For many executives, their eyes glaze over and their minds wander to other, more pressing, issues when the topic of enterprise risk management (ERM) is broached.
Yet the topic is getting considerable attention these days from regulatory bodies and many of the world’s most successful companies. So where’s the disconnect?
“Risk management practices have been around as long as businesses have been around,” says Ted Flom, member in charge, Risk Advisory Services, Brown Smith Wallace, St. Louis, Mo. “But as businesses have grown and the world has become more interconnected, risk management approaches need to evolve. While many companies are already ‘doing risk management,’ there are typically opportunities to enhance longstanding approaches and elevate the discussion in order to keep up with today’s business environment. Companies with a solid understanding of and approach to risk, and how it affects the whole organization, are more successful, more profitable and ultimately better able to manage through difficult times like a recession.”
ERM focuses on developing thoughtful strategies that address risks in a variety of areas, including strategy, finance, operations and technology. While it is not a new concept, it is an evolved way of approaching risk management, where a company proactively looks at risk from the strategic, enterprise level, versus taking a siloed approach. ERM acknowledges that risk is not good or bad, but rather that it needs to be recognized and understood so a company can most effectively prepare and react.
Smart Business spoke with Flom about ERM and how companies can implement some simple risk management principles in their organizations.
What is enterprise risk management, and how is it different from what companies have done in the past?
ERM is a continuous process that seeks to identify, analyze, mitigate and monitor potential events that create uncertainty about the achievement of a company’s objectives. An effective, integrated ERM program can help an organization identify and take action on risks that may be affecting the achievement of its core strategic objectives.
ERM should align with a company’s goals and objectives. It’s more than just a program or process: It’s a cultural shift. ERM should approach risk from a wide-angle view of a company, rather than homing in on specific activities or areas. ERM is becoming not just a way of managing risk but also a way of doing business.
Why should companies consider adopting ERM?
In 2010, the Corporate Executive Board Co. conducted an analysis of the root causes underlying market capitalization declines of 50 percent or more in a single year. This analysis found that more than 80 percent of these significant declines were tied to strategic and operational risks. The potential consequences of these risks are considerable and highlight the need for comprehensive ERM programs.
No one likes surprises, especially ones that overturn your market share or competitive advantage. ERM takes into account silo risks, such as IT systems security or finance department checks and balances, and integrates them into the big picture of the business and its long-term goals and objectives. A company that has this comprehensive understanding of risk is likely to be less volatile and more successful in the long run.
What benefits can a company realize through ERM?
Companies that understand their risks have a greater ability to prevent or react to events that can impact goals and objectives. Ultimately, this can translate into less volatility and a competitive edge. A good grasp of risk can also open up a company’s perspective on opportunities it may want to pursue.
ERM enables management and the board to have a more consistent view of and approach to risk. Management and the board often have different perspectives on a company’s most important risks, such as implications of a disaster or a business disruption.
Often, a company’s ability to respond is not truly understood until an event such as a tornado or earthquake occurs. Considering that 50 percent of companies experiencing a major disruption or disaster are out of business within five years, a company’s preparedness can make all the difference.
How can a company begin implementing ERM?
Several recognized frameworks can be leveraged when considering ERM. COSO’s ‘Enterprise Risk Management — Integrated Framework’ and ISO 31000 ‘Risk management — Principles and guidelines’ are widely recognized information sources and good places to start.
Start small to get a feel for what ERM is, its benefits, and what it can and should be. Most companies start by doing a risk assessment and then deciding what to do with the results — e.g., which risks should be focused on, where and how should discussion occur on those risks, and who is responsible for monitoring this information and keeping it relevant.
A successful ERM program should be customized to integrate into a company’s existing organizational framework and culture, as opposed to being set up and managed as a standalone program.
What kind of culture shift can occur when ERM practices are adopted?
Ultimately, a company should seek to be more aware of risk at all levels, and to make decisions and set goals utilizing that understanding. ERM helps make risk part of the everyday agenda; it’s a way to bake it into the culture. That is when you begin to see the real benefits.
Risk management then becomes less bureaucratic, less resource intensive and more focused on implementing strategies that help a company reach its long-term goals.
Ted Flom is member in charge of Risk Advisory Services at Brown Smith Wallace, St. Louis, Mo. Reach him at (314) 983-1294 or TFlom@bswllc.com.