Enterprise Risk Management – Great Idea But Too Complicated?

I was listening to this great podcast a while back from Riskologists and they got onto the topic of enterprise risk management and whether they’ve truly seen the perfect finished article. Both the host and the guest jokingly agreed that this is “the dream” and confirmed neither had seen one so far.

So if the best in the business say they haven’t seen it, why has it yet to be achieved?

The modern-day organisation is becoming far more complex (even if yours isn’t already). The standard pillars of the business are always thought to be Sales, Ops, Finance, HR and IT etc. and they still are, but the way in which they exist is changing dramatically, as is the general make-up of the traditional organisation. It’s no wonder enterprise risk management is still an aspiration for many.

Exam Question: How do you capture, analyse, assess and present the risk landscape of a truly dynamic organisation like this? And, is enterprise risk management the answer?

How Has the Organisation Changed?

Once upon a time a company would develop a product or service in-house and focus its operation on just one country. That service would often be supported via a physical process in a physical location with an actual person.

The new “post” pandemic remote offering and hybrid working has accelerated a rapid transformation in the workspace. Organisations that would have been a little later to the party, because of budgets or traditional cultures, are now right up there in full transformation mode. This has radically changed the way we do business and who we do business with. This has seen a major increase in the use of IT vendors offering things like software, cloud hosting etc. As a result, the org set-up and how it operates is becoming unrecognisable.

I blogged and hosted a panel session back in September 2020 with senior resilience professionals from Zoom and IBM. We talked about suppliers changing with everyone now adopting a cloud-first strategy. The bottom line is that most organisations are now partly, or completely, made up of someone else’s data centres and someone else’s applications. Yes, it’s your data and yes, it’s your responsibility but to me it feels like so much has changed. Perhaps not everyone is feeling the pace of change but it is happening. Having helped to onboard a major IT service provider in one bank and then globally managed supplier resilience in another, I can safely say I see the transition in full flow. Businesses aren’t the same as they used to be.

Why Enterprise Risk Management (ERM)?

The case for an organisation to develop an enterprise-wide approach to risk management continues to be a widely discussed topic by many a risk professional and academic. ERM, however, is not new but has been gaining traction in recent years. This has been driven, to a certain extent, by the fact that ERM is becoming something of a business requirement, as evidenced by its inclusion in the ISO 31000 standard. As organisations have begun to recognise the growing prominence of ERM in recent years, researchers and bloggers (such as myself) are beginning to look for case-study examples. However, I can’t find a publicly available finished article.

ERM in theory can consolidate all known global, cross-domain, cross-sector risks into a well-organised system. An organisation might choose to decentralise its risk view to domain-specific areas such as IT risk, fraud risk, project control risk, credit risk etc. However, an ERM framework can organise a collective view in the full context of the organisation. The emergence of ERM allows for the risk-related issues to be aligned into one space using one tool, allowing for enhanced corporate governance.

By bringing together silos of sub-discipline, ERM could potentially provide a thorough understanding of the organisation. This allows leadership to have more of an enhanced and holistic view of the operations internally and externally. This can often present a range of unexpected benefits. The Economist Intelligence Unit back in 2007 presented a useful example, using exchange-rate risk, which demonstrates the advantages of taking a consolidated view of an organisation’s risk exposure through ERM:

“A company with divisions set up as separate profit centres in different geographical locations. Each division uses currency derivatives to hedge its exchange-rate risk. But it may be that exchange rate movements that are damaging to one division are favourable to another. In this case, separate hedging by individual divisions is a wasted expense, and one that could be avoided by adopting a centrally coordinated strategy. Given that such hedges can easily cost 1% of the overall transaction value, there is much to be gained from looking at this kind of activity from an enterprise-wide perspective”

EIU 2007

Surely consolidating your risk view can only benefit the business here? As the above example suggests, even financial benefits can be derived from taking this view. Also, the enhanced perspective on “total risk” for the business will surely empower the leadership to become more aware in the full context of the organisation?

Bringing it all together into a balanced and well-communicated ERM framework is arguably the way forward. No?

#Complicated – Easier Said Than Done?

Before we get ahead of ourselves: for those organisations considering ERM, there still remain a number of challenges to overcome. The above example on exchange risk works both ways. Yes, you can see the benefits of a risk in the wider context but adopting a unified approach that communicates a common and balanced picture is one hell of a complicated task. What about differences in risk appetite born out of jurisdiction, product line, local strategy etc? Different parts of the business will likely assess risks in different contexts. How can we be sure we have a balanced view?

Conceptually speaking, a holistic program makes total sense but I imagine many risk managers will be unsure about how to get started on such a program because managing risk across the entire company is far more complex.

Where’s the Guidance?

An enterprise-wide approach to risk management will often present a range of unique complexities. In order to ensure the successful implementation of ERM, and so to receive the associated benefits, the design of each framework will need to be tailored to the scale and complexity of the organisation. To help achieve this, the Institute of Risk Management provides high-level principles known as PACED for business to first consider:

COSO also do a pretty good model on the complexities involved in this space. There is so much content all over the internet on this so I won’t deep dive.

They basically select interrelated components which are derived from the way in which management run an enterprise and their relationship with the overall business objectives. The relationship is then presented as a matrix, in the form of a cube. There is way more to it though and it might help risk managers to take a look if they are struggling with the complexity element.

Summary

I can totally see the benefit of a holistic view that ERM can bring by breaking down internal silos of risk management activities, removing wasted resource and duplication etc. It could also add greater context to the strategic insight which will ultimately improve decision making. The message is clear on benefits.

However, the complexities and associated challenges with implementing ERM into an organisation and getting it right do put me off a bit. It will need constant balance against bias and anchoring in the boardroom and the ever-present evolution of the business.

Consistency will be one of the greatest challenges!