what is enterprise risk management?

If you are the leader of a large organisation, there are probably many different kinds of activities going on, supporting a diversity of product and service types. Some will be well established, mature offerings, moving all the way through to recently launched, or even prototype offerings where teething troubles are being evaluated. Your organisation has to be able to support legacy systems as well as doing the research and development to refine innovative methods and technologies. You will have core markets and emerging markets. As the leader of the organisation, you know you have to support traditional distribution channels as well as direct, online channels. That creates some conflicts which can’t be ignored. In the past, you knew that sales were correlated strongly with product quality. Now you know that with increasing scale and the global reach of an internet presence, you increasingly have to master brand discipline and be hyper-reactive to reputational risks as well.

Alongside your organisation’s growth, you’ve found yourself increasingly exposed to regulatory control in different countries. Your supply chain has become much more stretched out than it used to be as you have embraced just-in-time manufacturing and the benefits of globalisation in trade. You employ specialists who can negotiate in Cantonese and you find it harder to trust people than when you started out 40 years ago. Your share price has tripled in the last 15 years but you have to work hard to make sure that the right messages get through to investors. If anything goes wrong there, the cost of your borrowing can quickly go up and in this period of growth, you are very aware that liquidity risk needs constant attention.

You feel responsible for your thousands of employees. You used to know everyone by name in the old days. That’s impossible now, but you still have the sense that you are the one that feeds all those families, pays their rent and mortgages, and dresses their kids through the wages you pay. Keeping staff happy is not as easy as it used to be. Everyone wants better benefits and working conditions, but these can also make people feel complacent. Your competitors don’t relax; they’re always pushing, fighting, challenging your position. They’re smaller, so they can be more agile. You often wonder if it would make sense to split the company into different, leaner businesses. Sometimes you need to keep staff on their toes so they perform better; it’s a tricky balance. Get it wrong and it damages the brand, sales go down, investors step back, cash gets squeezed, regulators start to pay more attention and, before you know it, someone is turning all the lights off. Strategy is hard. Risks are harder.

(in-) effective management of risk

We’ve told a little story here that condenses some of the typical day-to-day risks that might be going on in a fictional business leader’s life. Before Enterprise Risk Management (ERM) was raised as a concept in the corporate world, the approach to risk management was fragmented and disjointed, taken seriously in some parts of the business whilst completely ignored in others. The leaders of the organisation might have had some assurance that key risks were being handled, but they likely had growing doubts that the overall management of risk was effective. In the early 1990s, a growing consensus emerged that if an organisation was to be reliable, stable and consistent (in a way that was befitting for publicly traded businesses), then risk management processes had to be performed more coherently, in a structured manner. Similar attempts had been seen in the world of accounting to codify and standardise practices, greatly reducing the scope for “creative accounting”, which frequently enriched board members and senior management at the expense of investors.

Case studies revealed that even small, seemingly unimportant risks had a way of spiralling out of control, doing real damage to an organisation. Investors don’t like bad surprises like this. Top management needed a way to identify risks across the whole range of business activities, both those within their internal control and those coming from external sources, and to see how these combined risk exposures related to one another. This unified view of risk would allow management to take a top-down view. Risks could be decided upon strategically instead of tactically. Risks could be balanced across a portfolio, instead of potentially ruinous imbalances being created in isolation and never identified until too late.

“Enterprise Risk Management has the ability to bring specialist areas of risk management all into one reporting domain”

Risk could be managed as a competitive advantage because it would give top management the tools to express risk appetite – a deliberation of the amount of risk they were willing to take in order to pursue their objectives. The idea was that in looking at risks collectively, they could be managed as a whole. It’s the same reason why parents insist that Lego blocks go back in the buckets each night, rather than simply letting bits of plastic be distributed everywhere around the house. Effective management of risk requires gathering information, so that collective analysis, decision-making and coordination of response become possible. The basic premise of ERM programmes is that they raise the standard of risk-managing activities from the established best-practice silos to the whole of the organisation.

erm is the standard, whatever that means.

The first really big attempt to write down how ERM should be done was by the Committee of Sponsoring Organizations of the Treadway Commission (a US accounting body initiative to combat corporate fraud), often known as COSO for short. In 2004, on the back of large corporate scandals like Enron, WorldCom, Tyco etc., the Sarbanes-Oxley laws were passed in the US. COSO’s “Enterprise Risk Management – Integrated Framework” set out an ERM process that relied heavily on internal controls to manage risks that were predominantly measured using financial instruments. To put it more bluntly, the framework saw all risk as money related, and therefore all the risk responses were about controlling money. It went down well with financial institutions but left many organisations in other sectors struggling to implement it.

In 2009 the International Standards Organization released ISO 31000, the international standard for risk management. This was a deliberately lightweight document, based on general principles that could be applied flexibly in any industry or setting. It set out a short, cyclical process for risk assessment and risk treatment (we have omitted several steps), so that it would be simple to incorporate into new ERM frameworks.

Enterprise Risk Management has the ability to bring specialist areas of risk management such as insurance, cybersecurity, financial risk, reputational risk, operational risk, technology lifecycle management, legal risk, personnel risk, fraud, business continuity management, regulatory and government affairs risk etc., all into one reporting domain. Top management should be presented with insights about how these different kinds of risk are related to one another, so that the underlying threats can be managed consistently. The output should, of course, be increasingly effective Enterprise Risk Management.

No tool fixes every problem, and tools can be badly used. Enterprise Risk Management is no different. For all of the ideals that ERM should in theory achieve, these are offset by poor implementation or weak top management support. In our experience, we see many Chief Risk Officers attempting to strengthen their organisation’s risk-managing capabilities through an almost obsessional focus on tweaking the rules within their ERM frameworks and policies. However, regulators are increasingly pointing to risk culture as a critical factor in ERM effectiveness. Instead of Enterprise Risk Management having a compliance orientation, where the focus is adhering to static rules, many organisations benefit from shaping the knowledge, skills and attitudes of their staff. A positive risk culture approach places much more emphasis on empowering staff to respond quickly to risk dynamics: recognising changing patterns of risk and making timely, deft changes.

ERM has come a long way since it was first conceived as a means of ensuring reliable and stable financial reporting, but it still has a long way to go to fulfil all its potential.
