There are those who shudder at the mere mention of the word ‘risk’ or, worse still, view risk and its management as something that applies only to top-level organisations with sophisticated systems.
The reality is that risk is present in every business.
A risk is defined as the effect of uncertainty (either positive or negative) on a business’ objectives. Viewed from this perspective, it is undeniable that risk management affects all businesses, whether large or small. Moreover, it is intrinsically connected to a business’ strategy and its ultimate success or failure.
Whose responsibility is risk management?
Risk has traditionally been viewed as something to be addressed by only a few key individuals in a particular area. However, with the view that risk affects the objectives of a business, it’s clear that it also impacts every function and operation of a business.
Put simply, the identification and effective management of risk is everyone’s responsibility.
Adopting an enterprise-wide risk management (ERM) approach ensures that everyone in an organisation takes risk management seriously. It promotes structure, process and a level of conformance within the organisation to ensure risk is approached systematically and continually reviewed.
What is ERM?
ERM involves a proactive, holistic view of a business’ risks across every level and business unit. An effective ERM model is tied directly to the business’ strategy and specific objectives. It involves outlining the business’ appetite for and tolerance of risk and identifying key areas of uncertainty that could affect the objectives of every business unit.
Under an ERM model, risk is not restricted to one individual or group of individuals but, rather, it is the responsibility of all, as shown in the table below:
|Board of Directors & CEO||• To be ultimately accountable for all risks. • To periodically review risk management practices and related policies.|
|Senior Management||• To design, implement, and maintain an effective risk management framework. • To develop policies and procedures. • To establish and monitor the risk appetite, and report regularly to the board of directors. • To promote a risk-aware culture.|
|Business Units||• To identify, assess, measure, monitor, control and report risks to senior • Manage relevant risks within the framework established by senior management. • Ensure compliance with policies and procedures.|
|Support Functions (i.e. Legal, HR, IT, etc.)||To provide support to business units in developing and enforcing policies and procedures.|
|Internal Audit & Compliance||To monitor and provide independent assurance of the effectiveness of the framework.|
|Risk Management Personnel||To coordinate the establishment of the framework and provide risk management expertise.|
How can ERM be a tool for growth?
Risk, in itself, is not bad. Negative consequences arise when it is mismanaged, misunderstood or mispriced. When fully embraced, risk and a risk management program can create opportunities to grow and add value.
The greatest benefit of implementing an ERM approach is the way in which it aligns every function of the business with the same objective – the organisation’s business strategy.
A business with a well-established ERM model could expect the following benefits:
- Clarity around the transactional aspects of an organisation’s risk management program.
- A reduction in overall costs.
- Improved decision-making and greater comfort at the board level.
- Improved communication, as ERM forces divisions and people to talk to each other and helps to break down individual silos. This both establishes a better understanding of risk overall and facilitates the flow of information to senior management and the board.
Need some help with your ERM approach? Don’t hesitate to speak with a William Buck advisor.