Organizational risk consideration has undergone significant development in the past decade. Several events have influenced this development, including the corporate scandals for financials manipulation, which led to the passage of the Sarbanes-Oxley Act. The Act made the board of directors and executive management more accountable for corporate risk. The financial crisis in 2008 also raised awareness of the importance of risk management, prompting organizations to shift from traditional, silo-based risk management to an enterprise risk management (ERM) approach. Silo-based risk management refers to risk monitoring by individual departments independently without sharing information, while ERM offers an integrated view that considers risk from the perspective of the whole organization.
Enterprise Risk Management (ERM) is an overarching framework that offers a structured analytical process focused on identifying and eliminating the impact and volatility of a portfolio of risks. A study was conducted to investigate the efficiency of ERM systems during the financial crisis in 2008. Various organizations were classified into three stages: strong, weak, and no ERM system. The findings showed that organizations with a strong ERM system outperformed those with a weak or no ERM system. Therefore, it is highly recommended to have a strong ERM system and to implement it correctly.
To support the ERM approach, there are several frameworks available out of which most used are the COSO Cube ERM, ISO 31000 and the Governance, Risk and Compliance (GRC) model.
In the following part of article, the discussion will be focused on the common challenges in implementing ERM and possible mitigations.
13 steps to Implement effective ERM
In order to successfully implement ERM, an organization must ensure they have knowledgeable staffs on the ERM framework, either by educating or recruiting. To establish an effective ERM, an enterprise risk management function should be established, led by a Chief Risk Officer (CRO), who coordinates risk management efforts and reports to the Board of Directors. An effective ERM function should be staffed by professionals with an understanding of the risks influencing the enterprise and knowledge of techniques to limit risk.
In the next step of implementation, an organization needs to set its goals and risk appetite i.e. what level of risk they are willing to accept to achieve their goals. Following these, organization needs to focus on strategy and governance for ERM program.
Here are the 13 steps to implementing ERM effectively:
- Establish the ERM function with relevant professionals lead by a CRO reporting to Board.
- Set the goals and risk appetite.
- Formulate the ERM strategy and governance.
- Prepare and communicate Policy and guideline to be followed by the organization.
- Prepare risk matrix and other tools to identify, assess and report risk.
- Create risk forums by engaging CXOs and their direct reports (functional forums) and go up to executive management and Board level.
- Prepare a risk calendar and have periodic discussions on with all functional risk forums to identify risk and prepare risk response and follow up on action points.
- CRO to lead the subsequent reporting to executive management forums and Board (GRC committee) with outcome of risk forums discussion.
- Keep a line of sight from actions to root causes to risk.
- Share findings across domains.
- Collaborate with other functions like internal audit, accounting, ethics & compliance etc to be more impactful.
- Be prepared for change in process to adopt with risk environment as emerge.
- Ensure sponsorship of management and Board to keep up the risk awareness culture.
According to a COSO ERM Frameworks study, ERM is an accepted approach to dealing with business-wide risks, but the majority of ERM systems are still immature. Only a few organizations have implemented a systematic, robust, and repeatable ERM process. A large number of organizations are still not satisfied with their process of risk assessment and need further guidance in implementing ERM.
10 Most Common Challenges in ERM
Enterprise Risk Management (ERM) is a critical function for organizations to identify, assess, and manage risks that can impact their objectives. While the benefits of effective ERM are well documented, many organizations still struggle to implement ERM programs that are truly effective. Here are the top 10 challenges faced by organizations in implementing ERM and their mitigation plans:
1. Lack of resources
One of the most significant challenges faced by organizations in implementing ERM is a lack of relevant resources. Organizations need to allocate adequate resources, including personnel and budget, to develop and maintain an effective ERM program. Considering the upsides of having an effective ERM function, the organization should allocate sufficient and relevant resources to support the development and implementation of ERM programs.
2. Ineffective risk culture
A weak risk culture can undermine an organization’s ERM program. Organizations need to establish a risk-aware culture that promotes risk management and encourages employees to identify and report risks. The organization management should promote a risk-aware culture by providing regular training on risk management and incentivizing risk management behaviors.
3. Siloed risk management practices
Siloed risk management practices can create gaps in risk identification and management across the organization. Organizations need to establish a coordinated and integrated approach to ERM. An effective ERM framework and process connecting management team, strategy, legal, internal audit, accounting, and compliance functions can create a collaborative risk management environment.
4. Inadequate risk communication
Inadequate risk communication can limit the effectiveness of ERM programs. This may happen due to siloed-way of work and disengagement of management. Organizations need to create the platform to communicate and discuss risk assessments with key decision-makers. Creating risk forum by involving management team and have discussion on risk in a regular frequency can overcome this challenge efficiently.
5. Lack of senior management support
Senior management in the organizations may not prioritize risk management due to their engagement in operation. This lack of ownership and support can undermine the effectiveness of ERM programs. To have an effective ERM function senior management must have to sponsor the ERM program and provides the necessary resources to support it. The organization should establish a risk management governance structure that enables effective oversight and decision-making on risk management activities. Having a high-profile role like Chief Risk Officer (CRO) in organization’s top management team can be an excellent solution to drive ERM program with more strategically from the top.
6. Inadequate data
Inadequate data can limit the effectiveness of ERM programs. Organizations need to ensure that they have access to reliable and relevant data to support their risk management activities. The ERM process has to be efficient enough to enable the collection, analysis, and reporting of reliable and relevant risk data. To ensure that ERM process can enable risk forums with relevant resources and have risk discussions in a regular frequency.
7. Complex Environment
In today’s fast-paced and interconnected world, organizations face a multitude of challenges that contribute to a complex environment. Volatility, uncertainty, complexity, and ambiguity (VUCA) are the main factors that make this environment unpredictable and challenging. Volatility refers to the speed and nature of change, and the forces that drive it. Uncertainty arises when it is difficult to predict events or their outcomes. Complexity refers to the confounding of issues and the chaos that surrounds organizations, while ambiguity arises from the haziness of reality and the mixed meaning of conditions, leading to confusion about cause and effect. Organizations must be prepared to face the unexpected and respond quickly and effectively. By taking a proactive approach to risk management, organisations can minimise the impact of VUCA and reduce the likelihood of unexpected events affecting their business operations.
8. Challenges in the Risk Management Process
Identifying and managing risks in an organization is a complex process that presents several challenges. One of the main challenges is the identification of risks, as failing to identify a risk can significantly impact the organization. The risk management team needs to be equipped with the knowledge and techniques necessary to identify risks, which may include reviewing internal audit reports, conducting risk questionnaires, brainstorming, analyzing business trends and scenarios, and interacting with stakeholders. Assessing and prioritizing risks covers determining their significance and likelihood, which can be done using qualitative, semi-quantitative, or quantitative techniques, but choosing the appropriate technique or combination of techniques can be a challenge. Quantifying risks can also be difficult, and assessors must keep in mind that risks that cannot be quantified in monetary terms still exist and may occur. Finally, treating risks involves producing a comprehensive list of all identified risks and their corresponding tolerances and acting on risks that exceed the tolerance level. Treatment options for risks include accepting, avoiding, outsourcing, sharing, transferring, or remedying them, and these steps must be tailored to the organization’s needs.
9. Challenges with Risk Metrics
Risk metrics play an important role in the risk management process, but there are several challenges associated with them. One of the main challenges is selecting the appropriate metrics to use, as there is no one-size-fits-all solution. Different metrics may be more or less relevant depending on the specific risks an organization faces. Another challenge is in ensuring that the metrics are accurate and reliable. Metrics are often based on historical data or assumptions, which may not always be relevant or accurate. Additionally, metrics may be subject to manipulation or misinterpretation if they are not designed properly. Interpreting and communicating metrics can also be a challenge. Different stakeholders may have different interpretations of the same metrics, and it can be difficult to effectively communicate the significance of metrics to non-experts. Two different types of metrics are described below to support different steps in the risk management process.
Key Risk Indicators (KRIs) are metrics used to identify and monitor potential risks before they occur. KRIs are a type of leading indicator, meaning they provide early warning signals of emerging risks. KRIs can be qualitative or quantitative, and they should be tailored to the specific risks facing the organization. For example, a retail company might use KRIs such as customer complaints, inventory turnover, and employee turnover to monitor potential risks in their business operations. In contrast, a financial institution might use KRIs such as market volatility, credit default rates, and liquidity ratios to monitor financial risks. By tracking KRIs over time, organizations can detect changes in risk exposure and take corrective actions before risks escalate.
Scoring models are another type of metric used to evaluate risks in the risk management process. Scoring models use a systematic approach to assign a numerical value to different risk factors based on their likelihood and impact. The scores are then used to prioritize risks and allocate resources to manage them effectively. Scoring models can be qualitative, semi-quantitative, or quantitative, and they should be tailored to the specific risks facing the organization. For example, a manufacturing company might use a scoring model to assess the risks associated with a new product launch by assigning scores to factors such as product quality, supplier reliability, and production capacity. By using a standardized approach to assess risks, organizations can ensure that resources are allocated effectively to manage the most critical risks.
Finally, metrics must be regularly reviewed and updated to ensure that they remain relevant and effective. This can be a time-consuming process, particularly in larger organizations or those with complex risk profiles.
10. Changing risk landscape
The world is changing rapidly, with advancements in technology, shifting geopolitical landscapes, environmental changes, and evolving social and economic factors. As a result, new and unforeseen risks are constantly emerging, which can have significant impacts on individuals, organizations, and society as a whole. Traditional risk management approaches may not be sufficient to address these emerging risks, given their complexity, interconnectedness, and uncertainty. Therefore, it is crucial to focus on the Enterprise Risk Management (ERM) process to proactively manage emerging risks from various domains.
Introducing a Chief Risk Officer (CRO) role can help organizations address these challenges and make their ERM function more effective. The CRO can provide the necessary leadership, expertise, and oversight to establish a coordinated and integrated approach to ERM. The CRO can also work closely with senior management to ensure that the ERM program aligns with the organization’s strategic objectives and that the necessary resources are allocated to support the program.
Conclusion
To overcome the challenges of ERM implementation, organizations should focus on the benefits of effective ERM. These benefits include increased risk awareness and mitigation, improved decision-making, enhanced stakeholder confidence, and reduced financial losses. By developing a robust ERM framework that is aligned with organizational goals and strategies, establishing clear roles and responsibilities, and continuously monitoring and updating the ERM process, organizations can reap the rewards of effective risk management. Additionally, fostering a culture of risk awareness and accountability, and providing adequate training and resources to employees, can help ensure the success of ERM initiatives.