De-Risk Enterprise Risk Management - managing the total risk to your business

What is Enterprise Risk Management?

Enterprise Risk Management (ERM) is a process by which the total risk to the business is identified, prioritised and managed appropriately. Part of this activity may involve attempting to quantify the total risk to the business.

What are the benefits of applying ERM?

The key benefits that should be realised from applying effective ERM are improving both short term and long term profitability and performance by:

  • Avoiding costly mistakes – by capturing and managing risks to key projects and operational processes
  • Validating strategy – by checking that all key stakeholders are “on the same page” with strategic priorities
  • Improved operational effectiveness – through the adoption of a systematic and structured approach
  • Building relationships – by increasing confidence of stakeholders/clients
  • Preserving reputation – by avoiding corporate disasters and associated publicity
  • Anticipating market trends – by ensuring that key market assumptions remain valid

What are the challenges?

Few organisations have implemented ERM effectively – why is this?

  • Quantification is difficult/impossible – some risks (eg financial, contractual) are easy to quantify whilst others are virtually impossible (eg quality, reputational). Therefore when organisations attempt to quantify the total risk to the business they tend to mix “good quality” data with “poor quality” data and therefore dilute the value of the conclusions.
  • Prioritising enterprise risks is difficult – when it comes to comparing risks from different parts of the organisation, it can be like “comparing apples with oranges”. This is because objectives are often not clear or prioritised across the enterprise.
  • Risk processes are not consistent across teams – leading to differing focus, analysis, prioritisation and management approaches. Again this makes it impossible to build a consistent picture of risks across the enterprise.
  • Risk tools are not supported by effective process – very often, software tools are the first attempt by an organisation to provide some consistency. If these are not backed up by an effective risk process, the effect can be one of “GIGO - Garbage in – Garbage out” as poor quality data is captured, analysed and then held up as a “high quality” result.

Quantified ERM

It will never be possible to achieve high quality quantification across all types of business risk. However, where it is necessary to calculate total risk exposure, a simple model that will allow quantified risks to be combined is shown below.

Risks that can be readily quantified include all types of financial risks eg credit risk, interest rate risk, market risk etc. Indeed, this is the extent of “enterprise” risk management for many organisations. Even in these areas of risk, there can be enormous uncertainty surrounding the data. However, it is important to remember that you don’t need to quantify risk in order to manage it - but you do need to measure risks in order to prioritise appropriately and this can be done qualitatively.

ERM – the Qualitative Model

A tried and tested model for identifying, analysing, prioritising and combining enterprise risks is shown below. This is a simplification of the Total RM framework with the financial risk element removed. This is not to suggest that financial risk should be ignored – far from it – but it is meant to imply that financial risks should continue to be identified, quantified and managed using established processes and tools. All other risks should be evaluated qualitatively and only quantified on an exception basis i.e. where this can be justified by the quality of the available data and there is a clear need to have a quantified result.

The elements of the ERM model are:

Strategic Risk Management – There is no point delivering products and projects on time and budget if the market no longer wants them! Thus it is imperative to identify strategic assumptions and risks as the highest priority. The prerequisite of identifying strategic risk is that the strategy of the business is captured and communicated around all senior stakeholders.

Operational Risk Management – These are the risks to the ongoing processes in the business (eg the risk that a production line will stop). Often operational risks are relatively easy to identify as the processes are well established and staffed by experienced personnel. Many organisations include their projects under “Operational risk” but this is often not a good idea.

Programme/Project Risk Management – These are the risks that a project will fail to deliver (eg a new product/over budget/late etc). Project risks are more difficult to identify than operational risks as projects are, by definition, trying to introduce something new to the organisation. Risks within major change programmes are the most difficult of all to identify/prioritise/manage due to the programme complexity which makes it difficult to “see the wood for the trees”.

Transformation Risk Management – Projects and programmes that result in significant change (such as new product development, mergers and acquisitions) will “transform” the current business. This is often when the business is exposed to most risk as the pressures increase the risk to both the current operations and the projects trying to transform them. For organisational purposes, Transformation Risk is often treated as part of the Programme/Project Risk.

Contingency Planning – Strictly speaking, this is not “risk management” ie risk management is about stopping risks occurring (ie pro-active) whereas contingency planning relates to what to do if the risk impacts (ie re-active). However, this is an essential part of any ERM system as business continuity is paramount for any organisation.

The ABCD risk management process can be used for all elements of the ERM process ie all risk assessment is based on capturing and analysing key assumptions.

The ABCD Quality Based Costing technique can be used to make quantitative analysis as accurate as possible ie by weighting “good quality” data more than “poor quality” data.

The Assure web-based toolset is the most effective way of embedding the ERM process into the business. Assure is the only toolset commercially available that has built-in prioritisation and escalation rules that ensure true enterprise risk management.

Copyright © 2002-2005 De-RISK, Ltd.
All Rights Reserved.