From traditional risk management to Enterprise-wide Risk Management


A business organization, whether celebrating its second year of operations or decades of corporate existence, undoubtedly has in its management portfolio core tools and techniques to manage risks.

From traditional risk management approaches, a best practice risk management approach, called Enterprise-wide Risk Management, or ERM, has evolved.

By definition, it is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risks within its risk appetite and provide reasonable assurance regarding the achievement of the entity’s corporate objectives.

Whether driven by the 9/11 incident and/or the continuing rise in expectations of both shareholders and stakeholders, increasingly restrictive regulatory environments, nonstop escalation in fuel costs and the food crisis, we now hear of organizations that have migrated from the siloed approach to risk management and mitigation to the enterprise-wide strategy.

Those who have crafted their ERM business case and implemented it rigorously are now benefitting from the following:

1) Greater understanding of key risk dimensions — an appreciation of the downside and upside of risks

Downside risks are commonly understood as hazards and uncertainties, while the upside view treats risk as assets that can be put to better use. The Chinese character, or representation, of a problem or risk likewise foretells opportunities.

2) Adoption of a common language and approach to undertake risk identification, evaluation and response

By use of common definitions and accepted qualitative or quantitative metrics, organizations can better rationalize why risks are high, moderate or low and how resources can be best allocated to effectively mitigate them.

On the implementation side, it could be via a questionnaire scheme or a workshop-based brainstorming exercise.

The workshop or collaborative decision-making is known by various names, such as Risk and Controls Self-Assessment (RCSA), Controls Self-Assessment (CSA) or Management-directed Assessment and Controls (MAC). Such workshops are intended to demystify risk management into a common activity as typical as brown bag lunch huddles among co-workers in functional or cross-functional units.

3) Formation of a new breed of risk-educated personnel who are seen as manifesting more participative postures in helping avoid unpleasant organizational and operational surprises. They comfortably escalate, rather than hide, risk issues that could not be addressed at their working and authority levels.

4) Setting up of an up-to-date knowledge database described alternately as risk universe, library or risk register. Accessible anytime by decision makers, it provides a company-wide status of ongoing risk management initiatives within a business, a project or a specific process of the organization’s product or service value chain. Decision makers no longer take action without looking at the repercussions or impact of their decisions on other functions and on the organization as a whole.

5) Availability of a good tool to support a paradigm shift. As the RCSA and questionnaire processes get repeated, they naturally trigger a mindset change — from being siloed to becoming enterprise-wide, and from deciding reactively to deciding proactively.

What has contributed to such effective risk identification, evaluation and mitigation?

Our experience with ERM clients and with those who participated in risk management surveys has shown various interesting practices. Noteworthy ones are the following:

1) Creation or reiteration of a risk management philosophy to ensure it is aligned with the organization’s vision and mission

Vision and mission statements are revisited to define the company’s stand on risks. Key and operational level decision makers provide support in disseminating the developed philosophy and selling risk management as an inherent aspect of any job vested by the organization.

2) Integration of risk management with the business planning process

Given identified strategies and goals, the planning process is considered not complete without going through the rounds of evaluating the upside and downside risks that can influence or bar set objectives from being met.

3) Visible risk management sponsors and champion

Active endorsement by members of the Board, especially no less than the chairman or the Audit Committee chairman, is the strongest evidence of support to the program.

A designated risk champion, who can be a functional head performing risk management in concurrent capacity, is tasked to orchestrate all risk management activities. His mandates could range from spearheading a series of awareness or ERM advocacy programs, facilitating RCSA workshops or distributing and collating questionnaires, to providing senior management and the board of directors with periodic risk management performance reports. Metrics are set to track overall progress or the rate of success in each function conducting RCSA.

4) Affordable technology enabling the ERM process

The technology support required in the initial implementation of ERM can leverage existing communications and database management systems. ERM knowledge databases can be programmed using Lotus Notes, a popular internal e-mail system. If it is being used company-wide, collaborative work teams can input or update data in the ERM knowledge database with ease.

5) Internal audit adding value to the process

From its typical assurance role, internal audit is appreciated at a higher level by functioning as a seasoned controls and risk mitigation adviser.

Indeed, the modern corporate world now has to contend with the ins and outs of risk management which, from the looks of it, is definitely here for the long haul.


Contacts
Nerissa Mendoza
Senior Director, Advisory
Tel: +63 (2) 845 2728

© 2008-2009 PricewaterhouseCoopers. All rights reserved. PricewaterhouseCoopers refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.