Trying to avoid all risk in business is the same as trying to avoid all opportunity. Simply reacting to risk, meanwhile, is just crisis management: shutting the barn door after the horses are gone.
How can we do better at keeping our businesses safe? Enterprise risk management (ERM) is an ongoing process designed to manage all risks within an organization and perhaps can be defined as:
“A process, effected by an organization’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the company, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of the organization’s objectives.”
It is important to establish an ERM Framework because it enables an organization to gain a clear view of its overall risk level. Identified below are the steps that we think need to be taken to establish a workable ERM Framework:
1. Create a Common Language around Risk – common terminology will facilitate communication across business units.
2. Establish a Risk Management Steering Committee – to provide oversight of the implementation of the ERM Framework.
3. Define Roles and Responsibilities – these must be clearly defined and understood throughout the organization.
4. Develop a Methodology for the ERM Framework – this should include clear procedures for risk identification, assessment, measurement, mitigation, monitoring, and reporting.
5. Implement Risk Appetite Statements – these should clearly outline the firm’s capacity to take risk and its tolerance for potential loss, and be reviewed regularly.
6. Risk Identification – use a risk matrix to identify applicable risks, inherent risk levels, quality of internal controls, and residual risk levels.
7. Risk Prioritization – prioritize key risks based on the residual risk levels and set risk mitigation plans.
8. Risk Mitigation Plans – take a risk-based approach to address the areas with the greatest control weaknesses and largest potential for loss.
9. Reporting and Monitoring – key risks that have been identified must be monitored and periodically reported to senior management and the board of directors.
An effective ERM Framework will:
• Allow an organization to gain a clear picture of its overall exposure to risk
• Improve organization-wide understanding of risks and controls
• Reduce operational losses
• Improve the deployment of capital
• Align risk appetite and strategy
• Facilitate board and senior management oversight
• Break down silos between departments and across all risks
• Result in a more efficient use of resources
• Improve regulator, rating agency, and shareholder perception
• Enhance internal control
• Promote a culture of risk awareness
After considering the benefits of implementing an ERM Framework, it is surprising to see that only 36% of institutions participating in Deloitte’s Global Risk Management Survey had an ERM program in place, even though 72% reported that the benefits of ERM outweigh the costs.
Playing fast and loose with risk in your organization is not a recipe for success, and the cost of getting it wrong can be significant. Establishing an effective ERM framework creates sustainability and identifies opportunities for growth.