Consider the 9/11 World Trade Center bombing, the Bernie Madoff fraud scandal, the loud crash of AIG, or the fraudulent activities of one lone French index trader. What do these events have in common? Only weeks before these historic events, few could have predicted them or their severity. Yet an organization’s growth, and indeed its survival, depends on its ability to face risks, both those that are expected and those that lie at the low ends of the probability curve.
Enterprise risk management processes can help organizations more strategically and thoroughly manage their risk.
According to a recent joint study by MARSH and the Risk and Insurance Management Society, 56 percent of companies that responded said that current economic conditions are driving changes to their risk management strategies, with fully 55 percent trying to take a more strategic approach to risk management. Almost one-fourth of the respondents reported that a heightened focus from ratings agencies was driving increased risk management emphasis.
Whatever the impetus, managing risk through an enterprise risk management (ERM) approach is the wave of the future.
What is ERM? It is a strategic approach to managing all of an organization’s key business risks and opportunities to better maximize shareholder value. Whether profit-driven, a non-profit or charity, or a governmental entity, all organizations must manage both threats and opportunities to achieve an ultimate goal: organizational survival. Whether threats are internal like employee theft or external like supply chain disruptions, forces that can disrupt your organization must be proactively recognized and managed. Opportunities must be managed, as well. For example, adequate staffing so that intellectual capital is present to drive market innovations can mean the difference between a company’s rapid expansion and its demise.
ERM is a topic that cannot be adequately covered in one article, of course. To put ERM in a nutshell, I would define it as, “A well-developed system that drives critical information about risk and opportunities throughout the organization.”
Frequently, company information is siloed. Important knowledge about risks, corporate strategies and organizational frameworks is kept centralized with certain key personnel, which means that essential decisions are often made without adequate information. With an ERM approach, risk identification and the management of that risk are embedded throughout the organization. The ability to identify roadblocks, opportunities or hazards that could interfere with organizational strategic goals must be developed in all managers, even line personnel.
Along with this awareness, however, employees at all levels of the organization must feel free to open dialogues designed to explore ways to mitigate or take advantage of those risks or opportunities. Each organization must institute a method to gather information company-wide and develop a framework for analyzing and communicating that information both up and down the organization.
One caveat, however: an enterprise risk management system does not mean an organization can reduce the essential steps of risk management. Risk identification, risk assessment, loss control and risk monitoring, as well as effective post-incident claims management, remain the bedrock of any sound risk management program.