Taking it to Another Level – Why Enterprise Risk Management is not about Risk Management
In many companies, RM comes about following an incident or event which disrupts…
At first glance, Enterprise Risk Management (ERM) is just Risk Management (RM) with an ”E” but there is so much more to ERM than just managing the risks which beset any organisation. RM is good but it tends to be localised, and concentrates on losses, the costs that are incurred and the hazards to the business posed by “risks”. ERM, on the other hand, takes a macro perspective of risk as it pertains to the organisation, and posits that not all risks are bad. There are also “good” ones that may benefit the organisation – provided they are appropriately managed – and even makes taking chances worthwhile.
In many companies, RM comes about following an incident or event which disrupts the business and causes a financial loss. The firm then institutes RM measures so that if the incident or something similar recurs, staff will know how to act and losses may be minimised. In this sense, RM is reactive. ERM, on the other hand, is proactive; it searches for risks, weaknesses, issues, challenges and problems that the organisation may face, through the institution of frameworks and systems throughout the entire enterprise and decision-making process. RM is not as extensive, and in most cases, is confined to the business unit or department that is directly affected by the perceived risk.
Of course, this makes ERM infinitely more complicated. RM is just one part of ERM; ERM extends beyond merely responding to risks and the threats that arise therefrom. When an organisation implements ERM, it is implementing a complete management tool that body-checks the enterprise for fitness of purpose, so to speak, from its strategy to operationalisation and beyond. Not only does it identify risks, it deciphers how and why certain incidents could happen, and puts checks and balances in place that will kick in to mitigate these if it appears that there is a chance of such an occurence. It also attempts to figure out when such incidents could take place by analysing data and identifying trends.
What this does is place the organisation in a state of preparedness so that no time is lost in scrambling for solutions when problems occur. Incidents and risks often have far-reaching impacts, and their repercussions may be felt for a considerable time. Companies have to determine how long they can tolerate this sort of situation before it starts to take a toll on their business. While all this is being determined, the processes and systems that are put in place as part of ERM will start identifying areas vulnerable to risk, and the company can then decide what courses of action to take. The firm deepens its understanding of itself and can then manage its resources better.
While RM is definitely a good thing to have, ERM is a proactive performance and strategic management tool that helps the organisation make informed, well thought out decisions that go a long way to supporting organisational strategy and planning in the long run. Regardless of size, every organisation has to take risks in the course of doing business, and confront risks that challenge it. ERM takes a holistic approach that considers all risks faced by the business and analyses them for trends or connections, to work out how best to manage them in line with the stated objectives and strategies of the organisation. It identifies areas where the business is vulnerable, and brings these to the attention of the Board and management.
ERM is a bit of a conundrum in that it is and simultaneously is not about risk management. While it does help to manage risk, it does so as just one element amid a myriad of others that all affect the performance and success of the business. RM is good, and does protect the business – but it is limited in its scope. ERM, however, takes protection to the next level, creating value and working out how to keep the business running while mitigating threats and ensuring the organisation stays true to its objectives.