Management must identify the strategic goals and objectives of their company. These are typically based on business drivers such as revenue and market share, reputation and brand, asset and capital management, earnings and operating margins. Once the objectives have been documented, the strategic, operational, compliance and financial/reporting risks that can impede the realization of these objectives should be listed. This document is commonly referred to as a risk register.
A common pitfall in the risk identification process is that the initial effort tends to be all-inclusive: hundreds of insignificant risks are documented. This makes the risk assessment process long, unwieldy and often frustrating. The risk register should typically focus on no more than 40-50 risks. In doing so, a concerted effort should be made to identify the unknown-unknowns. Once the risk register has been developed, the risks should be assessed and prioritized. The objective is to classify the risks as high, medium and low, and to narrow the list down to the 5-10 risks that require focus from the board and executive leadership.
Some companies tend to make the risk prioritization exercise overly academic. This need not be the case. Risks can easily be classified according to their likelihood of occurrence and the impact that they can have on the business. While some companies employ quantitative methods to assess the impact of risk events as measured, for example, by changes in revenue or profitability, others prefer a combination of quantitative and qualitative criteria. What is important here is the adoption of one approach and its consistent application across the company.
Once the risks have been categorized, management should compare each risk relative to the company's risk appetite. Immediate attention should be focused on the high-impact risk areas that have low levels of control. Such risks need to be monitored frequently. High inherent exposures with low levels of management control form the priorities for improvement activities. The Enterprise Risk Management (ERM) exercise can also identify low-risk areas that have high levels of control. Such risks are typically accepted by management. In some instances, they may provide opportunities for process and efficiency improvements.
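The likelihood-and-impact classification and the comparison against risk appetite described in the two paragraphs above can be made mechanical once a single scoring scheme is adopted. The following is an added illustration, not code from the original article, and its scheme is an assumption: likelihood and impact are scored 1-5, inherent exposure is their product, control effectiveness is a fraction from 0.0 to 1.0, residual exposure is inherent exposure scaled by the uncontrolled share, and the risk appetite is a residual-score threshold. The band cut-offs (High at 12 or more, Medium at 6 or more), the control thresholds (0.5 and 0.8) and every register entry are constructed sample values, chosen to show the three outcomes the text names: the short list for executive focus, high-exposure/low-control improvement candidates, and low-exposure/high-control areas that may be over-controlled.

```python
"""Risk register prioritization: an added worked example (not from the article).

Assumed scoring scheme (not prescribed by the source):
  likelihood, impact : integers 1..5
  inherent exposure  : likelihood * impact          (range 1..25)
  control            : fraction 0.0..1.0 of the exposure that controls remove
  residual exposure  : inherent * (1 - control)
  risk appetite      : a residual-exposure threshold the board is willing to carry
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    owner: str          # every risk gets an owner (see the text on risk owners)
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    impact: int         # 1 (negligible) .. 5 (severe)
    control: float      # 0.0 (no controls) .. 1.0 (fully controlled)

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> float:
        return self.inherent() * (1.0 - self.control)


def validate(risks: List[Risk]) -> None:
    """Enforce the one agreed scale across the whole register; mixed scales
    make the comparison meaningless, so reject them rather than proceed."""
    for r in risks:
        if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
            raise ValueError(f"{r.name}: likelihood and impact must be 1-5")
        if not (0.0 <= r.control <= 1.0):
            raise ValueError(f"{r.name}: control must be between 0.0 and 1.0")
        if not r.owner:
            raise ValueError(f"{r.name}: every risk must have an owner")


def band(score: float, high: float = 12, medium: float = 6) -> str:
    """Map a score to High/Medium/Low using assumed cut-offs."""
    if score >= high:
        return "High"
    if score >= medium:
        return "Medium"
    return "Low"


def prioritize(risks: List[Risk], appetite: float = 8.0, top_n: int = 5
               ) -> Tuple[List[Risk], List[Risk], List[Risk]]:
    """Return three lists:
      focus          - risks whose residual exposure exceeds appetite,
                       highest first, capped at top_n for the board agenda
      improve        - high inherent exposure with weak controls (control < 0.5)
      over_controlled- low inherent exposure with strong controls (control >= 0.8),
                       candidates for accepting the risk and simplifying controls
    """
    validate(risks)
    by_residual = sorted(risks, key=lambda r: r.residual(), reverse=True)
    focus = [r for r in by_residual if r.residual() > appetite][:top_n]
    improve = [r for r in risks if band(r.inherent()) == "High" and r.control < 0.5]
    over_controlled = [r for r in risks if band(r.inherent()) == "Low" and r.control >= 0.8]
    return focus, improve, over_controlled


# Constructed sample register (hypothetical entries, not real data).
SAMPLE_REGISTER = [
    Risk("Ransomware on production systems", "CISO", 4, 5, 0.3),
    Risk("Cloud provider regional outage",   "CTO",  2, 5, 0.6),
    Risk("Key customer churn",               "CRO",  3, 4, 0.2),
    Risk("Privacy regulatory fine",          "GC",   3, 3, 0.7),
    Risk("Office printer outage",            "IT",   3, 1, 0.9),
    Risk("Insider data theft",               "CISO", 2, 5, 0.4),
]


if __name__ == "__main__":
    focus, improve, over = prioritize(SAMPLE_REGISTER)
    print("Board focus (residual > appetite):")
    for r in focus:
        print(f"  {r.name:35} owner={r.owner:5} inherent={r.inherent():2} "
              f"residual={r.residual():.1f} band={band(r.residual())}")
    print("Improvement priorities (high inherent, weak control):",
          [r.name for r in improve])
    print("Possibly over-controlled (low inherent, strong control):",
          [r.name for r in over])
```

Running the script with the sample register puts the ransomware and customer-churn risks on the board list (residual 14.0 and 9.6 against an appetite of 8.0), names the same two as improvement priorities because their controls are weak, and flags the printer-outage entry as a candidate for simple acceptance. Changing the appetite or the cut-offs changes the lists, which is exactly the point of the text: the scheme must be agreed once and applied consistently, or the ranking is not comparable across the company.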
Each risk should be assigned an owner. Risk owners are responsible for developing mitigation plans, monitoring the impact and likelihood of risk-events and reporting the implications of potential scenarios to executive leadership. They also ensure adherence to the company’s risk management policy, promote risk consciousness and buy-in among employees and ensure that risk reports are based on reliable information. Leading practice organizations have linked risk management effectiveness to individuals’ performance scorecards.
Often, companies spend too much time in debating the relative merits of alternative ERM approaches, and on assessing and prioritizing risks that are not material. Little time is spent on managing risks that really matter. The value of ERM lies in helping companies make informed strategic choices and resource allocation decisions. This can be achieved by implementing mitigation plans for the top, mission-critical risks, monitoring them on a continual basis, and reporting progress to the board, typically, on a quarterly basis. Once such a process – however limited its initial scope might be – finds its rhythm, it can be scaled up easily.
A ship in the harbor is safe, but that is not what a ship is built for. Companies need to take on and manage risks in order to grow and enhance shareholder value. A well executed ERM serves as a radar that can enable companies to conquer new oceans, even as it helps them steer clear of dangerous waters.