Black Swan Ahoy!!!
Whoever thought that the above picture would give flutters of fear to senior management one day?
But thanks to Mr. Nassim Taleb who brought the concept of the “Black Swan” event to the forefront, it’s what sleepless nights are born of. Of course, the Natalie Portman movie comes a close second…
Let’s start off with what Enterprise Risk Management is all about. As per Wikipedia:
“Enterprise risk management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives.”
I came across another definition by Jim Deloach, which I felt was equally (if not more) clear:
“Enterprise Risk Management is the discipline, culture and control structure an organization has in place to continuously improve its risk management capabilities in a changing business environment.”
Essentially, my distillation of ERM is a framework which helps an organization to manage risk. Now, in a similar manner, I’m going to try and distill the Who, What, Where, When and Why of ERM. Please feel free to correct me, as I think I’m going to be a student of ERM till my dying day (not because of any misplaced sense of passion, but because ERM is an ocean).
ERM is a complex, complex bit. Let’s begin by trying to understand who is the owner of the ERM framework.
ERM is kind of like voting – it’s everyone’s responsibility, but it ultimately tends to get forgotten in a world of everyday complexities. However, the buck should and will stop at the CEO. Under the CEO, we might see specialist roles like the Chief Risk Officer, Risk Managers or Auditors.
Hmmm…didn’t we define what ERM is? If we assume we know ERM because we know its definition, I would say that we are making the same mistake as the crew of the Titanic – what you see is a small part of a large thing.
ERM incorporates, as per COSO, eight-odd elements from Internal Environment to Monitoring. If I attempt to simplify, ERM constitutes all the elements of Universe measurement, Goal alignment, Risk & Mitigation and Measured Monitoring.
Okay – so there’s a huge laundry list of ERM related activities. Now where do we apply these…
As with everything else about ERM, my answer would be everywhere. ERM figures in all your day-to-day operational activities all the way to your 10 year strategic goal. In my experience, the space where ERM is given due importance today is primarily in Compliance. It’s been pointed out in various findings that ERM, as a complete practice, is quite immature.
Ah, this question. To be honest, I do not have a complete and convincing answer for this one. I would encourage you, the reader of this post, to provide your perspective.
In my view, the earlier the better. ERM is a vast area. It would be useful to start your ERM practice while the internal processes and universe are still manageable.
Why you ask? In the words of George Mallory, when asked why he wanted to climb Mount Everest – Because it’s there.
To expand on this, ERM enables the business to safeguard itself against a potential cascade of risks which would threaten its existence. ERM enables large organizations to be nimble and respond to opportunity. ERM aligns the organizational goal across all its functions, not only from an operations perspective but all the way into the strategic horizon. ERM would, though indirectly, improve customer and shareholder perception of the organization. I would say that the real question here is: why wouldn’t you implement an ERM framework? Here again, I invite the reader to give your perspective.
After reading this post, the obvious question you might have on your mind is: where do the swans come in? I think I’ll leave that for another post for now. The intent of this post was to provide a base on which we can build.
Author’s note: I wish I knew who to credit for the wonderful picture I have used in this post.
Ashwin joined Subex in 2006 as a part of the Implementation team for Revenue Assurance & Fraud Management. Over the years he has worked with cross-geographical teams to drive value discovery and creation for telecom operators across Middle East, Africa and APAC as a delivery SME and a Business Solutions Consultant. Beyond his work in Subex, he has been involved in some of the most seminal Revenue Assurance public domain centers (both in terms of his work on popular RA blogs as well as his co-authored work on Revenue Assurance for Telecom Operators). He regularly speaks at various industry events on areas pertaining to Business Optimization.
Interesting: during a conversation with an Operator last week, they mentioned looking at having the team structured not by the traditional approach of Fraud & RA, but rather by those responsible for: Reactive, Active and Proactive detection/assurance.
Thought that was an innovative approach, as it would be relatively easier to define the profile of the resources you would intend to hire this way, and also to define the internal Roles & Responsibilities.
Would be keen to see how this works out in practice.
This approach will appear to be more matured if we can find an answer to – who will decide the level of assurance required. Will that be a collective responsibility to decide the level of assurance required? And can this be made accountable?