Has your board adopted an Enterprise Risk Management (ERM) strategy? If not, your organization is likely to be at risk.
The idea behind ERM is simple: rather than focusing only on specific risks, such as worker or product safety, ERM adds a strategic layer that explores and anticipates risks across the whole enterprise.
Risk management for the whole enterprise
Within ERM’s broad scope we can identify three important strands: it must deal with operational risk, financial risk and strategic risk.
- Operational risks are hazards that, as the Basel II Accords describe them, result from “inadequate or failed internal processes, people and systems or from external events”. As such, they are ‘pure risks’ and cannot be planned for, although they can be anticipated within a risk assessment framework.
- Financial risks emerge from market impacts on assets, including risks to credit, price and liquidity. As such, they are ‘speculative risks’ that can be projected and planned for.
- Strategic risks are somewhat different: while operational and financial risk management focus on doing things right, strategic risk management focuses on doing the right things. That is, doing the things that will preserve the business, seeking to predict market trends and understanding emerging risks.
ERM and strategic risk
Most organizations are already managing operational and financial risks. But not every organization is managing strategic risks, which can have disastrous consequences. There are many examples of strategic risk failure, but two recent examples stand out:
- Digital music (and cameras): It is now commonplace to note that the major record labels dismissed digital music (downloads and streaming) as a risk to their business model. As the rise and ubiquity of services like Spotify and Tidal attest, this was a clear risk management failure. Similarly, Kodak’s fate is well known: it failed to address its dwindling sales in the face of digital photography, a technology it invented.
- Smartphones: The technologies needed to assemble a smartphone had existed for some time before Apple brought them together and launched the iPhone. The then-dominant mobile phone makers, like Nokia, Ericsson and Motorola, did not foresee the risk, did not respond quickly enough, and have disappeared from the market.
An effective ERM strategy requires all three risk categories to be considered. Critically, domain experts should remain at the helm of risk management in their own silos, but there must be a layer of strategic oversight that brings their individual views together.
That’s where the board comes in.
A board’s responsibility
Crucially, the board must take the lead in setting the ERM agenda. This is because the board is responsible for making strategic risk decisions.
By calling on the expertise of domain-specific experts (like the CIO, CFO or COO), as well as those with broader perspectives and risk expertise (like the CEO or CRO), the board can see the bigger picture and make strategic, enterprise-wide decisions.
Similarly, the board should foster a risk-aware culture within the enterprise, in which all employees understand risk and there are open channels for communicating risk information, from incident reporting to raising awareness of potential new risks.
More than just risk management
Risk and opportunity go hand in hand. Boards that adopt ERM want to gain a strategic view of their business and its risks. What are they going to do with it?
Having the right tools and information is critical. It is vital that the company uses a single, unified platform to identify, monitor and manage risks; this provides an invaluable resource when considering the broader, enterprise-wide risk posture.
Diligent’s software can assist with business and risk planning, with tools to help identify and manage all types of business risk. By marrying these proven tools with enterprise-grade security, you can be assured that your planning will be as thorough, accurate and private as possible.