The many ongoing risks that businesses face daily extend well beyond organizational risk and market risk to include a much longer set of risks that can be derived from both internal and external forces. And once one specific risk has surfaced, it tends to have the domino effect of multiplying the probability of the occurrence of additional risks. Below is a set of enterprise risks that an organization must be cognizant of and be ready to face at any given time.
Mapping Enterprise Risk
For example, the financial world is a prime space for fraudulent activities, including cybercrime, money laundering, trafficking and corruption. The number of villains who commit these activities is growing as is their ability to break through security barriers. As such, technology providers and financial institutions are forced to continuously evolve and upgrade to predict and mitigate future breaches.
These illegal activities could put many businesses at risk, particularly if they are using manual processes. But implementing application service providers (ASPs) such as cloud computing or Software as a Service (SaaS) doesn’t eliminate IT risk, as some systems may be outdated and, thus, vulnerable.
In today’s era of high-speed digital computing, businesses of all sizes need technologies and systems that enable consistent risk management assessment, monitoring and transparency. Lacking these capabilities makes it challenging to operate legally, ethically and in compliance with a vast network of ever-changing regulations. Only with them will a business be able to gain and maintain the loyalty and trust of all its constituents: not only customers, but employees, partners, stakeholders, vendors and the communities in which the business operates.
This is where enterprise risk management (ERM) becomes essential. ERM is the process of planning, structuring, supervising and controlling all activities within an organization with the goal of minimizing the adverse effects of risk on its earnings and capital. ERM addresses risk holistically to include financial, strategic and operational risks as well as risks associated with accidental loss and idiosyncratic risks.
The Benefits of ERM
The goal of ERM is to evaluate total returns relative to total risks, leading to more informed business decisions. Employing ERM tools is essential to all enterprises and businesses as they discover, manage, control and mitigate risks in addition to providing the following benefits.
- Transparency: ERM is increasingly fueled by external factors. Governmental bodies, investors and the industry in which a business operates are more closely scrutinizing the risk management policies and procedures of businesses of all kinds. Boards of directors today are required to review and report on the adequacy of risk management policies and procedures in their organizations in a timely and transparent manner.
- Increase Customer Base and Volume: Customers are more likely to do or increase business with a company when they trust them.
- Cost of Non-Compliance: Companies can reduce or avoid the costs associated with non-compliance, including fees, penalties, legal costs and regulatory fines as well as time and opportunity costs. Neglecting to invest in compliance today may result in paying a sizable price tomorrow.
- Recipe for Success: Technology solutions can help a business succeed, even when dealing with limited resources and human capital.
- Increase Awareness: The right ERM tools can increase awareness of business risks across all divisions and levels of an organization. These tools can improve compliance with regulatory and internal mandates, instill confidence in strategic objectives, and enhance operational efficiency through consistent and widespread application of processes and controls.
- Proactive Versus Reactive: ERM helps organizations by shifting their corporate culture from a focus on meeting IT compliance obligations to targeting holistic risk reduction. Such a change in focus relies heavily on the security of the entire organization and shifts risk management from a reactive to a proactive approach.
Identifying and Understanding Risk
Before an organization implements a strategic ERM program, it should first have instilled some well-established practices. Examples include:
- Governance: A model addressing senior management, compliance, IT, operations and organizational elements such as security, risk, legal and other areas affecting stakeholders.
- Risk Strategy: Procedures that incorporate internal policies and standards for all security and risk concerns as well as operationally focused areas such as system configuration.
- External Risk Assessment: The ability to see all risks, threats and vulnerabilities that can potentially influence the risks to the enterprise and its assets.
Choosing an ERM Program
Once the above practices have been established in some form, it’s time to choose an ERM program, first by determining what would best fit within the enterprise, based on a set of factors, as follows:
- The internal environment
- Objective setting
- Risk identification
- Risk assessment
- Risk response
- Control activities
- Information and communication
- The roles of the board of directors and the management team
- Common risk failures
- Investing, trading, hedging and cash management activities
The tool most commonly used for obtaining the above information is an ERM questionnaire to be filled out by company executives. Some common questions might include:
- How do internal and external forces impact the risk profile?
- How are risks monitored and reported within the organization?
- What communication barriers are present within the organization?
An ERM program expands upon these building blocks to address both the internal and external risks of the organization. A risk management model continuously evolves as economies, the environment, legislation and competition change, making it dynamic rather than static in nature. It is a work-in-progress that continuously develops, grows and evolves. Senior management, with input from all levels and departments, should regularly revisit, monitor, revise and update the program.
Once an ERM program is selected and employees are trained on how to best utilize it, it’s important to continuously stay current on ERM issues within the industry and, more broadly, to ensure that the organization is informed and ready to confront new risks early and head-on.
An ERM Knowledge Hub
Being informed, educated and up to date on all aspects of ERM means having the ERM tools, data and information readily available and accessible. The subject matter should be easy to search, query, navigate and understand. It's not idealistic to think that all this information can be obtained on just one platform or source, without having to access multiple journals, articles, texts, and websites or travel to conferences or presentations. A central hub of data and information should include the following:
Newsletters: Frequent and timely newsletters may include such topics as the importance of a risk-informed perspective and key components of a risk-informed approach.
Guides: ERM guides should provide leading practices related to improving an organization’s ERM program. Guides can provide customary risk assessment ERM templates with well-defined scenarios evaluated by severity and likelihood, resulting in a risk or heat map where key risks are prioritized. Critical risks are further analyzed by sources and outcomes, thus allowing the business to better identify, prioritize and plan for risk.
Articles: Staying up to date requires a steady flow of articles discussing current ERM issues. They should help provide a bird’s-eye view of where an organization stands in terms of ERM implementation and usage, including identifying and understanding risks.
ERM Tools: A variety of tools should be available providing leading risk management best practices related to improving an organization’s ERM program. For example, C-suite executives and board members need to understand and mitigate the difficulties of finding and retaining talent while preserving a culture that serves as a magnet for that talent. And they must aim to stay at the edge of technology and innovation.
ERM Audit Reports: Sample audit reports can be used by auditors to review the ERM function of an organization. They include testing of activities such as documenting enterprisewide policy guidelines, implementing an ethics hotline and company code of conduct, and documenting and integrating risk mitigation and oversight.
ERM Board Reports: Sample board reports can help a board to best articulate its policies, processes and actions and communicate them with its stakeholders.
ERM Committee Charters: Sample charters outline the responsibilities and duties, membership, operations, meetings and attendance of an organization’s ERM committee. The ERM committee should monitor the company’s risk environment and provide direction for the activities to mitigate, to an acceptable level, the risks that may adversely affect the company’s ability to achieve its goals. The committee facilitates continuous improvement of the company’s capabilities around managing its priority risks, and individuals on the committee may have specific risk management tasks as part of their primary management role at the company.
Booklets: More lengthy content may include ERM design principles outlining clear objectives, integration with the core business, risk culture, infrastructure, unique risks to the organization, risk ownership and executive sponsorship.
From Static to Dynamic ERM
In today’s challenging global economy, there’s a need for identifying, addressing, managing and monitoring an organization’s business opportunities and risks. The concept of ERM helps to redefine the value proposition of risk management by elevating its focus from the tactical to the strategic level. ERM is about designing and implementing capabilities for managing the risks that matter.
Get answers to some of the most frequently asked ERM questions. Obtain a variety of helpful and strategic suggestions and insights for executives responsible for ERM implementation.
The information exists in one central hub and it's available 24/7. KnowledgeLeader is a subscription-based website that provides tools, publications, best practices and training to audit and risk management professionals. We provide just the right mix of relevant and applicable subject matter dealing with all aspects of ERM, from short articles and quick instructional content to in-depth interviews and deep dives. An organization's value proposition can be determined by assessing its ERM's strategy. Make that strategy informed, evolving, proactive and dynamic.