What is Enterprise Risk Management?
Enterprise risk management (ERM) is the means by which overall risk to an enterprise or business is identified, prioritised and managed.
Enterprise risk management will usually encompass:
Financial risk management – this usually describes risks across an organisation which are readily quantifiable, e.g. credit risk, interest rate risk, market risk. Financial risk management is normally undertaken by most major companies and/or financial institutions as a matter of course.
Strategic risk management – There is no point delivering products or projects on time and in budget if the market no longer wants them. This means that it is imperative to identify strategic risks and assumptions as the highest priority.
Before you can identify strategic risks, it is imperative that the strategy of the business is captured and communicated to all key stakeholders.
Programme risk management These are the risks that a programme of change will fail deliver in some shape or form. For example, a project may be behind schedule or drastically over budget. Project risks are harder to identify than operational risks as, by definition, they are trying to change the business.
Operational risk management These are the risks to ongoing business processes within an organisation (for example a risk that could lead to a production line failing). Operational risks are often relatively easy to identify, as processes are generally well-established and staffed by experienced personnel who fully understand the processes and the risks.
What are the benefits of Enterprise Risk Management?
Applying ERM can improve both short term and long term profitability and performance in any of the following ways:
- Avoiding costly mistakes by capturing and managing risks in key projects and operational processes.
- Validating strategy by checking that all key stakeholders are on the same page with strategic priorities.
- Improved operational effectiveness through the adoption of a systematic and structured approach.
- Building relationships by increasing confidence of key stakeholders and clients.
- Preserving business reputation and public image by avoiding potential corporate disasters and their associated publicity.
- Anticipating market trends by ensuring that key market assumptions remain valid.
What are the challenges of Enterprise Risk Management?
There are a number of obstacles which can prevent an ERM strategy from becoming an achievable goal. These can include:
Quantification of some risks can be difficult or, in some cases, virtually impossible. For example, whilst it may be easy to quantify risks surrounding financial or contractual matters, it becomes harder to quantify reputational or publicity related risks. This means that, when trying to quantify total risk to a business, poor quality data is mixed with good quality data; the value of the results may be diluted and the wrong conclusions drawn.
Prioritising enterprise risks can become difficult when comparing risks from different parts of the organisation. This is because the understanding of the strategic objectives is not clear or prioritised across the business.
Processes are not consistent across teams leading to different focus, analysis, prioritisation and management/mitigation approaches.
Over reliance on risk tools
Organisations can rely too heavily on risk tools without backing them up with effective processes. Software tools are often the first attempt by an organisation to provide consistency in ERM. However, if these are not backed up by an effective risk process, this can result in a Garbage In-Garbage Out (GIGO) effect; i.e. poor quality data is mistaken for high quality results.
Our processes and techniques
The ABCD risk management process can be used for all elements of ERM; i.e. all risk assessment is based on capturing and analysing key assumptions.
The ABCD Strategic Target Analysis technique can be used to make quantitative analysis as accurate as possible ie by weighting “good quality” data more than “poor quality” data.
The Assure web-based toolset is the most effective way of embedding the ERM process into the business. Assure is the only toolset commercially available that has built-in prioritisation and escalation rules that ensure true enterprise risk management.
Why the De-RISK approach works
It will never be possible to achieve high quality quantification across all types of business risk, as indicated in the diagram above. However, De-RISK has developed a simplified ERM model that ‘de-emphasises’ financial risk, whilst also emphasising areas of risk not normally considered.
In all areas of risk, there can be enormous uncertainty surrounding the data. However, it is important to remember that you don’t always need to quantify risk in order to manage it – but you do need to measure risks in relation to one another in order to appropriately prioritise, and this can be done qualitatively.
Essentially, our De-RISK ERM model is a simplification of the total ERM framework, with the financial element removed.
This is not to suggest that financial risk should be ignored – far from it -but it is meant to imply that that financial risks should continue to be identified, quantified and managed (separately) using established processes and tools.
All other risks should be evaluated qualitatively and only quantified where this can be justified by the quality of the available data and there is a clear need to have a quantified result.
The De-RISK approach to ERM emphasises two ‘new’ areas:
Transformation risk management
Projects and programmes which result in significant change (such as new product development, mergers and acquisitions) will transform the current business. This is often when the business is exposed to the most risk, as the pressures of change increase the risk to both existing operations, and the projects designed to transform them.
Whilst contingency planning is not strictly “risk management” (contingency planning is reactive, where risk management is pro-active), it is still an essential part of any ERM system, as business continuity is paramount for any organisation.