Enterprise risk management (ERM) has become a big buzzword in business the past few years. However, corporate governance and compliance, which is how business executives utilize ERM, is really a traditional management function.

“What’s new about it is that there’s market interest and significant value associated with an enterprise that has implemented true ERM,” says Alyssa Martin, a partner in Risk Advisory Services at Weaver.

When an investment company is looking at an enterprise’s value, a consortium of banks are considering giving a syndicated loan, or companies are weighing a merger or acquisition, an ERM program increases the company’s intrinsic value, illustrating the sophistication of its corporate governance. An organization can also use ERM to improve internal decision making, promoting and instilling risk awareness within its culture.

Smart Business spoke with Martin about integrating ERM into strategic, business and financial management processes.

How does ERM differ from other methods of assessing and managing risk?

Risk assessment was more widely implemented during the regulatory increase and Sarbanes-Oxley wave, but companies often assess risks at the process level in silos.

ERM looks at risk across the entity, casting a wide net, incorporating the results of the risk assessment with integration practices throughout the organization. The first step is to perform an entity level risk assessment identifying the most critical risk categories and related events that influence the organization’s success. Then, you drill these risk considerations down into processes and functions.

An ERM program considers the business goals, objectives and strategies at all times, following these steps to monitor and manage risk on an ongoing basis:

  • Identify, assess and prioritize business risk.
  • Analyze key risks and current capabilities.
  • Determine strategies and new capabilities.
  • Develop and execute action plans and establish metrics.
  • Measure, monitor and report risk management performance.
  • Aggregate results and integrate them with the decision-making process.

An organization identifies the risk categories and specific risk events that have the most material influence, which are not necessarily the most common, for current operations and strategic initiatives. So, a domestic company that wants to grow internationally is changing its business condition and risk influences, and in turn, the management of related risks.

One of the advantages of ERM is that business leaders can move from managing negative events that have occurred to managing key risk indicators, which allows you to get in front of identified critical activities. For example, if a retailer that does 60 percent of its sales on credit monitors key risk indicators, such as U.S. consumer credit ratings and credit interest rates, it can modify business practices or promotional tactics before a credit freeze trickles down. Instead of offering customers no interest for one year, the retailer can offer no interest for six months.

Are many companies already following ERM?

Absolutely. ERM practices such as building internal controls, joint venturing with business partners or identifying regulatory requirements are already occurring within management functions. But an ERM program helps bolt decision-making and business tactics together to create cohesiveness within an organization, where everything is based on the same risk profile and agreed-upon risk tolerances.

With that said, companies must align the ERM program with their existing goals and strategies. This alignment is crucial. It ensures that program activities are not just new tasks but rather different ways of executing the tasks that may or may not include additional elements.

Where do companies fall short with ERM?

The most common mistake is thinking that entity level, enterprise-wide risk assessment equals ERM. That’s only the first step. Companies must use what they’ve learned through the assessment to put management tactics and monitoring into place.

An entity level risk assessment also does not instill a risk-awareness culture. Risk must become part of a company’s operations and decision-making processes through business planning, product development and regulatory compliance.

As an example, when considering performance evaluations, managers need to ask: Did you consider risk when you made that decision? Did you incorporate more anticipatory business planning versus reactionary planning? Risk management must become a component of the executive management’s responsibilities while ERM is integrated across the organization.

Alyssa G. Martin, CPA, MBA, is a partner, Risk Advisory Services, at Weaver. Reach her at (972) 448-6975 or alyssa.martin@weaver.com.

Insights Accounting is brought to you by Weaver

Published in Houston