
Business World Complexity Requires Sophisticated Enterprise Risk Management: So How Do You Get There?

Emma Marcandalli, Managing Director Risk and Compliance, Protiviti - Italy

In my previous post, I discussed how companies can leverage enterprise risk management (ERM) for strategic planning and risk-informed decision making. I want to continue this discussion here with focus on the ERM journey and its various stages of maturity.

ERM as a journey

Though the metaphor is a bit worn, I will nevertheless apply it here. Based on our experience, we know that ERM programs and related expectations are unique to each company and influenced by organizational culture, strategy and business goals, none of which are static in the ever-changing environment in which most companies operate. That’s why we describe ERM as a journey rather than a state: it is always evolving and is never a simple straight line from point A to point B. Some organizations are just beginning to map their ERM journey; others are in the middle of their unique trip and perhaps stuck there; and some are well along in their ERM practices and equipped with the tools and experience to keep going.

Stages of ERM maturity

For a company just starting with ERM, prioritizing enterprise risks is the very first step. It helps companies understand what their key risks are, how they know them and how they manage them.

Focusing on the risks that are relevant for the entity’s viability and the execution of strategies and operations – the so-called top risks – an organization must next work on enhancing the maturity of its existing top-risk measurement, monitoring, reporting and governance systems. For instance, an organization that considers counterparties, commodity prices, business continuity risks, etc., as critical for its performance may need to develop measurement models and capture data in order to better understand and monitor the related risk exposures, as well as select the most appropriate risk response. Focusing on what really matters from a performance standpoint begins to elevate ERM to a strategic level – which is where it should be. Even though risk management is useful when applied at the operating level, that alone does not constitute ERM.

A company would want to further add value by integrating ERM with the process of setting strategy and business objectives. I discussed this in my earlier post when I talked about leveraging ERM as a tool for strategic planning.

At a certain point during the journey, an organization must define the desired behaviors that characterize its core values and attitudes towards risk and must ensure that such behaviors are disseminated across the entire organization. Establishing a risk culture that is embraced by all personnel is critical for the success of an ERM program. The culture, in fact, is a fundamental pillar to ensure that opportunities are seized and risks are minimized at all levels of the organization, thus increasing the probability of executing strategy and achieving desired business objectives successfully.

Is ERM for everybody?

This is a question I face often, and my answer is, yes, ERM is relevant for any organization, regardless of its size or the markets and business sectors in which it operates. However, there are some indicators that suggest ERM could be urgent, such as:

  • The company is acting in unstable, volatile or regulated markets
  • The company has recently faced business issues due to unpredicted events
  • The company is undergoing a significant transformation
  • The company is subject to corporate governance regulations or exchange listing standards

In addition, some industries are particularly sensitive to certain risks and, therefore, effective risk management practices are a must. This includes companies in industries that typically require large investments, such as oil and gas, utilities, infrastructure and technology. It also includes those entities largely exposed to public scrutiny, for which reputation is a fundamental asset beyond financial results (e.g., consumer goods, healthcare, banks and education, to name a few).

What is the call-to-action for companies at different points in their ERM journey?

For those companies that have not yet started the journey, my suggestion is to think about the following questions:

  • Do we know our key value drivers, and do we know what risks can impact them? In other words, do we have a shared vision of what can really affect our capability to achieve business objectives?
  • Do we know how we are managing critical risks and whether existing risk responses are adequate to reduce exposure to an acceptable level?

Companies that have already started or implemented a periodic enterprise risk mapping but have stalled at that point should ask themselves:

  • Is our risk mapping process helping us identify risks on a timely basis?
  • Are we able to quantify risks and provide relevant analysis to senior management so that risk responses are prioritized?
  • Do we consider risks and opportunities when setting strategy and business objectives and do we submit them to the Board for consideration?
  • Do we know what type of risks and how much risk we can take in pursuing our business objectives? Most importantly, do we have the right indicators in place to monitor the risks taken against the entity’s risk appetite?

Finally, companies that are already mature in their ERM should ask themselves:

  • Are we truly considering risk and return in our decision-making process?
  • Are we able to recognize the signs of disruptive change and are we agile or resilient enough to adapt and be prepared for the unexpected?
  • Does our organization have a risk culture that is embraced by all key personnel, at all levels of the organization?

In closing, companies can no longer wait to self-examine the maturity of their approach to risk and risk management. The business world has grown in complexity, and organizations would be wise to review their governance and risk management systems to make sure they match, meaning the capabilities in place are sufficiently robust in view of the current and expected business environment. Viewing ERM as a journey helps entities to identify their current state and envision their next steps as the environment changes. As long as the goal is clear, advancing toward it should be considered progress. Likewise, as long as the environment changes, the journey never ends.
