Distinguishing Between ERM and ORM Approaches
Tackling the common misconceptions of ERM and ORM…
On May 4, over 20 professionals from across industries attended a Tea Talk session at the IERP® International Secretariat. Our keynote speaker for this session was Mr. Ramesh Pillai, Chairman of the Board of Governors of the IERP® and Group Managing Director of Friday Concepts, an ERM, GRC, and BCM boutique consultancy. Speaking on distinguishing between Enterprise Risk Management (ERM) and Operational Risk Management (ORM) approaches, he aimed to dispel common misconceptions of the two related but different approaches.
He noted that more attention has been placed on Operational Risk as of late as a result of geopolitical volatility and technological disruptions. The possible escalation of conflict and the deterioration of interstate ties, for example, are genuine concerns that would have far-reaching effects across the interconnected global economy. With a large range of risk factors to consider, an organization can face up to thousands of risks at a time, most of which are constantly changing and need to be re-evaluated as such. In such an environment, it is essential that risk management moves from a siloed approach towards a more integrated and dynamic one.
ERM as a Strategic Management Tool
Though ORM is practiced enterprise-wide, its practice and implementation is limited to Operational risk matters and issues – with little or no direct linkage to an organisation’s strategy – and with an emphasis on controls and eliminating risk. Conversely, Pillai emphasised that ERM is a strategic management tool that needs to be applied enterprise-wide while also creating connections between all stakeholders.
Thus, the ERM framework doesn’t start with controls; it starts with the vision, mission, strategies and goals of an organisation. At the same time, however, there is often a disconnect between vision/ mission and strategy/ risk management. This is a missed opportunity as a clearly-articulated vision or mission, along with strategic objectives that line up with it, can be a useful starting point to ensure that top management down to daily operations are on the same page and will be better placed to manipulate risk and, hence, returns.
Value Creation vs. Value Preservation
From Pillai’s perspective, the aim of risk management should be to create value in line with those objectives, using a proactive approach to find new streams of revenue via opportunistic risk, in turn ensuring business sustainability; that is the basis of the ERM framework.
In essence, whilst ERM is proactive, ORM is protective. While ERM seeks to optimise risk, ORM seeks to eliminate or minimise risk. In ERM, it can be a reasonable step to attempt to increase risk, so that there will be higher return; in ORM, there is no such thing as a return on risk. ORM, as an essential but limited framework, should be integrated as part of an overall ERM strategy.
Other Key Takeaways: Fraud Management and Cyber-security
During Q&A, participants were particularly engaged with the topic of fraud management, a key function of ORM. Pillai drew on his past experience to point out that while whistle blowing is the best method for detecting fraud, there must be the appropriate culture in place that allows employees to report on wrongdoing without fear of repercussions on their personal or professional life. This is not the case, for example, if organisations lack the policies or processes to ensure anonymity in reporting or provide certain protections. Overall, a culture rooted in integrity will also be conducive to efficient risk management.
Another key discussion point was on cyber-security. Pillai stressed that cyber-security is the top risk for the current business landscape. Rapid advances in technology allow for ever-greater risks related to cyber-attacks and data-theft, and implementing cyber-defenses and performing scenario tests are now a necessity to anticipate and mitigate potential disasters.
In this age of uncertainty and constant innovation, the proactive and offensive nature of the ERM approach is well-suited for organisations seeking to thrive, not just survive. As Pillai put it, “You should disrupt yourself before a competitor or the economy disrupts you.”