Advisory

Enterprise risk management: New risks, new approach

Shane Troyer

The risks facing your business are evolving—and accumulating—at a breakneck pace. In today’s increasingly interconnected world, safeguarding your organization from such risks as IT security threats, economic volatility and corrupt business practices is only the first step. You also need to make sure each member of your organization is playing their part in mitigating and managing risk effectively, in accordance with regulatory requirements.

To say this is a challenge for many business owners would be an understatement. As the risk playing field changes from all angles on a seemingly regular basis, organizations need to update their risk management objectives along with it—and ensure their enterprise risk management (ERM) processes are up to the job.

While it may be tempting to make excuses to avoid ERM implementation, the ostrich approach is no longer sitting well with regulators. Sticking your head in the sand and pleading ignorance will not satisfy your regulatory responsibilities—and it won’t protect your organization.

The good news is ERM implementation doesn’t have to be an expensive and laborious undertaking—and the effort you put into it is well worth the outcome. To illustrate our point, we’ve suggested simple ways to get past four common ERM implementation excuses:

Excuse #1: Our business is simple and risks are well known, so there is no need to invest in the development of a formalized risk management program.

Solution: If your organization has simple business objectives, that doesn’t mean it faces no risk. It may, however, position you to document and address those risks in a simple manner. Rather than avoiding ERM altogether, consider assessing your primary risks at a high level, documenting them through a simple risk register and identifying any existing mitigating controls.

Excuse #2: We haven’t had any problems in the past (that we know of) so there’s no need to worry about this now.

Solution: The argument that a formal risk management process isn’t necessary doesn’t hold water anymore. In this day and age, ignorance is no defence. Implementing even the most basic ERM processes is better than having none at all.

Excuse #3: We will look into ERM once we solve (insert operational challenge of the day here).

Solution: ERM is a tool that can greatly assist your organization. It can help you understand the potential risks facing your organization and properly prioritize operational challenges accordingly. ERM also gives those charged with governance a better understanding of the inherent risks that may prevent the achievement of organizational objectives, which should guide their allocation of resources. Essentially, by seeing ERM as the useful tool that it can be, you’ll be making your organization stronger.

Excuse #4: If we formalize our risk management processes, we will have to document what could go wrong. If this is documented, we will have to manage the identified risks—resulting in the allocation of resources from an already-stretched resource pool.

Solution: A strong risk management culture starts at the top. If ownership supports risk-based decision-making, an appropriate risk management culture can flourish. If ownership chooses, instead, to fear it—and turn a blind eye to risks—the business will be open to countless risk events, and the consequences associated with them.

Essentially, by changing your view of ERM and treating it as an essential line of defence against today’s business risks, you’ll be helping to protect your business more effectively, preserve your brand’s reputation and maintain shareholder value.