Simply having insurance to cover your property, employees and other potential liabilities used to be enough. In today’s global economy, companies are facing more than just fires and lawsuits. New threats include intangibles such as geopolitical instability, new regulations and legislation, supply chain interruption and more.
In the post-Sarbanes-Oxley world, where industries, the government and investors are taking closer looks at companies’ risk management processes, today’s businesses need to embrace enterprise risk management (ERM), a more holistic approach that addresses tangible and intangible threats to a business’s finances, operations and strategies, according to Chris Smith, senior vice president of Aon Risk Services Inc.
“Many organizations use ERM for compliance purposes, but rarely does a company use ERM to its full capacity,” says Smith.
Smart Business spoke to Smith about how a business can utilize ERM techniques to address risks in all areas of an organization.
Why is it necessary to employ ERM?
The biggest incentive for public companies to start seriously embedding ERM within their organizations is Standard & Poor’s upcoming plan to include ERM as part of a company’s credit rating. This will be used as one of the many criteria to evaluate companies with public debt. The inclusion of ERM in credit ratings makes sense when you consider how globalization has made the definition of ‘risk’ broader for companies.
What are the biggest risks businesses face?
Threats can happen for a number of reasons, including product recall, investor litigation, regulatory sanctions, supply chain interruption, competitive challenges, union unrest, political instability, financial fraud, pandemics or natural disasters. The major risks are things like:
- Damage to reputation
- Business interruption
- Third-party liability
- Distribution or supply chain failure
- Regulatory/legislative changes
- Failure to attract or retain staff
- Market risk
- Physical damage
- Failure of a disaster recovery plan
How does using ERM address these risks?
ERM is a process that helps a business understand the risks facing it and how those risks are interrelated. It can also be used to develop a plan to mitigate these risks should they happen. The blend of risks is unique to each business. The solutions on what to do when confronted with these risks are also exclusive to a company. For example, a business might have many different answers to a problem when a supply chain is disrupted in an overseas operation. It can opt to just monitor the situation until it changes, find new sources of materials, buy insurance, simply tolerate the risk or opt to close down that part of the business if the situation gets dire.
Who should oversee an ERM?
Many times, the executive sponsor is the CFO or the CEO. Larger companies may have a CRO, or chief risk officer. Some companies appoint board members to champion the process. Other times, it is the risk manager or internal auditor. However, the ERM process must be delegated by someone with a broader perspective — the higher up you get in the C-level, the better.
Before embarking on ERM, what do businesses need to consider?
Businesses can’t and shouldn’t try to implement an ERM strategy overnight. It is a slow process that needs to be realized in stages in order for it to be successfully embedded within a company’s culture. Some businesses already have some components of ERM in place but don’t have a formalized plan. A good starting point for formalizing the process is evaluating where you are in the ERM continuum and developing a process tailored to your company’s culture.
That said, there are certain commitments that must be in place before beginning:
- Personnel commitment. Senior management needs to be supportive of the ERM process and dedicated to ensuring staff activity and accountability.
- Collaborative effort commitment. If a business hires consultants to help guide ERM, there must be a collaborative environment with open and honest communication.
- Time commitment. ERM is a long-term process, not a project. Each organization will be different on how quickly ERM gets integrated into the culture, but measurable progress should be achieved at regular steps along the way.
What does ERM look like when it is fully embedded into an organization’s culture?
Generally, employees have an awareness of what the risks are and know how they must be managed. For example, a manager sees a business opportunity and presents the upsides to pursuing that opportunity. If that manager is ERM-savvy, he or she will look at the risks that may impact the opportunity, both on the upside and downside. While the new business venture might bring in revenue, what will it do to the reputation of the company’s existing brands? The key is for everyone to understand the big picture.