While the pursuit of risky business worked out just fine for Tom Cruise back in the ’80s metroplex, modern businesses know that the secret to success in today’s marketplace is in effectively managing, mitigating, and eliminating risk. Enterprise Risk Management, or ERM, can not only help your business reduce its risk exposure, but develop improved business strategies for bigger profits, a better reputation, and a more effective enterprise.
Enterprise Risk Management Defined
As the adage goes, forewarned is forearmed, and enterprise risk management is all about identifying, evaluating, and preparing multiple responses to any potential events that may prove dangerous (or even disastrous!) to the company—before they wreak havoc on productivity, reputation, or profits. To perform these functions, risk managers develop enterprise risk frameworks that combine risk assessment with corresponding risk response measures.
ERM frameworks vary in complexity and structure, but all are designed to identify key risks and respond with suitable risk responses. Generally speaking, a risk manager or, more commonly, a risk assessment team, will formalize an ERM workflow that looks something like this:
- Identify key risks.
- Assess risks based on likelihood of occurrence and potential impact.
- Develop a risk response strategy for each risk. Potential responses include, but aren’t limited to:
- Risk acceptance or tolerance
- Risk avoidance or termination
- Risk transfer or sharing (e.g., sharing risk through the use of insurance)
- Risk reduction or mitigation through optimization of internal controls and business processes (e.g., process improvement, automation, etc.)
- Review and implementation of the risk response strategy for each potential risk, as well as designation of an owner for each risk in the ERM workflow.
- Monitor risk mitigation measures for efficacy and efficiency.
- Refine and revise each risk response as required to achieve desired levels of mitigation through self-assessment, internal audits, and implementation of technology tools (e.g., supply chain risk management can be enhanced through the use of automation and artificial intelligence to streamline processes and provide built-in tracking of transactional and vendor performance data).
The optimal solution to the risks facing any given business will vary based on that company’s risk appetite—i.e., the level of risk an organization is willing to accept to achieve strategic goals—and risk culture, or the shared understanding of, knowledge about, and attitudes toward risk within an organization as a whole. The same measures that form an effective risk management process at one company may be viewed as too aggressive (or not aggressive enough) at another.
While it might seem as though the primary benefit of ERM is still largely to be found in controlling negative risks as tightly as possible, it’s the potential positive aspects that hold real promise for the forward-thinking risk manager.
The Value of Effective Enterprise Risk Management
Today’s business world is much more complex, and risky, than ever before. The enterprising ERM team must be prepared to tackle a wide range of areas fraught with potentially dangerous risk exposure, including:
- Production and general operations
- Procurement, supply chain management and vendor relationship management
- Legal, industry, and internal compliance
- Financial compliance
- Human resource management
In earlier centuries, many companies tackled business risks primarily through the use of insurance policies, counting on shared risk to provide reasonable assurance of protection against any potential disasters that might crop up due to natural disasters, litigation, or theft. And while it might seem as though the primary benefit of ERM is still largely to be found in controlling negative risks as tightly as possible, it’s the potential positive aspects that hold real promise for the forward-thinking risk manager.
Instead of viewing ERM solely as a shield against disaster, risk managers have instead shifted their focus to the insights and opportunities created through ERM. The preventative value of effective risk management can be found in:
- Improved decision making and strategic planning
- Reduced asset management costs through more strategic maintenance and replacement planning
- Goodwill and reputation gains from proactively implementing business processes valued by the community where the company does business. Steps such as implementation of improved environmental controls, equality-driven human resource policies, or investment in programs that benefit the public as a whole not only provide goodwill, but insulate the company against reputational damage in the event of future disasters.
- Identification and implementation of essential technology to protect against risk created by new or evolving digital threats to supply chain integrity, financial data, or customer information.
One of the case studies most often cited as illustrating the power of ERM in mitigating damage to both profitability and reputation is the 1982 Tylenol product tampering incident. Johnson & Johnson, the megacorporation who produced (and continues to produce) Tylenol pain reliever suffered significant reputational and financial damage when it was discovered someone had poisoned Tylenol bottles throughout the Chicagoland area, killing several people in the process.
Johnson & Johnson responded with alacrity. All product was removed and replaced in the affected areas. The company was extremely forthright with both the media and the public about its efforts to address the problem, and cooperated fully with investigators in their hunt to end the tampering. They modified their product and packaging to be more tamper resistant, working with the Federal Drug Administration (FDA) to pioneer the anti-tampering packaging ubiquitous throughout the pharmaceutical world today.
The result? A year later, and with an investment of $100 million, Johnson & Johnson share prices had rebounded and the company was lauded as a champion of responsible enterprise for its quick, thorough, and efficacious response.
While the Johnson & Johnson case can be viewed as an ERM initiative based largely in damage control, more recent strategic risk management initiatives by companies such as IKEA are preventative and proactive. The Swedish home goods titan has taken a comprehensive approach to environmental responsibility, from responsibly and renewably sourced cotton used in all its products to the more than 700,000 solar panels that power its stores worldwide. By identifying the reputational and operational risks associated with environmentally exploitative processes and working to replace those processes with environmentally responsible ones, the company has gained both significant social capital with consumers and a strong strategic/financial advantage with regard to government programs and initiatives focused on bringing corporations into line with evolving efforts to combat climate change.
Key Components to Effective ERM
When implementing your own ERM program, remember that every risk management framework begins with asking, and answering, key questions about your company’s risk culture and risk appetite:
- What are the focus and goals of our overall business strategy?
- Which internal and external factors could slow, disrupt, or dismantle the processes necessary to achieving our business goals?
- What processes are in place to identify, address, and eliminate risk exposure from these internal and external challenges?
Armed with the answers to these questions, you can next consider the ERM framework you’ll be building to support the ERM program. Typically, an ERM framework is split into three sections: Risk Governance, Risk Infrastructure/Management, and Risk Ownership.
Risk Governance is led by a board of directors, working with an audit committee to provide corporate governance of the ERM program. Their role is strategic and focused on developing an intelligent, proactive, and comprehensive risk culture within the organization. They confirm risk appetite and have the power to approve and modify ERM program particulars. They also engage with upper management and the C-suite to ensure enterprise-level risks are adequately addressed within the ERM program.
Risk Infrastructure/Management involves:
- Executive management, who define risk appetite, review potential ERM strategies against that appetite, and update all parties on information relevant to risk exposure.
- Enterprise-level risk teams, who identify risk exposure, collect and analyze risk data, and monitor both risk exposure and the risk responses developed to address each risk.
- Internal auditors, who evaluate the completeness, efficacy, and efficiency of the ERM program, its controls, and the risk response measures.
- Risk managers (and risk management teams), who work together to build an organization-wide ERM framework, provide feedback and guidance on policy and procedure, research and implement technological enhancements to support the ERM framework, and coordinate training and support.
Risk Ownership touches all business units and support functions, across the enterprise. Each business unit is tasked with identifying and analyzing relevant risks, responding intelligently according to corporate risk appetite and culture, and monitoring unit-specific risks and reporting as necessary to the enterprise-level risk teams. Support functions assist those same enterprise-level risk teams with assistance in training, education, and hardware/software tools.
Technology such as artificial intelligence, deep analytics, and process automation can provide invaluable assistance at all levels of the ERM process, through enhanced data management, real-time insights gleaned from comprehensive collection of process and transactional data, and advanced analysis used to identify and mitigate potential disasters long before they occur. For example, cloud-based, automation-driven purchasing software provides improved risk management through elimination of rogue spend, invoice fraud, and process errors/inefficiencies inherent to manual procure-to-pay workflows.
Finally, it’s important to keep a few central principles and best practices in mind while developing your ERM program, including:
- ERM is strategic, goal-oriented, and comprehensive. It should always involve consideration and analysis of not just specific risks, but risk exposure created by the interaction of those risks.
- ERM is a process, not a project, and can always benefit from refinement through continuous improvement.
- Full support from board members, the C-suite, and upper management is essential to developing an accurate and intelligent risk culture.
- Enterprise-wide engagement, at all levels, is critical. ERM should be “baked into” the business of doing business, and considered a key part of everyone’s
- Start small, leverage the skills, knowledge, and resources available at each level, and build toward an ERM program that fully encompasses your organization.
Strategic Success Begins with Effective Risk Management
Acceptable risk is different for every company, but that doesn’t mean you have to accept risk as inevitable. Understanding which risks hold the most danger, and which hold the most opportunity, is a powerful tool in today’s fast-paced and strategy-driven market. Building an intelligent ERM framework and program can help your company take control of its risk exposure, and develop processes and controls to keep your business proactive and productive by transforming every potential risk into a positive and profitable reward.