Enterprise Risk Management Framework: Insights & Tips From the ERM Frontlines
If the last few years have taught us anything, it’s that things can go sideways quickly. And we don’t just mean slight veers from the road. No, we’re talking about possibly historic events that come out of nowhere and punch your business squarely in the jaw.
Although we’d like nothing more than to say all of those operational meteorites are behind us, that’s obviously not the truth. So what’s a good, forward-looking organization such as yourself to do?
The answer is to establish an enterprise risk management (ERM) program that will help you manage risk, effectively and efficiently react to the unforeseen, and give your strategic planning a whole new perspective. And if you’re new to ERM or want to find out what it can do for your enterprise, then you’re in the right place.
What Is Enterprise Risk Management?
ERM isn’t a software suite that you install into your network and walk away from. Nor is it a checklist of static items you monitor every now and again to make sure all operational systems are a go. While we won’t be so new-agey as to describe ERM as a lifestyle for your organization and people, that term is actually a much more fitting description than a single solution or process.
Rather than trying to reinvent the wheel, though, let’s start with a definition from the industry standard, the COSO ERM framework:
Enterprise risk management is the culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value.
That pretty much says it all, right? As we said, ERM isn’t a single function, department, or checklist. In fact, it’s not even exclusively about identifying all the risks you face. Ultimately, ERM is an organization-wide approach, embedded in strategy-setting and day-to-day operations, that drives value for an enterprise.
Putting it in bumper sticker language, ERM helps keep the bad stuff from your front porch, guides you toward the good stuff, and lets you constantly gauge your progress. And that’s the type of thing that stakeholders, regulators, and employees all want to see.
To use an extremely topical example, sustainability is practically a fundamental component of modern investing, operations, and governance, to the point where the SEC now has an entire webpage devoted solely to ESG-related issues. Integrating such areas into your ERM program should almost be a given at this point, making compliance and ESG reporting easier while also meeting the evolving demands from the public and regulating bodies.
Why Should Business Leaders Consider ERM?
We understand that was a pretty high-level look at ERM. So let’s take a deeper dive into the benefits of ERM and why business leaders should consider it for their enterprises.
Spot and Manage Risks Hiding Across Your Entire Enterprise
Any given group or department in your organization likely has a fair grasp of the key risks involved with their day-to-day operations. However, understanding risks across the entire enterprise is a different story, where those individual groups can form risk silos through no fault of their own.
But risk doesn’t exist in a vacuum. Since organizations are incredibly connected across their different departments and business units, risk has a way of crossing departments or creating a domino effect, even when you think the source or impact is siloed. ERM breaks down those silos, ensures visibility and transparency, and helps organizations achieve optimal outcomes.
From a broader perspective, ERM also prepares you for the sources of risk that you haven’t seen first-hand or don’t see on an everyday basis. To state the obvious, out of sight, out of mind isn’t exactly a great risk management strategy. Therefore, being able to identify and manage risks across the enterprise means focusing on what lurks in the shadows as well.
Minimize Bad Surprises, Maximize Favorable Results
COVID-19. Ransomware attacks. Machine failures. Labor strikes. We could go on and on, but you see where we’re heading – there’s no shortage of internal and external risks that can appear from the ether and wreak havoc on your operations.
Sure, when it comes to once-in-a-lifetime events like the coronavirus pandemic or an earthquake, there isn’t much you can do to eliminate or even squelch that risk. However, through a comprehensive enterprise risk management program, you can improve your ability to identify and respond to risk. And simply improving these capabilities will greatly reduce the likelihood that a risk sneaks up on you and catches you by surprise.
In doing so, you’re generating a byproduct of ERM that too often gets overlooked. As your organization increases its capabilities around identifying and responding to risk, you also get to leverage that knowledge and understanding into a potential strategic advantage. Therefore, when you understand what goes bump in the night, you can use that knowledge to drive your strategy, create value, and gain a competitive advantage.
Be Wise and Efficient With Resources
Business is about dealing with scarcity, choosing how, when, and where to deploy your resources in the most efficient manner possible. When it comes to risk, a robust enterprise risk management program helps you identify the areas where risk exceeds your risk tolerance and, thus, can guide your resource deployment to those specific areas. Such resources might be people, money, technology, or anything else that can help you address excessive risk levels.
Build an Enterprise Forged Like Steel
There’s something to be said for having a battle-tested enterprise. Or at least one that is well-prepared across the board. As you’re developing your ERM program and identifying your sources of risk, just playing out all of those what-if scenarios and anticipating change creates a more resilient organization that can adapt and pivot when looking the repercussions of risk in the eye.
The COSO ERM Framework
Of course, you’ll never realize the benefits of ERM if it stays hypothetical. That’s why the design and implementation of your ERM program are such critical components of your risk management strategy.
Just remember, the goal with your program isn’t to entirely eliminate risk – that’s impossible. However, by prioritizing your sources of risk, a proper ERM program allows you to manage them within acceptable levels.
When it comes to assembling your initial program, most organizations turn to the most prominent ERM frameworks available – COSO and ISO 31000 – or some combination of the two, to work from. However, since our goal isn’t to dive into the sometimes subtle yet significant differences between the two, we’re going to stick with COSO (Committee of Sponsoring Organizations of the Treadway Commission) and its more focused attention on business, accounting, and financial reporting.
Specifically, we’re going to base our discussion on the five components from the 2017 COSO ERM Framework. But as you start to assemble your own ERM program, keep in mind there aren’t any absolute rights or wrongs, because every ERM program is different. Thus, what works best for you will reflect your unique needs, risk sources, risk appetite, and seemingly countless other factors.
Governance and Culture
Effective ERM starts at the top of an organization, but also relies heavily on engagement from all levels of the enterprise. Therefore, while management and governance bodies establish a company’s tone and outlook on risk, that outlook gets absorbed into everything from company culture and core values to its operating structures, talent acquisition strategy, and board risk oversight.
Strategy and Objective-Setting
You have to know your desired destination before you set out on a journey. The same goes for your ERM program, which works together with strategy and objective-setting to help you define an aligned risk appetite, formulate business objectives, and evaluate potential strategies to achieve those objectives.
Performance
Internal and external risks will always arise as you pursue your business objectives and strategy. The Performance category emphasizes risk identification, severity assessment, prioritization, and risk response.
When assessing risk severity, you’re using factors like likelihood, magnitude, and velocity – speed of onset – to prioritize identified risks. You also evaluate severity based on inherent risk and residual risk – the risk existing before any mitigation strategy versus the remaining risk after mitigation.
Review and Revision
You need to chart your course as you go, gauging your performance against risk and your ability to enact substantial change. This is where ongoing monitoring and risk assessments play such a pivotal role, allowing you to understand how your risk management processes, overarching mitigation strategies, and people hold up in the face of risk.
Also, since the whole concept of risk management is dynamic – risk itself is a world-class shapeshifter – this Review and Revision area of the framework focuses on the importance of ensuring your ERM continually evolves and improves.
Information, Communication, and Risk Reporting
All roads lead to this point, where the prior framework categories and principles are in place to generate and share actionable insights for your leadership and people. Simply put, ERM must be an open window, one you can quickly and conveniently peer through to see where you are, what has changed, what you struggle with, and where you want to be.
Technology is especially important in this area, where many of the tools involved in a digital finance transformation – data analytics, dashboards, and automated reporting – let your board of directors, business leaders, and employees see in-depth reports on risk, culture, and performance, usually in real-time. This throughput of information is vital for communicating about your risk, strategies, and objectives across the enterprise.
The COSO Framework Is Only the Starting Point
As we said, no two companies are alike. Thus, an ERM program that works well for one company might leave another susceptible to massive gaps in its program. As such, while the five components laid out by COSO give us a common framework for establishing ERM, each company’s risks, mitigation strategies, culture, and information-sharing will – and must – be unique to your specific company and internal environment.
Establishing an ERM Process and Methodology
As you set out to establish ERM at your organization, it’s helpful to do so through a sequential process that begins with a foundation you can build from.
1. Educate the Enterprise
There’s a vocabulary and set of definitions that are critical to understanding enterprise risk management. That’s why educating your people on the concept and purpose of ERM should be your first building block, including:
- What ERM means
- What ERM doesn’t mean
- How far ERM reaches across the enterprise
- Why management of risk is so essential
2. Establish a Steering Committee
Like any major initiative in your organization, a steering committee is critical in providing oversight of the ERM program’s initial implementation. Composed of senior management from different areas of your enterprise, the steering committee also helps define the many roles and responsibilities within your ERM program, including those belonging to:
- Board members and CEO
- Senior management
- Business units
- Supporting functions like HR, IT, and legal
- Compliance and internal audit
3. Develop an ERM Methodology and Roadmap
You’ll need a blueprint to follow as you implement the different components of your ERM program. This methodology should include key definitions, descriptions of the different roles and responsibilities involved, and a clear layout of your procedures – and the related timeline – for identifying, assessing, measuring, mitigating, monitoring, and reporting on risk.
4. Define Risk Appetite
You’ll want to create a formal document that covers your spectrum of business areas and speaks to your strategic direction and objectives. In this context, you should discuss the company’s capacity to absorb risk and potential loss. Your leadership and board should revisit this defined risk appetite regularly to ensure it continues to align with your strategy and objectives.
5. Identify Sources of Risk
There are seemingly countless sources of risk for an enterprise, especially one that is growing. However, taking a meticulous approach to identifying these different sources is essential for creating a thorough, well-developed ERM program that minimizes gaps.
Between the different risk types – credit, liquidity, environmental, market, strategic, event, and operational risks, to name just a few – determine which business activities or aspects of the organization’s strategy are exposed to that specific type of risk. From there, establish inherent risk level rankings – high, medium, and low is a popular way to go – and assign them to those risks. Do so according to the three main elements we discussed previously:
- Likelihood of occurrence
- Magnitude of impact
- Velocity/Speed of onset
Afterward, evaluate and score mitigating factors or your mitigation strategies along the same quality scale – high, medium, low – and pair them with the ranked sources of risk. This will tell you what your residual risk levels are across the enterprise, allowing you to prioritize risk and coordinate your resource deployment.
For example, a business activity that entails a high level of inherent risk and minimal or no mitigating factors, activities, or internal controls will result in a fairly high amount of residual risk. Thus, the steering committee and management should broadly prioritize that particular risk with appropriate resources.
Also, try to tie quantitative metrics to those risk levels to make your assessment as objective as possible. The more you leverage quantitative measures, the more you enable effective and meaningful monitoring going forward.
6. Develop Risk Mitigation Plans (RMPs)
Building from the previous step, creating risk mitigation plans lets you address the areas with the largest gap between residual risk and your risk target. Try to quantify and establish accountability as much as you can in these plans, including target completion dates as well as the owners responsible for driving the applicable mitigation activities. Once again, quantifying these plans whenever possible is essential in providing much-needed context to leadership.
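As an added illustration of steps 5 and 6 (not code from the article or from Embark), the script below scores a constructed risk register: inherent risk from likelihood, magnitude, and velocity on a high/medium/low scale, residual risk after mitigation quality is applied, and the gap between residual risk and the risk target used to prioritize RMPs. The combination rules (velocity bump, how many levels each mitigation grade removes) and all sample risks are assumptions, not COSO guidance.

```python
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}
NAMES = {1: "low", 2: "medium", 3: "high"}


@dataclass
class Risk:
    name: str
    category: str        # credit, liquidity, strategic, operational, hazard, ...
    likelihood: str      # likelihood of occurrence: low / medium / high
    magnitude: str       # size of the impact if it occurs
    velocity: str        # speed of onset
    mitigation: str      # quality of existing controls / mitigating factors
    target: str = "low"  # residual level the risk appetite tolerates


def inherent_level(r: Risk) -> int:
    """Rank inherent risk (before mitigation) on a 1-3 scale.
    Assumed rule: likelihood and magnitude set the base; a medium risk with
    high velocity is bumped to high because there is little time to react."""
    base = max(LEVELS[r.likelihood], LEVELS[r.magnitude])
    if LEVELS[r.velocity] == 3 and base == 2:
        base = 3
    return base


def residual_level(r: Risk) -> int:
    """Residual risk after mitigation (assumed rule): high-quality controls
    remove two levels, medium controls one, low or no controls none."""
    return max(1, inherent_level(r) - (LEVELS[r.mitigation] - 1))


def gap(r: Risk) -> int:
    """Levels by which residual risk exceeds the target; 0 or below means the
    risk already sits within appetite and needs no new RMP."""
    return residual_level(r) - LEVELS[r.target]


def prioritize(risks: list[Risk]) -> list[dict]:
    """Order the register for the steering committee: largest gap first, then
    highest residual risk among equal gaps (sort is stable for full ties)."""
    rows = [{"name": r.name, "category": r.category,
             "inherent": NAMES[inherent_level(r)],
             "residual": NAMES[residual_level(r)], "gap": gap(r)} for r in risks]
    return sorted(rows, key=lambda row: (-row["gap"], -LEVELS[row["residual"]]))


# Constructed sample register, not real data
REGISTER = [
    Risk("Ransomware on file servers", "operational", "medium", "high", "high", "low"),
    Risk("Earthquake disrupts key supplier", "hazard", "low", "high", "high", "medium", "medium"),
    Risk("Phishing-driven credential theft", "operational", "high", "medium", "medium", "high"),
    Risk("Customer concentration", "financial", "medium", "medium", "low", "low", "medium"),
    Risk("Cloud region outage", "operational", "medium", "medium", "high", "medium"),
]

if __name__ == "__main__":
    print("gap  residual inherent name")
    for row in prioritize(REGISTER):
        print(f'{row["gap"]:>3}  {row["residual"]:<8} {row["inherent"]:<8} {row["name"]}')
```

The top of the output is the high-inherent, unmitigated ransomware risk described in the text above, while the well-mitigated phishing risk drops to the bottom despite a high inherent ranking.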
7. Implement Monitoring and Reporting Tools
To revisit a previous point, the monitoring and reporting component of your ERM framework is an ideal place to implement some of the automation and analytic tools from a digital transformation.
Through data dashboards and real-time reporting, you can ensure your organization maintains a clear picture of its risk exposure. These tools are also critical in driving faster, more informed decision-making from leadership based on accurate, reliable, and timely information.
Enterprise Risk Management Examples
Let’s take a step back from methodology now and see what ERM looks like in the wild. And the best way to do that is by seeing how a comprehensive ERM program might address some of the most common types of risk organizations encounter.
Hazard Risks
COVID is the most obvious example of a hazard risk to enterprises these days, but obviously not the only one. Think of hazard risks as those that pose a significant threat to your people, their health, or your property. Therefore, everything from earthquakes and fires to dangerous equipment and chemical spills falls under this category.
For example, companies in California must constantly plan for “the big one,” a large earthquake that will inevitably occur along the San Andreas Fault at some point. Yes, on any given day, the likelihood of such an event is small. But if such an event were to occur, the impact on your business and people could be catastrophic.
From an ERM perspective, there are three areas where an effective risk management strategy can mitigate the consequences of such hazards:
- Logistics – Developing supply chain diversion strategies to help you maintain production and distribution channels if “the big one” disrupted either you or a supplier
- Employees – A robust communication system that allows you to deliver up-to-the-minute information to your people on, for starters, building safety and closures
- Business infrastructure – In the event of an earthquake, an evacuation plan along with emergency supplies and backup equipment that will keep your people safe and operations running
Financial Risks
Liquidity and cash flow make the business world go ‘round. That’s why they’re top-of-mind for CFOs when a significant threat presents itself, as we saw during the scramble for capital toward the beginning of the coronavirus pandemic.
To protect an enterprise against potential threats to working capital – one of the many financial risks enterprises face – an ERM program can:
- Mandate specific cash reserves
- Establish an initiative to diversify a customer base
- Improve collections and credit processes
- Enhance cash flow forecasting
Strategic Risks
There are countless ways that even a well-planned business strategy can turn south. For instance, for a company focused on growth through M&A, acquisition risk – including misaligned cultures and operations, inaccurate valuations, and hidden liabilities, amongst others – poses a potentially severe threat to its strategic goals and growth strategy.
While an ERM framework can’t eliminate those different sources of acquisition risk, it can certainly minimize them by:
- Defining the acquisition objectives
- Establishing financial and non-financial goals, continually monitoring progress toward those goals
- Creating reporting systems and data dashboards to support goal monitoring
- Mandating frequent strategy reviews
Operational Risks
Operational risks, in large part, stem from breakdowns in internal processes and governance. System failures, data breaches, human error, and regulatory failures are just some of the operational risks companies must manage.
Using cybersecurity as an example, ERM can protect an organization by:
- Limiting a company’s “attack surface,” or the areas across an IT footprint where you’re susceptible to attack
- Conducting frequent vulnerability scans to identify gaps in the data infrastructure
- Creating training and educational programs covering topics like phishing scams
- Preparing an incident response plan
- Ensuring sufficient cyber insurance is in place
Potential Challenges in an ERM Implementation
Implementing ERM isn’t a small undertaking for your enterprise. It requires a high degree of agreement and cooperation across the organization, particularly at the senior management level. Put another way, challenges abound during implementation, including:
- Your people not understanding risk or the benefits of ERM
- Lack of ownership for different risks and responses
- Inability to identify risks and quantify potential damage
- Insufficient risk prioritization
- Inadequate RMPs that lack direction
- Delayed and inaccurate reporting and data
- Inaccurate risk appetite statements
There are plenty of other ways for an ERM program to get stuck in neutral – or even reverse – but we just wanted to prove a point. Looking at this list of possible challenges, preparation and expertise in ERM development and implementation are very effective ways to head all of them off at the pass, because none of them are inevitable, especially with some foresight and planning on your part.
Yes, there can be unforeseen circumstances that might pose an unexpected challenge to your ERM implementation. But isn’t that why you’re implementing ERM in the first place? To help you effectively plan for and address such circumstances?
Ultimately, if you’re deliberate with your planning and rely on experienced partners along the way, an effective risk management function will mitigate risk, create new value, and inform your strategies going forward. Thankfully, Embark is just that type of partner, and we’re ready to help your enterprise lasso the countless benefits that a comprehensive, efficient ERM program brings. So let’s talk.