While many organizations struggle with implementing Enterprise Risk Management, the benefits are worth the effort.
It’s called ERM, and implementation isn’t always easy. Yet as business risks continue to increase, organizations in all types of industries, public and private, are finding it necessary to engage some sort of formal risk management system. An effective enterprise risk management—or ERM—program can help organizations not only manage risks but also maximize opportunities.
Exactly what is ERM? A committee of five organizations dedicated to thought leadership around risk management provided a definition of ERM in 2004. The Committee of Sponsoring Organizations (COSO) defined it as: “… a process, effected by the entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives.”
In simple terms, ERM is a way to effectively manage risk across the organization through the use of a common risk management framework. This framework can vary widely among organizations, but typically involves people, rules and tools. This means individuals with defined responsibilities use established, repeatable processes (rules) and the appropriate level of technology (tools) to mitigate risk.
Many organizations struggle with implementing ERM and identifying how, and at what level, to integrate it. Managers often say they are already aware of the risks for their respective areas of the business. In these situations, what value does ERM provide, and how does it enable better perspectives and management of risks and risk data?
Organizations often find that ERM programs provide a combination of both qualitative and quantitative benefits. While there are many benefits to ERM, let’s focus on five of them.
Creation of a more risk-focused culture for the organization. Organizations that have implemented ERM note that increasing the focus on risk at the senior levels results in more discussion of risk at all levels. The resulting cultural shift allows risk to be considered more openly and breaks down silos with respect to how risk is managed.
As risk discussions develop into a standard part of the overall strategic business processes, operational units often find that addressing risk in a more formal way helps manage their part of the organization as well. Communication and discussion of risk are recognized not only as a process to provide information to senior management, but also as a way to share risk information within and across operations of the company and to allow better insights and decision making concerning risk at all levels.
Standardized risk reporting. ERM supports better structure, reporting and analysis of risks. Standardized reports that track enterprise risks can improve the focus of directors and executives by providing data that enables better risk mitigation decisions. The variety of data (status of key risk indicators, mitigation strategies, new and emerging risks, etc.) helps leadership understand the most important risk areas. These reports can also help leaders develop a better understanding of risk appetites, risk thresholds and risk tolerances.
Major values of ERM risk reporting are improved timeliness, conciseness and flexibility of the risk data. These provide the data needed for improved decision-making capabilities within the executive and director levels and in other layers of management. ERM helps management recognize and unlock synergies by aggregating and sharing all corporate risk data and factors, and evaluating them in a consolidated format.
Improved focus and perspective on risk. ERM develops leading indicators to help detect a potential risk event and provide an early warning. Key metrics and measurements of risk further improve the value of reporting and analysis and provide the ability to track potential changes in risk vulnerabilities or likelihood, potentially alerting organizations to changes in their risk profiles.
In addition, ERM permits a more complete viewpoint on risk. Traditional risk practices focus on mitigation, acceptance or avoidance. However, effective ERM processes give management a framework to evaluate risk as an opportunity to increase competitive positions and exploit certain market and operational conditions.
Efficient use of resources. In organizations without ERM, many individuals may be involved with managing and reporting risk across operational units. While developing an ERM program does not replace the need for day-to-day risk management, it can improve the framework and tools used to perform the critical risk management functions in a consistent manner. Eliminating redundant processes improves efficiency by allocating the right amount of resources to mitigating the risk.
Effective coordination of regulatory and compliance matters. Bond rating agencies, financial statement auditors and regulatory examiners have begun to inquire about, test and use monitoring and reporting data from ERM programs. Since ERM data involves identifying and monitoring controls and mitigation efforts across the organization, this information can help reduce the effort and cost of such audits and reviews.
Through all of the benefits noted above, ERM can enable better cost management and risk visibility related to operational activities. It also enables better management of market, competitive and economic conditions, and increases leverage and consolidation of disparate risk management functions.
Editor’s note: Sue Ulrey is principal, Business Risk Services, and Mike Sargent is director, Business Risk Services, for CliftonLarsonAllen, one of the nation’s top 10 certified public accounting and consulting firms. [cliftonlarsonallen.com]