Risk management in uncertain times

In a climate rife with corporate bailouts and collapses, it’s easy to wonder, “Where is the risk management?” In some of these situations, risk was indeed recognised, but at some organisations, there was no forum or supportive culture for staff to voice their misgivings. Unheeded warnings and unquestioned momentum undermined existing risk mitigation efforts.

Companies with strong risk management programs are not only better equipped to weather an uncertain economy, they are better prepared to compete. There is no time like the present to rethink your company’s approach to enterprise risk management.

What is Enterprise Risk Management (ERM) and what can it do for you?

Risk is a reality of doing business and businesses must take risks to succeed. Risks arise from multiple angles — economic trends, political and regulatory factors, technological advances, demographic patterns, social or cultural changes and ecological concerns — but often, they are addressed unilaterally. One team may examine financial risk while a separate group manages IT risk, with neither one necessarily comparing notes.

ERM focuses on the strategic analysis of risk throughout an organisation, cutting across business units and departments, and considering end-to-end processes.

By focusing on enterprise-wide risk in a coordinated fashion, organisations are better equipped to prioritise the top risk drivers and are less likely to be distracted by lower-level risks. This comprehensive approach to risk oversight enables an organisation to align its risk appetite with its overall business strategy, deciding how much uncertainty is acceptable and how much could actually add value.

How to start

During belt-tightening times, it’s easy to dismiss any new process as an unnecessary overhead. Incremental steps to expand your risk universe to include strategic, reputation and operational risk can also add value by providing better risk information for better decision-making, and can increase the likelihood of accomplishing objectives while laying the groundwork for ERM.

When building an ERM process, you should:

  • Understand the company’s strategic objectives, operations, control environment and inherent risk. What could keep the company from achieving its business objectives? What opportunities are out there to achieve its objectives? In what ways might the organisation be too conservative about other risk areas?
  • Define the risk universe and risk language, e.g. risk appetite, risk tolerance and risk response (accept, avoid, share, mitigate)
  • Develop questions to gauge the current state of risk awareness (i.e. significance, likelihood and impact) through interviews, common risk attributes and industry knowledge
  • Conduct facilitated sessions to define the risk appetite, finalise the risk categories and rank the top 15 risks
  • Assign risk owners and create an action plan


Make ERM more effective

If your organisation has already set ERM in motion but hasn’t seen any benefits, there are numerous ways to make your system more effective. For ERM to work, it must be embraced by the board and senior management to establish a culture of risk awareness. A supportive ERM culture helps establish a “transparent” environment where people are willing to express their issues without fear of retribution. This is not possible without the CEO’s active and visible support.

Steps to ERM improvement:

  • Integrate strategic planning processes and risk assessment activities to take advantage of risk opportunities and consider risk variations across strategic goals. For example, how does the company manage procurement risk? Does the company utilise cross-functional, cross-geographical commodity teams to determine assurance of supply, calculate total cost of ownership and evaluate supplier performance and viability?
  • Develop practical risk response action plans and regularly report progress to the board
  • Reward risk ownership and effective risk management action plans


Risk is not static. Commit resources to periodically refresh the risk universe and risk priorities. Remember that ERM is an ongoing process; it is not a project with an end date. Don’t overcommit and underdeliver — implement ERM in manageable increments. Also, establish an executive risk oversight group that regularly reports key risk management information to the board of directors.

ERM pointers - Do:

  • Follow a framework like COSO’s Enterprise Risk Management – Integrated Framework or the Risk Management Standard 4360. Take advantage of ERM thought leadership already done for you
  • Name a risk champion who understands ERM’s importance and can dedicate ample time to its implementation
  • Reflect on how other industries can affect your organisation
  • Evaluate current, not just historic, data


ERM pointers - Don’t:

  • Underestimate the impact of the organisation’s existing culture
  • Undersell ERM as business risk assessment
  • Employ ERM as a defensive measure
  • Implement ERM as a part-time job
  • Forget high-impact, low-likelihood risk events – these are the ones which bring organisations undone
  • Take on too much too soon
  • Overcomplicate the process


Ultimately, the goal of ERM is not to eliminate risk but to help preserve and enhance value. ERM does this by arming organisations with comprehensive information; better risk information leads to better decision-making. In a global economy in which events in one sector can trigger a domino effect, organisations must take a proactive and comprehensive approach to managing risk. ERM provides an organisation with the opportunity to be an example, not a cautionary tale. 
 


Author: Peter Moloney, April 2009
