposed to just managers and executives.
4. Reduces Financial Volatility: By identifying risks and opportunities in advance, it allows organizations to determine their cash flow needs to ensure there is adequate capital available.
5. Better Risk Management Communication: By making ERM a team approach with all employees it empowers them to identify obstacles that may prevent the organization from achieving its goals and to communicate the risks to the risk owner.
6. Improved Management Agreement: ERM provides management with the information necessary to make informed decisions based on the upside and downside of risk and creates a decision making process based on facts instead of the top down management approach.
7. Broader Stakeholder Acceptance: ERM becomes the glue that holds the pieces together and creates a culture of cooperation within the management ranks that then instills confidence in the employees, customers, and investors.
ERM is not just for business, it offers the same benefits to all levels of government and non-profits.
So why is there so many organizations that don’t have some kind of an ERM program?
One of the reasons I hear a lot is it is too complicated or will take up to much of our time. Yes there are many moving parts in the ERM process but it only has to be as in-depth as you want it and you can start small and build on it over time.
So How Do You Integrate ERM Into The Strategic Management Process?
By following a risk management process organizations can adopt an ERM program into their strategic plan.
A. Develop ERM Goals: The Board would develop the goals they want to achieve such as the risk appetite, reasons for establishing an ERM program, the organizations need for a ERM program, the scope of the program, the expectations of how the program will help to meet their strategic goals and how the culture of the organization will affect the implementation of the ERM.
B. Identify Risks to The Organization: This step will divulge a large number of risks, it is then necessary for the organization to assess and evaluate these risks to narrow down the field to identify those with the highest severity and frequency.
C. Analyze Critical Risk: The board will then examine internal and external threats to the organizations strategic plan. The threats are identified by noting events that can compromise the organization and changes that could be potential opportunities. Areas to review are competition, demographics, the economy, regulatory and technology.
D. Select the Appropriate Response: This would be to avoid the risk, to accept the risk, transfer the risk to a third party such as an insurance company and mitigate the risk, by taking appropriate measures to reduce the frequency or severity of the risk. Lastly, you can exploit the risk by taking advantage of the risk to maximize profits.
E. Monitor the Risk: Risks to the organization must be monitored by following events, trends and red flags.
To help in the design of the program, there are a number of Risk Management Frameworks to act as a template to develop your ERM. Such as the ISO 31000, BS 31100, COSO, and AS/NZS, it is my experience and observations that most organizations pick one as a template and adapt them to their own organizational requirements.
ERM can be a large undertaking or it can be as simple as you want it. ERM uses a lot of analytical tools such as the Exposure Spaces Model, SWOT Analysis (Strengths, Weaknesses Opportunities & Threats), and Performance Management Score Cards to name a few. I encourage every organization to conduct a SWOT analysis. Or you can keep it simple and talk to your managers and identify the number one risk facing your organization and start with that.
Regardless of how you approach it, the most important thing is to get started. Implementing an ERM program for your organization will truly pay dividends for years to come. I have been told that the actual ERM process itself has benefited the organization. By increasing the awareness of risk in the organization, helping various departments identify and break down data silos, improve communication between the various departments and divisions and to enhance the reputation of management in the employees eyes.
One HR Director even told me that it helped improve their working relationship with their union. I think they actually found some common ground. By identifying risks and opportunities it would preserve existing jobs and create new ones. Disclaimer; There is no guarantee ERM will improve your relationship with your unions. (My lame attempt at humour)
We have looked at what is ERM, how your organization will benefit by implementing it and basic steps to get started. I want to just point out a few tips to help you get started on your Enterprise.
1. Try and get the CEO and Board Approval: It helps to have the CEO on board for many reasons, sometimes you have to put on your sales hat and convince them. Having them onboard will help sell it to the organization and provide necessary human and financial resources. If you can’t then you could still implement it into your own department or division.
2. Start Small and Think Big: A work breakdown schedule allows you to take a big project and break it down into smaller pieces. Find a manager or department that is having problems and is desperate for help. Once you help resolve the problem you will get some credit for it and hopefully be noticed by senior management.
3. Keep It Simple: Don’t worry about ERM terminology and advanced analytical techniques. Focus on a single risk and ask what if questions, and cause and effect relationships. Because your managers work around this every day, they will be the experts on the risks and their cause and effects. Then you can determine an appropriate risk mitigation strategy.
4. Monitor the Plan: Like any good plan it needs to be monitored to ensure it is working and to tweak certain areas to adapt to changes. If you have an Internal Audit Department then they would be a great choice to monitor the program. Internal Auditors are very knowledgeable about their organizations because they are familiar with all departments and divisions.
So if your organization has any kind of a strategic management planning process, which most organizations do, then I recommend that you set up an ERM program. The tangible and intangible results will be worth it. It allows you to plan for uncertainties and benefit from opportunities that may not have presented itself without ERM.
If I may quote a line from the movie Field of Dreams “If You Build It They Will Come.” Meaning if you start small and identify the most urgent risk to your organization and help mitigate that risk. People will notice and you can build on that foundation. Then one day when you are presenting to the Board of Directors your ERM update on how the program identified critical risks early on and discovered an exceptional opportunity for the company. After you have finished the presentation and you’re walking out the boardroom door, maybe, just maybe the CEO will turn to you and say “Hey Rookie You Were Good.” I love that movie!