Enterprise risk management – Science fiction or reality?
Enterprise risk management (ERM) is the Holy Grail in many organisations. Recent events have made ERM even more desirable in some businesses but is this achievable in reality or just science fiction? What is Enterprise Risk Management?Enterprise Risk Management (ERM) is a process by which the total risk to the business is identified, prioritised and managed appropriately. Part of ERM normally involves attempting to quantify the total risk to the business – and this is where the fiction starts!
What are the benefits of applying ERM?
The key benefits that should be realised from applying effective ERM are improving both short term and long term business profitability and performance by:
- Avoiding costly mistakes – by capturing and managing risks to key projects and operational processes
- Validating strategy – by checking that all key stakeholders are “on the same page” with strategic priorities
- Improved operational effectiveness – through the adoption of a systematic and structured approach
- Building relationships – by increasing confidence of stakeholders/clients
- Preserving reputation – by avoiding corporate disasters and associated publicity
- Anticipating market trends – by ensuring that key market assumptions remain valid
What are the challenges?
If I were asked how many times I have seen a truly enterprise-wide risk management process I would have to answer: about as many times as I have seen Klingons at Waterloo station! In other words, very few organisations have implemented ERM effectively – why is this?
- Quantification is difficult/impossible – some risks (e.g. financial, contractual) are easy to quantify whilst others are virtually impossible (e.g. quality, reputational). Therefore when organisations attempt to quantify the total risk to the business they tend mix “good quality” data with “poor quality” data and therefore dilute the value of the conclusions.
- Prioritising enterprise risks is difficult – when it comes to comparing different risks from different parts of the organisation, it can be like “comparing apples with oranges”. This is often because objectives are not clear or prioritised across the enterprise.
- Risk processes are not consistent across teams – leading to differing focus, analysis, prioritisation and management approaches. Again this makes it impossible to build a consistent picture of risks across the enterprise.
- Risk tools are not supported by effective process – very often, software tools are the first attempt by an organisation to provide some consistency. If these are not backed up by an effective risk process, the effect can be one of “GIGO: Garbage In – Garbage Out” as poor quality data is captured, analysed and then presented as a “high quality” result.
At the highest level the problem is that businesses fails to define their ERM strategy. They fail to agree what they are trying to measure and fail to recognise the difficulties they will face in building an ERM process. The most common trap, which is particularly common in financial institutions, is to integrate the various financial risk management measures (e.g. Credit Risk, Market Risk etc) and to call this “ERM”. Then when a large change programme in the company goes wrong, it happens off their ERM radar and has a massive impact on the business.
It will never be possible to achieve high quality quantification across all types of business risk. However, where it is necessary to calculate total risk exposure, a simple model that will allow quantified risks to be combined is shown here.
Risks that can be readily quantified include all types of financial risks. Even in these areas of risk, there can be enormous uncertainty surrounding the quality of the data. Calculating risks around projects and operations is much more difficult. Techniques such as Quality Based Costing will need to be used to model the uncertainty appropriately; otherwise the numbers will be totally guess work. However, you don’t need to quantify risk in order to manage it – but you do need to measure risks in order to prioritise appropriately and this can be done qualitatively.
A tried and tested model for identifying, analysing, prioritising and combining enterprise risks is shown here. This is a simplification of the Quantified ERM framework with the financial risk element removed. This is not to suggest that financial risk should be ignored – far from it – but it is meant to imply that that financial risks should continue to be identified, quantified and managed using established processes and tools. All other risks should be evaluated qualitatively and only quantified on an exception basis i.e. where this can be justified by the quality of the available data and there is a clear need to have a quantified result.
The elements of the Qualitative ERM model are:
Strategic Risk Management – There is no point delivering products and projects on time and budget if the market no longer wants them! Thus it is imperative to identify strategic assumptions and risks as the highest priority. The prerequisite of identifying strategic risk is that the strategy of the business is captured and communicated around all senior stakeholders. Strategic risks will by definition have massive potential impacts.
Operational Risk Management – These are the risks to the ongoing processes in the business (e.g. the risk that a production line will stop). Often operational risks are relatively easy to identify as the processes are well established and staffed by experienced personnel. Many organisations include their projects under “Operational risk” but this is often not a good idea……………..
Programme/Project Risk Management – These are the risks that a programme or project will fail to deliver (e.g. a new product/over budget/late etc). Project risks are more difficult to identify than operational risks as projects are, by definition, trying to introduce something new to the organisation. Risks within major change programmes are the most difficult of all to identify/prioritise/manage due to the programme complexity which makes it difficult to “see the wood from the trees”. These risks are often massive if they relate to a critical change programme for example.
Transformation Risk Management – Projects and programmes that result in significant change (such as new product development, mergers and acquisitions) will “transform” the current business. This is often when the business is exposed to most risk as the pressures increase the risk to both the current operations and the projects trying to transform them. For process purposes, Transformation Risk is often treated as part of the Programme/Project Risk
Contingency Planning – Strictly speaking, this is not “risk management” i.e. risk management is about stopping risks occurring (i.e. pro-active) whereas contingency planning relates to what to do if the risk impacts (i.e. re-active). However, this is an essential part of any ERM system as business continuity is paramount for any organisation.
ERM in practice
The key to successful ERM is to clearly define the scope of your “enterprise” and be prepared to accept that you will not be able to quantitatively measure all aspects of business risk accurately – recognise and discriminate between good quality estimates and guesswork. Set up a consistent qualitative rating system so that you can compare “apples with apples” and therefore prioritise risks consistently across the organisation.
And having done all that you can beam me up Scotty!