Like a seed, which grows roots to survive and become a useful plant, Enterprise Risk Management (ERM) must be entrenched and embedded in every organisation (including government ministries, departments and agencies) for maximum advantage and effect.
In essence, embedding ERM means that risk management is integrated with every aspect of management activity. It is part of the psyche of the organisation and is eventually practised with unconscious competence, so that it happens without people having to think about it. In other words, it needs to be integrated into all the business practices AND the culture of the organisation.
The expression "unconscious competence" describes something we have learned to do so well that we no longer have to think about it, like driving or writing.
Enterprise risk management is the overarching risk management for the whole business. It enables a portfolio view of risks and how they interconnect. An ERM framework provides the requisite tools, templates and communications that can be applied consistently across the enterprise.
If the organisation were a well-managed airline, the disciplines of risk management would be embedded within every department's activities, from the check-in process, luggage handling and servicing the engines, to checking the routes ahead for bad weather conditions. Risks in the various units and departments are analysed and mitigated within a framework, keeping in mind the overall company objective of delivering air travellers safely to their destinations.
Making risk management an unconscious competence and integrating it into all the business practices and the culture will reduce uncertainty and enable better decision making. This does not mean that uncertainties in threats and opportunities will no longer arise, but they will be dealt with in a better managed and more holistic manner.
In reality, it is common practice for each department (e.g. IT, Human Resources, Treasury, Health & Safety etc.) within the organisation to see itself as the sole repository of risk management expertise, and too often pride and obstinacy prevent department heads from sharing information with one another. This means that "silos" of risk management build up within the enterprise, and that is not good for business. This silo approach often creates the gaps through which catastrophic events arise and lead to corporate failures.
Enterprise risk management should not operate in isolation but needs to be built into existing decision-making structures and processes in order to support planning, priority setting, programme management, financial reporting, audits and evaluations, the development of corporate business plans, business continuity, operations, performance assessment and other key functions.
Embedding enterprise risk management requires the same importance and attention as any change management exercise: it needs top-level support; a good business case setting out the value of doing it (and the costs); clear outcomes or goals; a well-defined action plan built around stakeholder requirements, with clear ownership and accountability; good communications and performance measures for success; and a systematic approach to alignment with the culture.
A four-point model explaining the aspects of embedding or integrating ERM, how it can be expanded, and the attributes that need to be demonstrated is as follows:
Led from the top – This is all about ensuring that there is executive and board-level support for the programme and that it is maintained over time. Leaders should challenge and be demanding, rather than just saying the right things occasionally. Evidence of embedding would include board and management committee minutes, staff magazines, websites and business plans. Sponsorship from the top should be consistent and visible.
Owned – Throughout the organisation, there should be ownership, pride and commitment in driving continuous improvement. The Board and senior management must own the leadership role for ERM.
In order for this ownership to be embedded, ERM needs to be integrated into the organisation. To gain long term traction, it needs to be a core discipline integrated into day-to-day business processes and activities. Increasingly, organisations are turning to “risk-based” decision making and management practices so that enterprise risk management becomes integrated with all other aspects of management.
Ownership is achieved by getting people to adopt the new behaviour in the way they do things. There are extensive psychological explanations of how you get people to change their behaviour for good, but once it becomes part of the DNA of the culture and the behaviour exhibited, part of the collective unconscious competence, you will have a more innovative and enabled organisation.
To be successful, enterprise risk management has to have the ownership of management and staff at every level. That requires making sure that there are both incentives for taking ownership and sanctions for failing to take ownership.
Driven with energy – This requires a systematic, timely and structured approach to creating the programme, gaining ownership of and buy-in to the programme's related processes, and ensuring that it is communicated. Outcomes must be visible and actively discussed; we cannot embed things if they are a closely guarded secret.
Measured – Measuring the successes and failures of the enterprise risk management programme, and challenging and reviewing it for the next stage of adapting ERM, are all part of ensuring continuous improvement in managed risk taking.
Enterprise risk management might be the subject of the moment, but if it does not inform significant management decisions then it is largely window dressing.
Sowing the seed of enterprise risk management will enable better decisions to be made and increase the likelihood of the long-term survival of the business. It will equip the pilots for smooth or rough weather, ahead of and during the journey. It is a sure way to business sustainability.
- Mbonu, FERP, CIRM(UK), HCIB, MsRM (Stern), studied Engineering and is an experienced banker and Enterprise Risk Management professional. He earned a postgraduate degree in Risk Management from New York University Stern School of Business and is a member of the Institute of Risk Management (UK). He can be reached on 09092092046 (SMS only); email: firstname.lastname@example.org