Grabbing the Tiger by the Tail-Taking Charge of Enterprise Risks

Implementation of an effective ERM framework will ensure that each key risk is appropriately assessed and documented. The outcomes of the risk assessments can, in turn, form the basis of Business Continuity Planning (BCP). This will build organisational resilience and assists avoid reputational damage for failing to identify and mitigate known business risks.

Many regulated businesses – such as those in the banking, transport, and infrastructure and energy industries-are required to have clearly documented ERM and BCP processes in place. In addition, audit firms are increasing looking at risk management frameworks and controls as part of their ongoing audit processes.

There is sound business reason to have documented ERM and BCP processes in place even if not formally required however. A deep understanding of the risk profile of all aspects of an organisation can assist and identify material risk issues or gaps that can adversely impact on its financial performance, regulatory compliance, customer experience, and reputation. This will in the long run improve financial performance. In addition, confidence in the overall resilience of an organisation can often lead to a superior value being assigned to that organisation by equity investors.

Challenges will exist in being able to accurately assess the likelihood and impact in many risk categories. Cyber security is a good example of this and perhaps the most topical risk category in recent times. How do you assess the likelihood of a cyber event taking place, what type of cyber issue will you have and what will be its impact? It is true that it is difficult to answer these questions definitively. Using the ERM approach, the first steps of understanding an organisation’s cyber risk profile will be a series of workshops to develop a baseline assessment (using external expertise if necessary). This will in turn guide the organisation’s assessment of the likelihood of cyber risk events occurring.

Similarly, business operating models that involve the use of third parties for specific parts of the value chain should follow the ERM approach to understand the business risks of these arrangements. Often risk assessments have either never been done or only done as part of an initial due diligence or approval process for an outsourcing or supply arrangement. What happens if a key supplier or outsourcing business part has a business disruption, elects not to renew a contract or ceases operations due to financial difficulty? Supplier or third party outsourcing contracts usually enable periodic reviews to be undertaken of the contracted party and its performance. These provisions provide an opportunity to gain a deeper understanding of the risk profile of outsourced activity and the contracted third party. This is particularly common in IT and business process outsourcing. Cloud computing arrangements should also be assessed in the same manner.

The frequency of risk reviews and management reporting of the overall risk profile will vary from organisation to organisation. The most effective ERM frameworks will require ongoing monitoring of risks–with the onus on risk owners (the role or function within an organisation that owns a particular risk)–to document and promptly report any material change in a risk category. Periodic management reporting of risk profiles can be monthly, quarterly or half yearly depending on the size, complexity and maturity of an organisation. A comprehensive, pan-organisational review of all risks should be undertaken at least annually.

More mature and sophisticated ERM frameworks will see the assessment of strategic business risks incorporated into the ERM process. This will look at the potential impact of medium to longer term trends on an organisation’s overall business profile. These can include demographic, technology, competition, social, and other changes that may pose a longer term threat to the sustainability and financial performance of the organisation. This is very much a top down exercise that is usually undertaken as part of the strategic planning process.