Who would have thought that the above picture would one day give flutters of fear to senior management?
But thanks to Mr. Nassim Taleb who brought the concept of the “Black Swan” event to the forefront, it’s what sleepless nights are born of. Of course, the Natalie Portman movie comes a close second…
Let’s start off with what Enterprise Risk Management is all about. As per Wikipedia:
“Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives.”
I came across another definition by Jim Deloach, which I felt was equally (if not more) clear:
“Enterprise Risk Management is the discipline, culture and control structure an organization has in place to continuously improve its risk management capabilities in a changing business environment.”
Essentially, my distillation of ERM is this: a framework that helps an organization manage risk. Now, in a similar manner, I’m going to try and distill the Who, What, Where, When and Why of ERM. Please feel free to correct me, as I think I’m going to be a student of ERM till my dying day (not because of any misplaced sense of passion, but because ERM is an ocean).
ERM is a complex, complex thing. Let’s begin by trying to understand who owns the ERM framework.
ERM is kind of like voting – it’s everyone’s responsibility, but it ultimately tends to get forgotten in a world of everyday complexities. However, the buck should and will stop at the CEO. Under the CEO, we might see specialist roles like the Chief Risk Officer, Risk Managers or Auditors.
Hmmm…didn’t we already define what ERM is? If we assume we know ERM because we know its definition, I would say that we are making the same mistake as the crew of the Titanic – what you see is a small part of a much larger thing.
ERM incorporates, as per COSO, 8-odd elements ranging from Internal Environment to Monitoring. If I attempt to simplify, ERM constitutes all the elements of Universe measurement, Goal alignment, Risk & Mitigation and Measured Monitoring.
Okay – so there’s a huge laundry list of ERM-related activities. Now, where do we apply these…
As with everything else about ERM, my answer would be everywhere. ERM figures in all your day-to-day operational activities all the way to your 10 year strategic goal. In my experience, the space where ERM is given due importance today is primarily in Compliance. It’s been pointed out in various findings that ERM, as a complete practice, is quite immature.
Ah, this question. To be honest, I do not have a complete and convincing answer for this one. I would encourage you, the reader of this post, to provide your perspective.
In my view, the earlier the better. ERM is a vast area. It would be useful to start your ERM practice while the internal processes and universe are still manageable.
Why, you ask? In the words of George Mallory, when asked why he wanted to climb Mount Everest: because it’s there.
To expand on this, ERM enables the business to safeguard itself against a potential cascade of risks that would threaten its existence. ERM enables large organizations to be nimble and respond to opportunity. ERM aligns the organizational goal across all its functions, not only from an operations perspective but all the way into the strategic horizon. ERM would, though indirectly, improve customer and shareholder perception of the organization. I would say that the real question here is: why wouldn’t you implement an ERM framework? Here again, I invite you, the reader, to give your perspective.
After reading this post, the obvious question you might have on your mind is: where do the swans come in? I think I’ll leave that for another post for now. The intent of this post was to provide a base on which we can build.
Author’s note: I wish I knew who to credit for the wonderful picture I have used in this post.