Ignoring ERM Is Risky Business

by Marcia R. Hoffacker, CIA, CFE, CRMA | Dec 02, 2015

Pennsylvania CPA Journal

Business owners and corporate executives face a demanding range of known and emerging challenges that include such factors as economic impacts, changing technology, regulatory scrutiny, ethical challenges, and stakeholder expectations. Each decision has some level of risk hidden inside, some more apparent than others. All stakeholders expect business leaders to be risk-conscious. It’s no surprise, then, that companies across all industries and of various sizes and structures seek to formalize their risk oversight. Many choose to implement enterprise risk management (ERM) processes to help navigate new and often unfamiliar terminology: risk environment, risk assurance, risk framework, risk aversion, risk portfolio, risk tolerance, risk response. Risk, risk, risk.

It’s hard to find a company today that doesn’t recognize the importance of effectively managing risk. To be clear, we are talking about all-encompassing, company-wide risk. This differs from stand-alone risk management activities, such as safety programs or insurance risk management that, while important, are only one part of a broader risk management strategy. We know that effective ERM programs lead to increased profitability, decreased litigation and regulatory sanctions, and operational efficiencies ... or do we?

Recent studies show that 59 percent of senior financial executives believe that the volume and complexity of risks have changed “extensively” or “mostly” over the past five years. Unfortunately, only 25 percent of those same executives believe their organizations have a “complete formal enterprise risk management process in place,” and that finding does not differ from the prior year.1 Another survey of senior executives finds that the top five barriers to ERM progress include competing priorities, insufficient resources, lack of perceived value, perception of ERM adding bureaucracy, and a lack of board or senior executive ERM leadership.

Is it possible that the very thing established to bring confidence and stability to the board and executive management is the same thing senior financial executives rank low on their priorities? Tight resources, real or perceived organizational drag, and the sense that “It won’t happen to me” are all reasons management cites for not embracing an ERM process. Many ultimately make the decision to “get by” with minimal investment or do nothing. This can cause concern for many stakeholders at various levels.

Building an Effective ERM Program

ERM can be defined as a “collection of processes, methods, and other approaches businesses and other organizations use to manage, monitor, and measure risks.”2 Effective ERM programs are also dependent on people and systems. People, processes, and systems must work in harmony to deliver the highest degree of effectiveness. Senior executives must support it, find value in its efforts, and consider the factors below:

Understand who you are and where you’re going – Just as Rome wasn’t built in a day, neither are effective ERM programs. Begin by conducting an enterprisewide risk assessment, performing a gap analysis, and creating long-term goals marked by yearly improvements. If you don’t know where to start, consult a specialist who can help you incorporate the process throughout the organization.

Leverage your partners – Whether it is your internal audit group, ERM manager, compliance officer, legal counsel, information systems group, human resources, or external auditors and consultants, call upon them for their expertise. Integrating them into the risk management culture helps eliminate redundancies in responding to multiple requests and documentation requirements. Each group brings a unique perspective and can help management recognize the risk in areas often overlooked.

Anticipate – This one word is very powerful. Failing to anticipate risk causes organizations to react in the moment, leaving them ill-equipped and vulnerable to increased costs and inefficiencies. Just because it hasn’t happened yet, that doesn’t mean it won’t. Anticipating risk will help companies smoothly navigate through necessary changes and responsible reactions.

Don’t put risk in a box – It’s tempting to look at risk in silos, which can happen when we become comfortable with people overseeing an area or have preconceived notions of what risk is and where it lies within the organization. Unfortunately, rushing through the process or taking a narrow view of risk can lead to inefficiencies and surprises that can be dangerous to the organization.

Successful businesses are built upon a strong foundation of people, processes, and systems while maintaining the delicate balance of risk and reward. Taking the time to think through these strategic, big-picture considerations will pay considerable dividends in the long run.

1 2015 Report on the Current State of Enterprise Risk Oversight: Update on Trends and Opportunities, 6th Edition, February 2015.

2 “Enterprise Risk: Establishing the Risk Appetite for Unifying the Lines of Defense,” Thomson Reuters Accelus paper, April 2015.


Marcia R. Hoffacker, CIA, CFE, CRMA, is business risk practice leader for Reinsel Kuntz Lesher LLP in Harrisburg. She can be reached at mhoffacker@rklcpa.com.