A Well-Oiled Machine
Enterprise risk management (ERM) is like a well-oiled machine. Management culture varies. Each departmental leader has a different approach and style, which underlies the culture of their business unit. ERM draws on these differences in style and culture across an organization, establishing a unified and cohesive approach to managing risk and strategic opportunities. As such, ERM provides a framework that gives structural integrity and prepares the organization to face uncertainty. Interestingly, ERM views risk as having both positive and negative outcomes. Hence, through an ERM framework, an organization can incorporate a universal perspective on managing risk, leading to a balance in managing uncertainty.
ERM and Organization Performance
Most organizations already practice some elements of ERM. As such, full alignment with the principles of ERM may be a relatively minor adjustment. For example, ERM mandates a management commitment, alignment with organizational objectives, and provision of resources. These are all common objectives that organizations can incorporate into ERM. Blending these elements into an ERM program establishes safeguards which support the structural integrity of a risk management framework and align with organizational objectives. Just as risk management is a distinct field of practice, the application of risk management across an organization must be a separate, but culturally imbued, attribute of day-to-day management. These principles are the foundation of the ISO 31000 and COSO ERM standards.
Even though many organizations apply elements of ERM, their approach often lacks consistency across all business units. In essence, many organizations employ differing “language” to describe their goals and objectives, even between different departments of the organization. Additionally, budgetary pressures can influence departmental performance. Performance may drift from risk awareness and preparedness to mere survival. This concern may be especially true of the ground level of a business, especially when communication of the organization’s ERM principles is unclear.
The use of the risk management frameworks founded in ERM standards can connect the dots. The framework helps the organization stimulate cultural and procedural collaboration across business units. This standardization of approach is a useful tool to manage the uncertainties across an organization. Ultimately, the approach creates a stronger foundation to face and manage uncertainty, which we loosely define as
Impact of Climate Uncertainty
Uncertainty about climate is a risk. A typical uncertainty lies in how climate change alters an organization’s exposure to hazards, its people, and financial fluctuations. Variations in temperature or in the amount and location of precipitation may result in adverse impacts on an organization. For instance, swings in ambient temperature can expose more significant percentages of the population to illnesses such as the common cold or influenza. As a consequence, organizations may experience absences and lower productivity.
In another example, extreme high temperatures demand increased air-conditioning loads, resulting in more energy use and higher greenhouse gas emissions. In this way, responding to the immediate threat (high temperature) may exacerbate a long-term threat (global climate change). Warmer air contains more moisture and more energy. This phenomenon leads to increasingly significant and more frequent precipitation events and tornadoes, for which we must prepare.
Clarity of vision can aid in navigating the path forward. The language and frameworks provided by ERM standards can help organizations and society better manage for the future.
Risk Assessment versus Risk Management
Risk assessment is a component of the ERM process, but it is not the central piece of the risk management standards.
Just as we take our temperature and perform medical tests and examinations to gauge our health, an organization uses risk assessment to measure organizational health. Other essential components of risk management include risk treatment, monitoring, and reporting on the effectiveness of the overall ERM program. Communication of findings must contribute to a continuous risk management cycle: a cycle of scanning for exposures and opportunities, assessing, treating, monitoring and reporting that inevitably lands back at scanning. Clear communication adds to the picture of the health of an organization over time. As external pressures change, the program must respond. In this way, ERM is a process, not a one-time project.
Risk assessments are used periodically to give an organization a glimpse of performance, vulnerability,
External Consultants can Help Oil the Machine
Establishing an ERM framework may feel like a daunting undertaking. As a result, organizations may be reluctant even to start. A form of risk management inertia develops. However, gradual implementation of a planned program, aligning standard business practices with ERM principles, can improve an organization’s resiliency in the face of uncertainty.
External risk management experts can help the organization build on the existing culture to establish a robust ERM program. Just like mechanics at the garage, external experts can help organizations oil the ERM machine. Organizational success depends on a clear and consistent focus on achieving objectives. Senior management provides leadership to sustain this process by allocating adequate resources, communication, and time to imbue the culture of risk management, at all levels of the organization. In this way, a holistic risk management program can become the cultural norm of the organization.
An external consultant can apply their expertise and experience in holistic risk management, gained from multiple engagements with many different entities and industries, to help an organization implement an effective ERM framework.
It’s a Process!
Implementing effective risk treatment plans will safeguard and improve the performance of business units. Monitoring and reporting on the outcomes of treatments, both positive and negative, will add to the organization’s risk knowledge base. As a result, this data serves as a foundation for continuous improvement.
When an organization implements treatment plans and reports methodically, it will develop an organizational risk profile, allowing it to better prepare for uncertainty. Eventually, it can use the risk profile as a foundation for a risk governance model for similar business units across the organization.
An underlying principle of risk management is that it is a continuous improvement process. Consequently, there is no single ideal solution that safeguards an organization completely. As such, over time, the organization must identify evolving treatment options for changing business, physical, and financial environments. As the external environment changes, so too must the organization’s responses to counter risk and capitalize on opportunities. Generally, this is the Plan-Do-Check-Act (PDCA) process emphasized in ISO 31000. We see the PDCA cycle as gears in the ERM machine.
The Never-Ending Story
As decision-makers embrace the objectives of value creation and risk management in the core goals of the organization, the PDCA cycle becomes the cultural norm, nurturing success. A well-tended organization will act much like a well-oiled machine. When all the individual components and gears are functioning correctly, the engine will work at its optimum level. So too does an organization, when senior managers and staff nurture and tend to safety, performance and managing uncertainty in all business units. It’s a never-ending story, providing a consistent risk-aware and risk-managed culture and ensuring a secure and productive future.
If you wish to discuss your enterprise risk management questions or concerns, please feel free to talk to us. Or, you can start the conversation in the comments section for this post. We appreciate your input!