Enterprise Risk Management (ERM) is increasingly important for organisations of all sizes. We live in an age of change, ambiguity and uncertainty which requires that more than ever, risks to the achievement of objectives must be forefront in the minds of everyone, from the boardroom to frontline staff.
ERM enables an organisation to consider the potential impact of all types of risks in relation to strategy, processes, people, systems, activities, stakeholders, products and services.
Implementing a comprehensive approach to ERM will result in an organisation reducing the downside of risk and benefiting from the ‘upside of risk’.
Why ERM is not properly understood
ERM in reality encompasses many categories of risk, many of which have specific legal or regulatory requirements that must be applied.
A board, for example, can misunderstand the risks associated with an investment opportunity, resulting in a financial loss of millions of dollars. Provided they acted in good faith and within the law, the worst that might happen is reputational damage and possibly losing their positions.
At the other end of the spectrum is a fatality in the workplace or significant damage to the environment. If the board cannot prove they have applied the specific requirements applicable to the management of safety and environmental risk, they could face court and a prison term.
While in certain circumstances it is a good strategy to accept risk as part of a risk and reward proposition, in other circumstances adopting that approach would draw serious attention from regulators.
Strategies to transfer risk are also available from time to time, but at other times, no matter how much you would like to transfer risk, laws, regulations and contracts specifically prevent any risk transfer.
This is why we say that a proper understanding of ERM is required to ensure that not only do you manage and control risk within your organisation's risk appetite and tolerances, but that you also meet your legal and regulatory obligations and have a defensible position in the event that particular risk events occur.
What questions should be asked?
Accountable people in organisations including directors, executives, general managers and those in specific roles should be asking themselves:
- Are we engaging in ERM or just risk management?
- Are we applying the right approach to the right categories of risk?
- What role is ethics playing in our risk management approach?
- How embedded is risk in our organisational culture and decision making?
- Am I confident that my organisation has met its obligations across all categories of risk?
ERM done well – driving value in every business
The outputs from successful risk management include compliance, assurance and enhanced decision-making. These outputs will provide benefits by way of improvements in operational efficiency and effectiveness, change management, business resilience and the strategy of the organisation.
Only through assured risk management can organisations take advantage of the risk/reward proposition.
A properly implemented ‘Three Lines of Defence’ approach is key to embedding risk management into the psyche of an organisation.
i3 Australia is continually looking to challenge conventional thinking about risk management.
Risks can only be successfully dialled up to achieve higher returns if an organisation’s risk management is mature and embedded at every level of the business.
"You don't have to believe in coincidences because they happen every day. The trick is to be able to discern when something is more than coincidence."