Risk Management is simply the process of identification, measurement and treatment of risks to avoid or minimize negative impact. This is the most commonly understood definition of risk management, and encompasses specifically hazard losses such as injuries, property damage, lawsuits and other related exposures that are typically covered by insurance.
From a functional perspective, traditional risk management focuses on safety programs, catastrophic environmental hazards, and priorities addressing environmental compliance relevant to the organization’s industry. A risk function may also incorporate management of the casualty insurance program in cooperation with the finance department (always best given the direct correlation of premiums to exposures such as injury costs, revenue, property values and payroll).
It is important to note, however, that even though they are not labeled as such, risk management activities are going on all over the company: contract review and administration, liquidity and credit balancing, asset maintenance and upgrade, due diligence for mergers and acquisitions, business case development for new product or service lines, board reviews, marketing and social media campaign reviews, and the list goes on.
The primary point here is that no organization is devoid of risk management; it is simply (if typical) carried out in functional silos and at varying levels of formality throughout the organization. The challenge is determining whether these disjointed processes are really capturing, measuring and reporting risk in a way that lets key decision-makers respond to it appropriately and in a timely manner. The answer is different for every organization.
History of ERM
Beginning in the late 1990s, the concept of Enterprise Risk Management (ERM) started becoming part of the corporate vernacular in the wake of breathtaking mismanagement scandals that took down the likes of Enron, WorldCom and LTCM.
Driven by shareholder demand for increased transparency and reporting, regulatory bodies responded with standards that required new expansive, documented governance processes including the Sarbanes-Oxley Act, New York Stock Exchange Rules, and Standard & Poor’s Debt Rating revisions. Concurrently, the International Standards Organization (ISO), Committee of Sponsoring Organizations (COSO), and Risk & Insurance Management Society (RIMS) took the lead in putting pen to paper to begin formalizing a standardized, repeatable framework for risk identification and treatment with the intention of driving risk competencies to a more strategic level to improve decision making in the C-Suite.
With an integrated risk/strategy program in mind, ERM is defined as a strategic business discipline that allows an organization to manage risks and seize opportunities related to the achievement of its objectives. An ERM framework creates the foundation for risk and opportunity to be identified, analyzed and managed within an interrelated risk portfolio. In short, it puts consideration of risk (both positive and negative) front and center in every key decision-making process within the organization.
Now, while regulation forced these new changes on publicly traded companies, financial institutions, and others of similar ilk, there are many more companies and organizations that were not caught up in that net. Thus, the best practice frameworks created by RIMS, ISO and COSO were intended to support regulation for those who needed it, but also be applicable on a much broader basis.
Best practice frameworks are intended to be guidelines, not absolutes, thus the conundrum faced when determining best fit for an organization. Even so, I would proffer that ERM represents best practice management competency for any organization, regardless of industry, sector or size.
So, if my prior statement is correct (and it is!), then why is ERM such an elusive goal?
Why do we see implementation primarily within organizations where regulation absolutely requires it?
There are many reasons, but the following usually hit the top of the charts.
ERM Programs are Complicated and Expensive
Possibly... but they don’t have to be. Overbuilding an ERM program (or building it too quickly) is not only a waste of resources, but it will very likely fail because it cannot be easily followed or managed. And, when people become frustrated with a process, they will either find an end-around or it will be abandoned altogether. Intentionally defining purpose, objectives and key performance indicators is the only way to track both Return on Investment and Return on Value for a maturing ERM program.
ERM Programs Slow Down the Business
This is sadly true in many cases – refer to issue number one above. Because identification and measurement of risk lends itself so easily to deep analytics, it is easy to build complex matrices and risk registers, madly compiling data until all have forgotten why it's being done in the first place. A properly constructed ERM program integrates with other existing programs, practices and procedures, leveraging, enhancing and ultimately improving an organization’s internal mechanisms over time, resulting in more effective and efficient management systems.
ERM is Only For “The Big Guys”
Nope, but good try. The “big guys” got big because they understood how to capture and utilize risk information to formulate and drive strategy. The ones that have been around for a while understood also that a successful organization requires identification of emerging risk and opportunities, nimble operations, and internal resiliency. Regardless of size, industry or even profit/non-profit sector, sound management practice requires that the right people have the right information at the right time to make the best possible decision. This is the essence of ERM discipline! And while there are specific characteristics that are common to all ERM programs, the size, shape, color and personality of any one program is not fixed and should not be presumed.
So, let’s recap. ERM is a strategic business discipline that allows an organization to manage risks and seize opportunities related to the achievement of its objectives. To accomplish this, standardized, repeatable processes must exist to allow relevant information to flow up and across the organization in a timely manner.
Just like its strategy, ERM is unique to every entity and must be designed using best practice (and sometimes a variety of them) to fit the distinctive organizational personality. Program elements must fit well and complement existing processes, procedures and management structure.
Finally, the outputs of ERM must be designed from the ground up and into strategy development, with program accountability based on key performance indicators relevant to the operation of the organization. Now that we’ve defined the big picture, let’s drop back down to the fifty-foot level and talk about the foundational elements of a risk management program.