Demystifying enterprise wide risk management

There are those who shudder at the mere mention of the word ‘risk’, or, worse still, view risk and its management as something that applies only to large organisations with sophisticated systems.

The reality is that risk is present in every business.

A risk is defined as the effect of uncertainty (either positive or negative) on a business’ objectives. Viewed from this perspective, it is undeniable that risk management affects all businesses, whether large or small. Moreover, it is intrinsically connected to a business’ strategy and to its ultimate success or failure.

Whose responsibility is risk management?

Risk has traditionally been viewed as something to be addressed by only a few key individuals in a particular area. Once risk is understood as anything that affects the objectives of a business, however, it is clear that it touches every function and operation of that business.

Put simply, the identification and effective management of risk is everyone’s responsibility.

Adopting an enterprise-wide risk management (ERM) approach ensures that everyone in an organisation takes risk management seriously. It promotes structure, process and a level of conformance within the organisation to ensure that risk is approached systematically and continually reviewed.

What is ERM?

ERM involves taking a proactive, holistic view of a business’ risks across every level and business unit. An effective ERM model is tied directly to the business’ strategy and specific objectives. It involves defining the business’ appetite and tolerance for risk and identifying the key areas of uncertainty that could affect the objectives of each business unit.

Under an ERM model, risk is not the concern of one individual or group of individuals; it is the responsibility of all, as shown in the table below.


Function: Board of Directors & CEO
Responsibilities:
  • To be ultimately accountable for all risks.
  • To periodically review risk management practices and related policies.

Function: Senior management
Responsibilities:
  • To design, implement and maintain an effective risk management framework.
  • To develop policies and procedures.
  • To establish and monitor the risk appetite and report regularly to the board of directors.
  • To promote a risk-aware culture.

Function: Business units
Responsibilities:
  • To identify, assess, measure, monitor, control and report risks to senior management.
  • To manage relevant risks within the framework established by senior management.
  • To ensure compliance with policies and procedures.

Function: Support functions (i.e. Legal, HR, IT, etc.)
Responsibilities:
  • To support business units in developing and enforcing policies and procedures.

Function: Internal Audit & Compliance
Responsibilities:
  • To monitor and provide independent assurance of the effectiveness of the framework.

Function: Risk management personnel
Responsibilities:
  • To coordinate the establishment of the framework and provide risk management expertise.


ERM as a tool for growth

Risk in itself is not bad: negative consequences arise when it is mismanaged, misunderstood or mispriced. When fully embraced, risk, and a programme for managing it, can create opportunities to grow and to add value.

The greatest benefit of implementing an ERM approach is the way in which it aligns every function of the business with the same objective – the organisation’s business strategy.

A business with a well-established ERM model could expect the following benefits:

  • Clarity around the transactional aspects of an organisation’s risk management programme.
  • A reduction in overall costs.
  • Improved decision-making and greater comfort at Board level.
  • Improved communication, since ERM forces divisions and people to talk to one another and helps to break down silos. This contributes to a better understanding of risk overall and eases the flow of information to senior management and the Board.