Enterprise Risk Management Challenges


Despite a lot of conversation about Enterprise Risk Management (ERM), business leaders are constantly faced with the challenges of its implementation. Mark S. Beasley, CPA, Ph.D., a professor, thought leader, and well-respected writer on ERM, raised several points while speaking at an international risk management conference in June. He reminded his audience that the issues most business leaders face as they help lead their organisation’s ERM efforts are similar. Therefore, working together to address these challenges is in our collective best interests. Some of the points noted include the following:

The Speed of Information Exchange is Elevating the Need for More Robust Risk Oversight
The rapid pace at which information is exchanged and disseminated means news about a particular event can affect an organisation’s reputation and brand at frightening speed. Organisations no longer have the luxury of time to engage in decision-making to craft their strategic response once news about a risk event is released. In many cases, a single risk event is attached to other unrelated risk events that, when combined, rapidly begin to erode the organisation’s reputation and brand.

To address this reality, some organisations are working proactively to consider their responses to their top risks more robustly, allowing them to think through strategies for managing these risks well in advance of an actual event. Developing an inventory of responses to top risks and vetting the effectiveness of those responses may pay significant dividends when immediate action is required.

Risk Management Leaders Need to Speak the Language of the Business
As in many professions, those who lead an organisation’s risk management efforts often develop their own language that they use to communicate with others. Conversations about likelihood, impact, inherent and residual risks, risk appetite and risk tolerances become commonplace among risk management leaders, but they may not be well understood by others in the business. Risk management leaders should speak the language used by those in their audience. Business leaders are focused on boosting margins, achieving objectives and goals, and advancing the business, and that usually affects how they think and the language they use.

To address this, some risk management leaders are rethinking the language and jargon they employ to ensure that they are being heard and understood by business unit leaders.

The Complexity of Business May Outweigh an Individual’s Capacity to Assess Risks
Geopolitical events, cyber threats, disruptive innovation, regulatory shifts, and changing social demographics represent just a sampling of issues that may trigger significant risks for an organisation. Any one of these risk drivers is complex in and of itself, but the emerging reality is that any of these risk drivers may be related to or trigger other risks, only adding to the complexity of the risk management challenge. In many situations, the number of factors that need to be evaluated to accurately assess a risk’s likelihood or impact may outweigh any one individual’s capacity. A more holistic and team-based enterprise-wide approach to risk identification and assessment is recommended.

A collection of minds for varied perspectives on complex risk issues may be needed to face the realities of today’s business environment.

Risk Oversight and Strategy Need to be Better Integrated
A common challenge is the apparent disconnect between an organisation’s risk management and strategic planning activities. Unfortunately, in many organisations, risk management is viewed as a compliance or regulatory activity that needs to be done to satisfy some external demand for risk management. Often that means risk management is relegated to a lower-level, non-strategic position that addresses important, but not strategy-defeating, issues. For some reason, business leaders continue to struggle to remember the important connection between “risk and return.” As a result, the organisation’s risk management efforts are not adequately integrated with strategic planning.

Business leaders must understand the importance of risk management, and how it can be positioned to provide strategic value. The solution is to start the conversation with what is strategically important to the organisation, and then ask what might prevent that from being successful.

Overlooking Ethical Culture May Lead to an Organisation’s Biggest Risk
Business culture varies across organisations, and it is important to understand how an organisation’s culture might affect its ERM efforts. Understanding what values are important among the leaders of the organisation may shed light on how willing those leaders may be to take certain risks. While most organisations have a set of defined business values, sometimes management’s behaviours and decisions may not reflect those stated values.

Recognising when those differences potentially exist and calling attention to those disconnects may be risk management’s most important contribution, and will require the support of those in key governance roles, such as the board of directors.

Overall, ERM can be complex; the aim should be to make it easier to understand and realise. ERM programs and frameworks are by nature detailed and painstaking, requiring pragmatic and realistic approaches to implementation. One important aspect is to keep it simple: complex is not necessarily comprehensive or better, as the framework needs to be understood by a wide group of stakeholders.

Avoid the tendency to try to replicate the successes of others. While it is important to learn from the successes and failures of others, it is generally unwise to try to replicate an entire framework wholesale. Institutions are only as good as the people in them. Real capacity building through expert training is the key to a sustainable program. Strong, consistent leadership is the key: ERM is always driven from the top.

ERM implementation takes time and money, if done well. Get good advice. Do not rely entirely on internal staff, no matter how good they are. Get the best external advice from certified experts. It will save money in the long run.