Enterprise risk management has variously been described by the terms 'business risk management' (BRM), 'risk assessment' or even 'business risk mapping'. Notwithstanding the choice of name, it represents a major shift in the management of an organisation's strategic, operational hazard and financial risks.
Previously, risk was considered and managed with a silo (individual business) mentality. The BRM perspective is, as its name suggests, enterprise-wide. It identifies, examines and, where appropriate, aggregates those risks that span different business structures, and enables the efficient function of an organisation. It is about assessing risks in relation to a corporation's risk tolerance and risk appetite, identifying and reviewing associated controls and processes, and formulating a robust strategy to exploit the threats and opportunities faced.
Key attributes of BRM, as identified by a 2004 Conference Board study, are:
- alignment with strategic intent and related objectives
- inclusion of all business risks, not just financial ones
- integration into management process
- addressing both the hard and soft aspects of risk management
- identification and management of threats while maximising opportunities.
So, BRM is more than just another approach to risk. It is a structured, disciplined method that supports the alignment of strategy, processes, people, technology and knowledge with the purpose of evaluating and managing the uncertainties an organisation faces as it creates value.
Our own organisation's approach to BRM is summarised in our process framework (Fig 1).
While many organisations are frightened by the idea of BRM, believing it to be overly sophisticated or expensive to implement, in truth the approach can deliver many business benefits. These include:
- improved ability to make better informed decisions
- ability to articulate and communicate risk-taking to the board, management and stakeholders
- greater management consensus.
Furthermore, organisations may realise a reduction in their total cost or volatility of risk. BRM may identify areas where resources may be more efficiently allocated, away from areas where risks are over-managed to areas where they are under-managed.
There are challenges and obstacles to implementing a risk management framework, including competing management priorities, insufficient resources and an internal fear or perception of change. However, we believe that the benefits are worth the challenge.
Identify, assess and prioritise
Before an organisation sets out to manage its risks, it must know what risks to manage.
The types of risk faced depend on the organisation and its operating environment. They may be clustered into various categories, such as:
- internal - fraud, production failure, fire and so on
- external - supplier failure, currency fluctuations and increased regulatory control.
Each business is likely to own a risk register. However, the silo approach may mean that the impact of one risk event on other business areas is not assessed. For example, a fire may destroy one business area's buildings and material, but it could also impact downstream operations, causing business interruption, loss of reputation, impairment of staff morale and hence retention, elsewhere in the organisation. Without an enterprise-wide perspective of an organisation's risks, the potential scale of the impact of a single event may be grossly understated.
There are varying approaches to identification and prioritisation of business risk. One such involves facilitation of a strategic workshop, leveraging individual businesses' risk registers and the outputs of previously performed operationally focused workshops.
Keys to the success of the above approach are proper advanced planning and the identification of participants for these workshops. Operational workshop delegates need to have detailed knowledge of their risks, and may include production line managers, financial controllers and human resources representatives. Board member participation in the strategic workshop will ensure consolidation of operational risks and identification of those risks that threaten the achievement of strategic objectives.
It is worth mentioning that, in addition to identifying and prioritising business risks, undertaking a risk identification exercise has the additional benefit of promoting awareness and helps embed a risk culture into the organisation.
Analyse risks and current capabilities
As mentioned, a crucial element of the risk management process involves measuring the risk appetite. This may be achieved by a number of methods:
- rule of thumb
- organisational key performance indicators and key risk indicators
- credit ratings
- agreement of senior members
- external stakeholder views.
Once this has been achieved, identified risks may be mapped with reference to the determined tolerance level.
Successful analysis of organisational risks requires measurement of those risks. Only with successful assessment of risk may the organisation's capital be efficiently allocated. There are two distinct methods of measurement: qualitative analysis, or quantitative (numerical) review (see Fig 2). Techniques for review include:
- analysis of historic loss data
- Delphi method/expert opinion
- workshop review.
In fact, with prior consideration and specification, operational and strategic workshops may themselves effectively assess the impact and likelihood both for financial and non-financial losses (including loss of reputation). Further, appropriately structured workshops will help to determine risk management effectiveness, and hence identify the existence of any risk management gaps.
Develop and execute action plans
Action plans must be developed to correspond to the organisation's risk, and address those risk management gaps identified. At the very least these plans should include risk ownership details, action by dates and an outline of what action plans are required to control or exploit the risk and in what time-frames.
Risk monitoring and process improvement
With any management process it is essential that a regular audit is carried out to ensure adequacy and tracking of the main key risk indicators (KRIs) and to identify any process improvement potential.
Educating and communicating risk management should ideally be undertaken by the nominated risk champion, who, in addition to acting as advise to a risk committee (ideally chaired by a member of the board), will monitor the process on an on-going basis.
Integrate results with decision-making process
The assessment and monitoring of operational risks are of no value unless the results are integral to the decision-making process of the company. This may involve the adoption of a risk management information system or dashboard to monitor progress and implementation relative to stated KRIs and objectives.
It may be readily observed that the enhanced management information resulting from the BRM process will deliver the significant business benefits set out above. The process allows a better understanding of the operational risks faced and of the organisation's ability to manage them. Therefore for each threat or opportunity, an organisation may determine its optimum strategy, be it to exploit, manage, transfer or avoid.
Demonstrating smart management
Today's senior managers and board members are operating in a high risk and constantly changing environment. They operate where factors such as technology, deregulation, restructuring, tighter statutory controls and stakeholder expectations are uncertain. To exist they must demonstrate smart management, particularly in risk. Currently, most businesses are at the 'analyse risk' stage, though this will of course develop as time progresses.
At its very basic level, BRM needs the formation of a risk register, risk policies, guidelines, proactive lines of communication, line management strategies and procedures. Good risk management should also include a risk committee or dedicated framework with boardroom involvement.
BRM should not be overly expensive or too sophisticated for companies to embed within their framework. Many organisations already have some form of risk assessment and reporting system - after all, business is all about taking risks, with many management processes developing with the business growth. Therefore introduction of a framework may only require refinement of existing policies and procedures. Crucial within this is embedding and educating employees in what the new process involves.
The key to any risk management strategy is to keep it as simple as possible. How often have we lost interest reading and trying to interpret a policy or process? The easier any process is to understand and implement the better, particularly with BRM. BRM must be both used, and fully understood not only from the top down, but also from the bottom up.
Effective risk management is not optional within the 21st century. Stakeholders are demanding it and governance and organisational effectiveness requires it!
- Norman Sinclair is a senior consultant and Man Cheung is a managing consultant within the risk consulting team at Marsh, E-mail: norman.sinclair@marsh.com and man.w.cheung@marsh.com
2005 ERM CONFERENCE
The Conference Board's 2005 enterprise risk management conference held last month in New York looked at how to execute ERM in your company. Topics covered included:
- what does your board of directors need?
- how to articulate and develop risk appetite within your unique culture
- COSO in the real world
- managing and coordinating risk management roles
- from SOX compliance to ERM value
- tools, techniques and approaches for building a sustainable ERM programme
- the value proposition for ERM: a case study
- quantitative measurement of operational and strategic risk: fact or fiction
- integrating ERM into strategy
- integrating ERM with performance management.
The Conference Board is a not-for-profit organisation that creates and disseminates knowledge about management and the marketplace to help businesses strengthen their performance and better serve society. It conducts research, convenes conferences, makes forecasts, assesses trends, publishes information and analysis, and brings executives together to learn from one another.
