What is the point of Enterprise Risk Management?
By Deven Chitaliya, Vice President, Risk Management, Olam International
Thousands of satellites orbit earth, gathering and distributing data, and facilitating effective communications. This is analogous to the mission of boards and management, who seek to gather as much intelligence as possible to effectively manage their organisations.
All organisations must manage risks effectively to endure and thrive. In fact, all would agree that risk management has to be embedded into business operations. Over the past decade, many have been making the case for an Enterprise Risk Management (ERM) framework. Despite ongoing conversations, confusion remains about what ERM is and how it differs from traditional, tried-and-tested methods of risk management. If businesses are already enforcing risk management, what is the point of ERM?
Proponents of ERM, including Olam, aren’t suggesting that organisations haven’t been managing risks well. Instead, ERM is about thinking differently – considering risks that don't fall neatly along business lines and can affect the entire organisation. It is a strategic tool that is especially crucial for senior management and boards in tackling risks that may impact long-term, strategic success.
Traditionally, organisations assign risk management to business unit leaders within their areas of responsibility. We call this “silo” or “stove-pipe” risk management. For example, the Chief Technology Officer is responsible for managing risks related to information technology operations; the Treasurer is responsible for managing risks related to financing and cash flow, and so on.
But risk does not respect organisation charts; it can be anywhere and take any form. Some risks “fall between siloes”, unnoticed by individual leaders. Others can affect different units differently – managers may not know that a decision taken for one silo can cause or escalate risk in another. The upshot is that risk can go unnoticed or not be effectively tackled until a catastrophic event is triggered.
Another challenge with traditional risk management is that although most business leaders understand the concept of “risk-and-return”, most struggle to connect risk management to organisational level strategic planning. Risk management is often internally focused and granular – looking within the four walls of the organisation, with minimal focus on risks that may emerge from outside the business.
Over the last decade, some business leaders have recognised these potential shortcomings and have begun to embrace ERM as a way to further strengthen risk oversight. They realise it is simply too late to wait until a risk event occurs to act.
Simply put, ERM is a framework to effectively identify and manage risks and seize opportunities to achieve the organisation’s goals. It seeks to build a top-down, enterprise view – hence the name – by creating a basket of all the risks that may impact business viability, whether negatively or positively. The process broadly involves identifying risk events or situations relevant to the organisation's goals, assessing them by likelihood and magnitude of impact, determining an appropriate response strategy, and monitoring progress. Coordination is key, and the output from this process is integrated to provide a clear picture of risk for stakeholders and improve risk management for the organisation.
Given the goal of ERM, responsibility for setting the tone and implementation rests on senior management and boards. They have the best enterprise view and must take charge of understanding, managing, and monitoring the most significant risks the group faces. But again, as the name suggests, all functions must play their part. For example, the risk department is vital in evaluating risk management processes and advocating continued improvement. Other control functions can help in regular assessments and to develop an engagement plan at various levels that is continually updated.
By identifying and proactively addressing enterprise risks and opportunities, businesses protect and create value for their stakeholders, including owners, employees, customers, regulators, and society. This is especially crucial in today’s increasingly VUCA (volatile, uncertain, complex, and ambiguous) operating environment. The volume and complexity of organisational risk are growing at an unprecedented pace. The recent crisis that the WannaCry and Petya ransomware caused for hundreds of companies worldwide is just one example among many. At the same time, expectations of management and business leaders for more effective risk oversight have become much higher.
Because risk constantly emerges and evolves, it is important to understand that ERM implementation is an ongoing process. Even though ERM has become more popular, some unfortunately view it as a project with a specific beginning and an end. While the initial launch of an ERM process might require aspects of project management, the benefits can only be fully realised when management thinks of it as an active and alive process, with constant updates and improvements.
As a leading global agri-business operating in 47 product platforms across 70 countries, Olam is firmly committed to ERM as a complementary catalyst for our continued growth and viability, in buttressing our risk management capabilities. We hope more organisations will join in embracing ERM to generate long-term, sustainable value for stakeholders.