Enterprise Resource Management (ERM) is fast becoming an imperative for companies around the world. Leading practice organizations have been able to leverage their risk management activities, which entail periodically assessing, mitigating and monitoring mission-critical risks, not only to prevent unwanted surprises and losses but also to create a competitive advantage by exploiting upside opportunities. Indeed, the ability to manage risk exposure is increasingly being deployed as a strategic lever by CEOs and boards today.
Investors, too, are focused on companies’ risk management practices. For instance, in a global survey conducted by Ernst & Young, 82% of investors tended to agree that they would pay a premium for companies with good risk management. The research also revealed that investors penalize companies with insufficient risk management.
Over 60% of survey respondents said that they had avoided investing in companies for this reason; 48% had exited. The increasing importance of ERM is also evidenced by the fact that Standard & Poor’s (S&P) recently proposed to introduce enterprise risk analysis into its corporate credit ratings process.
Specifically, results of an ERM evaluation exercise would be used to develop a business profile for a company. This, in conjunction with the company’s financial profile, would be used to arrive at an overall credit rating. S&P’s hypothesis is that companies with mature ERM programs are less likely to experience volatile earnings and cash flows and more likely to optimize risk adjusted returns. Given this context, business leaders today are increasingly focusing on implementing robust ERM programs. Here are some leading practices that can increase the likelihood of success.
Companies typically manage risks in silos. Individual departments such as sales, operations and finance focus on functional risks. But they seldom speak to each other to understand how risks in one department impact the rest of the organization.
In addition, department-specific technical approaches and philosophies to measuring and monitoring risks lead to inconsistencies in a company’s overall approach to risk management. ERM overcomes this limitation by providing a holistic, top-down view of risks that cuts across functional boundaries. In doing so, it focuses on four key questions. Are we taking the right risks? Are we covered against these risks? Do we have the right infrastructure to manage these risks? How often, and how effectively, are we taking stock?
Build an ERM Infrastructure:
This includes developing a risk management policy, as well as implementing processes and systems for gathering, analyzing and reporting risk information. It also entails assigning roles and responsibilities to the individuals who will lead and support ERM. Typically, the program is championed by the CEO, and supported by the CFO and Chief Risk Officer.
There is an old Indian folktale in which an elephant is brought to three blind men. They are asked to identify what it is. They touch and feel different parts of the elephant’s body, and their responses range from a rope to a rock to a giant leaf. Oftentimes ERM meets a similar fate in organizations. It means different things to different people. For instance, some executives may think of risk in terms of activities that are external to the company and as such, uncontrollable. Others may view it in terms of barriers that can impede the realization of corporate objectives. While some may think of risk management as a compliance activity, others may view it through an operational lens. In the absence of a common definition, risk management cannot be effective. Risks in enterprise cannot be eliminated
Department heads usually serve as risk owners. If a company’s internal audit department gets involved, it does not design mitigation plans or make any risk management decisions. In some cases, it supports the program by reviewing the effectiveness of the company’s risk management processes.