There are numerous theories about what constitutes a solid ERM program. While theories are important, they are often difficult to put into action. This blog covers 10 practical guidelines that are feasible ways to ensure your organization’s ERM program is as robust as possible.
The unprecedented levels of business complexity, ever-changing geopolitical scenarios, new regulations and laws, and increasing stakeholder demands have made managing enterprise risks a crucial priority for CEOs, CFOs, and other members of any company’s C-suite.
Over the last few years, investors have made it a point to look into companies’ risk management policies and procedures. In most industries, boards of directors are expected to review the competence of their respective organizations’ risk management processes. Most organizations have audit and risk committees that oversee their risk management systems.
The significance of enterprise risk management is palpable. Risks that have a huge impact on corporations today have become largely manageable and foreseeable. Directors and senior executives have every reason to use enterprise risk management as a handle for ensuring that unnecessary losses are managed.
Enterprise risk management (ERM), in a nutshell, can be viewed as a way of aggregating, managing, and reporting on all the possible risks a company faces, making the consolidation of all risk information feasible.
Most corporations adhere to the standard ERM definition outlined by the United States’ Committee of Sponsoring Organizations of the Treadway Commission (COSO). In Enterprise Risk Management—Integrated Framework (2004), COSO defines ERM as a process designed to:
- Identify potential events that may affect the organization.
- Manage risk within the organization’s risk appetite.
- Provide reasonable assurance regarding the achievement of the organization’s objectives.
The COSO definition outlines eight interrelated components of enterprise risk—internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.
Of course, risk management is not a linear process in which each component is affected only by the one that comes before it. It is multidirectional and iterative, which means any component can influence any other.
Of late, ISO 31000:2009, Risk Management: Principles and Guidelines, has become a well-accepted industry standard. Simple in its approach and designed to supplement existing management systems, the standard has made appreciation and uptake relatively simple for companies. It provides principles, a framework, and a process for managing risk. Any organization, regardless of size, sector, or activities, will do well to make use of ISO 31000 to increase its chances of attaining objectives, identifying opportunities and threats, and allocating and using resources effectively for risk treatment.
The 2015 Report on the Current State of Enterprise Risk Management: Update on Trends and Opportunities by the American Institute of CPAs, which is based on survey responses from 1,093 business executives from a number of industries and different types and sizes of organizations, provides detailed insights about the state of maturity of their organizations’ ERM practices. The report highlights that there appears to be a disconnect between the recognition of today’s high-risk business environment and organizations’ decision to invest in ERM.
While 59 percent of companies believe that the volume and complexity of risks have extensively changed in the last five years, only 25 percent of these companies feel they have a complete ERM process in place.
According to the same report, despite 68 percent of executives reporting calls for increased senior executive involvement in risk oversight, only 23 percent describe their organization’s level of ERM maturity as “mature” or “robust.”
These facts suggest that organizations are struggling to integrate their risk oversight with their strategy development and execution. ERM must begin to be viewed as a top-priority strategic tool that provides a unique competitive advantage.
The need to revisit your company’s ERM culture and improve it through advanced ERM training is therefore pertinent.
Published by the Economist Intelligence Unit, here are 10 practical lessons learned from the current financial crisis that companies can use to help address perceived weaknesses in risk identification, assessment, and management:
1. Risk management must be given greater authority.
Risk managers’ opinions and concerns take a back seat when the opportunity for profit arises.
To be relevant and effective, risk management needs to be an independent function with sufficient authority to challenge risk-takers effectively.
Companies should be wary of whether risk professionals are given due authority in the organization. There should be a balance between the authority given to risk management and the profit-making objective.