Enterprise Risk Management

?What is Enterprise Risk Management?

Enterprise risk management?(ERM) is an enigma. Many executives say they do it, yet gather 10 of them in a room and they can’t agree on what it is. The reality is companies think they are implementing ERM, but they really aren’t. What we see in practice often demonstrates a very limiting view of ERM, from maintaining a list of risks (“enterprise list management”) to summarizing risk responses, leaving many corporate leaders underwhelmed with its value contributed in view of the speed of business and ever-changing economic environment.

So for me ERM is the discipline, culture and control structure an organization has in place to continuously improve its risk management capabilities in a changing business environment.

Why is ERM important?

Events over recent years have pointed to five realities that every CEO and board face:

1.??The time may come – sooner than we may expect – when the fundamentals of the business are about to change. Risk management is about securing “early mover” positioning in the marketplace. Management of strategic uncertainties requires an understanding of the key assumptions underlying the strategy and monitoring changes in the business environment to ensure that these assumptions remain valid over time.

2.??It is not what we know that matters; it is what we don’t know that makes the difference. The question should be: Is our approach to assessing risk identifying emerging risks and telling us something we don’t know?

3.??Most businesses are boundary-less. A strategic perspective applied to operational risks suggests the need for an end-to-end extended enterprise view of the value chain, requiring consideration of upstream and downstream relationships. What happens if any critical component of this chain were lost for an indeterminate period of time?

4.??Sooner or later, there will be a crisis that will test your company. Even the most effective risk management cannot prevent this exposure. Yet companies spend a lot of time guessing at probabilities and ignoring the speed of impact, the persistence of impact over time and the organization’s response readiness.

5.??Management and directors are struggling with delineating between risk management and risk oversight. The risk oversight playbook is evolving. CEOs fear an overlay and non-value-added activity that is out of sync with the rhythm of the business. It makes sense to start both risk management and risk oversight at the same place – with the formulation of strategy, including an understanding of the key assumptions underlying the strategy.

These five realities are forcing management and their boards to take a fresh look at risk and crisis management. An effectively functioning ERM process is important because it can help them address these new realities.

Please feel free to share your views/feedback at [email protected]