A few years ago, I was promoted into a risk role. An Enterprise Risk Management (ERM) framework design and coordination role, but I did not know that at the time.
After two years in my hands, the risk management framework was looking completely different and I was starting to call the process what it was, an Enterprise Risk Management process.
There was nobody to guide me, so I had to figure out by myself the “WHYs” and “HOWs”.
- Why should we have an ERM approach? Does it bring any benefits? Which are those?
- How to implement different components of the ERM? What works, what doesn’t? What is the biggest issue? How to address those issues?
For us, the answer to the first “why” was simple. The organisation was listed on the London Stock Exchange and the UK Corporate Governance Code applied. It was a listing rule requirement.
For an Enterprise Risk Management leader, a regulatory requirement is a starting point. A helpful one, but it should not be sufficient.
I was not happy to just design and coordinate a process which was mandatory. I was not happy to have a tick-the-box process. I wanted to have a process that makes a positive impact in the organisation.
So, I tried to identify the “WHYs”, the benefits of having such a process and respective framework in place. I will present my top picks further below.
But before that, two more thoughts.
Firstly, there is a difference between ERM and traditional risk management. In essence, with ERM you consolidate and are able to see in one place the results of all traditional risk management processes that happen in your organisation.
The second thought refers to what ERM means, its definition.
So, what is ERM?
ERM is a process like any other process that is implemented in a business to manage that business. And like any other process, it has an objective (at least one) to be achieved, resources used to achieve that objective, and activities.
It is a process as much as accounting, treasury, credit management, change management are processes that businesses put in place to be able to achieve their objectives and strategies.
ERM deals with all risks to the business. It identifies the key ones, ensures there are recurrent actions (i.e., controls) taken to address risks, helps define how much risk the organisation is prepared to take and very importantly, helps with communicating all this information.
What value does ERM bring?
As I said earlier, I wasn’t happy to just run a process that responded to regulatory requirements but had little positive impact in the organisation. So, I tried to understand what other benefits it can bring.
The desired benefits are important since they will guide the design of the process. Here are mine:
1. Provides a prioritization of risks which translates into taking the right (as opposed to the easiest) actions
A business may have a significant number of risks. If your employees have a good imagination, they can find hundreds of risks, hundreds of things that could go wrong.
And their natural instinct will be to address all of them. Actually, they will address the easy ones to solve first. But are they the right ones?
The ERM helps to identify what should be addressed. And to take into consideration all sorts of risks: regulatory, competition, funding and liquidity, safety, etc.
This is, in my opinion, the most important value-adding benefit of implementing an ERM process.
2. Generates information for better decisions
My first boss told me that I should take decisions fast. Fail, and then take another decision to correct the first one. I was 21. I think he was encouraging me to learn how to take decisions and how to use information in the decision-making process.
One of the key elements of an ERM structure is the risk appetite framework. Implementing this concept involves thinking about how much risk you can accept. And not only for one type of risk, but for all key risks your business is exposed to. The ERM will help you with questions like this:
- Should I invest in this new product that will bring me more market share or will keep me relevant in the market? The return is probably very high, but you should also know that there will be risks and you should also know what those risks will cost you. Can you afford those risks?
- My people tell me that we have a number of risks in the business. Should I address them all? Can I afford to address all of them?
ERM helps with decision making because it generates information that will help you to take a decision.
3. Provides a basic structure to risk management that can be applied to the entire organisation
Traditional risk management is valuable. But why should you put an ERM process on top of traditional risk management?
One of the reasons is that it creates a basic structure for management of all risks.
Very often, traditional risk management is as successful as the risk manager that is in charge of that respective risk. But what if you do not have talented people in all the risk areas of your business?
It happens. I work with a Chief Marketing Officer that is better than me in all aspects of risk management. But I also worked with people who simply didn’t understand the concept of risk management. Or they were too abstract, too theoretical.
A common methodology helps to ensure all areas of key risk in the business are tackled effectively.
4. Engages the whole business, which will help build a healthy culture
The ERM approach engages the whole business. Almost everyone can have a role to play in the process and this helps with creating the company culture.
In my role, I work a lot to develop all sorts of policies and procedures. Nonetheless, I am the first one to admit that policies and procedures will not build a culture. Involving people, finding them a role in the process will.
Why is culture important? I am not an expert in culture, but try to manage a business only through policies and procedures and without trusting your people to do the right thing at the right time, fast. Just think about the early pandemic days. Why did your business survive? Was it because everyone knew what to do from the existing policies?
5. Tells you about where to look to address some of the performance issues
Every organisation has a strategy development plan and process and a performance management process.
They can have different names, they can be more or less formal, but all organisations plan on what they want to achieve and then they monitor performance against that plan.
The ERM process can provide answers to the following questions:
- Why is performance not where it should be, if issues relate to risks not anticipated and addressed?
- What to address in strategy execution?
- How to address issues / risks that seem to be out of the control of the organisation?
6. Demonstrates commitment and builds trust
The ERM is widely in use by organisations. Regulators are also used to it. Investors the same. Being able to claim that an ERM approach was implemented in the organisation will win 50% of the trust game with these stakeholders.
However, there are other stakeholders interested in ERM. Talented employees, having experience in their previous organisations, would appreciate the structure and familiarity of the approach.
I once worked with an information security risk manager. A very talented person, a real asset to our organisation as he was very good at balancing the risk level with the cost and benefit for the business.
In his “first 100 days report”, under the “things I like the most” in the organisation, he mentioned the ERM process.
Final thoughts
I believe there are many more benefits, but these are my top picks for you.
If you would like to chat about this, give me a call. I am happy to try to convince you why this is a good approach 😊.