Why risk management?
The overriding objective for implementing enterprise risk management is to provide reasonable assurance to an entity’s management and board that the entity’s business objectives are achieved.
According to the COSO framework, ERM primarily assists management with aligning risk appetite and strategy, enhancing risk response decisions, reducing operational surprises and losses, identifying and managing cross-enterprise risks, providing integrated responses to multiple risks, seizing opportunities and improving deployment of capital.
There are six fundamental reasons for implementing ERM. Each serves to help elevate management of risks to a strategic level. The six reasons are:
1. Reducing unacceptable performance variability:
ERM assists management with:
(a) Evaluating the likelihood and impact of major events
(b) Developing responses to either prevent those events from occurring or manage their impact on the entity if they do occur.
Most companies focus on traditional risks that have been known for some time. Few companies have a systematic process for anticipating new and emerging risks. Therefore, many companies often learn of critical risks too late or by accident, spawning the “fire fighting” and crisis management which drains resources and creates new vulnerabilities.
The strategic lens of ERM broadens the traditional risk management focus on low-probability and catastrophic risks to a more expansive view on reducing the risk of erosion of critical sources of enterprise value.
ERM assists management with improving the consistency of operating performance by increasing the emphasis on reducing earnings volatility, avoiding earnings-related surprises, and managing key performance indicator (KPI) shortfalls. ERM improves the management of increasing risk mitigation costs and the success rate of achieving business objectives.
2. Aligning and integrating varying views of risk management:
There are many silos within organizations with a point of view on managing risk, e.g., treasury, insurable risk, EH&S, IT, and within business units. Silo mentality inhibits efficient allocation of resources and management of common risks, enterprise-wide.
When there are multiple functions managing multiple risks, there is a need for a common framework. For example, some organizations are:
- Assessing the need for a chief risk officer (CRO), including that individual’s role, authority and reporting lines.
- Integrating management risk efforts into critical management activities, e.g., strategy-setting, business planning, capital expenditure and M&A due diligence and integration processes.
- Linking management of risks to more efficient capital allocation and risk transfer decisions.
- Increasing transparency by developing quantitative and qualitative measures of risks.
- Aggregating common risk exposures across multiple business units with the objective of understanding the greatest threats to enterprise value and formulating an integrated risk response.
3. Building confidence of investment community and stakeholders:
As institutional investors, rating agencies and regulators talk more about the importance of risk management in their assessments of companies, management may be requested to disclose and comment on the organization’s capabilities for understanding and managing risk to enable stakeholders to make informal assessments as to whether returns are adequate in relation to the risks undertaken.
As companies increase the transparency of their risks and risk management capabilities, and improve the maturity of their capabilities around managing critical risks, management will be able to articulate more effectively how well they are handling existing and emerging industry issues.
4. Enhancing corporate governance:
ERM and corporate governance are inextricably linked. Each augments the other. ERM strengthens board oversight, forces an assessment of existing senior management-level oversight structures, clarifies risk management roles and responsibilities, sets risk management authorities and boundaries, and effectively communicates risk responses in support of key business objectives.
All of these activities are germane to good governance. By the same token, effective governance sets the tone for:
(a) understanding risks and risk management capabilities.
(b) aligning risk appetite with the entity’s opportunity-seeking behavior.
Directors often ask, “What are the risks, how are they managed and how do you know?”
5. Successfully responding to a changing business environment:
As the business environment continues to change and the pace of change accelerates, organizations must become better at identifying, prioritizing and planning for risk.
ERM assists management with evaluating the assumptions underlying the existing business model, the effectiveness of the strategies around executing that model, and the information available for decision-making. ERM drives management to identify alternative future scenarios, evaluate the likelihood and severity of those scenarios, identify priority risks and improve the organization’s capabilities around managing those risks.
As the environment changes, new risks emerge and are escalated in a timely manner for action and possible disclosure. These activities impact resource allocation for the organization as a whole.
6. Aligning strategy and corporate culture:
ERM helps management create risk awareness and an open, positive culture with respect to risk and risk management. In such an environment, individuals can raise issues without fear of retribution. With respect to matters of enterprise-wide importance, ERM often centralizes policy-setting and creates focus, discipline and control.
It clarifies the distinction between risk-taking and risk-avoidance behaviors, improves tools for quantifying risk exposures, increases accountability for managing risks across the enterprise and facilitates timely identification of changes in an entity’s risk profile.
ERM encourages balance between the entrepreneurial activities and control activities of the organization, so that neither one is disproportionately strong relative to the other.