We’ve all seen the headlines and YouTube videos: Millions of customers have their confidential information exposed and possibly compromised through the Equifax data breach. A United Airlines passenger is forcibly dragged from an overbooked flight. And the pillar of German banking, Deutsche Bank, unravels through a series of corporate scandals.
With these types of news stories garnering increasing national and international attention, there are many real and potential risks to proactively manage in order to avoid fines, lawsuits, threats to stakeholder relations, and overall reputational damage.
What is “risk” and how can it be managed?
A general definition of risk is that it is the chance of an event or circumstance happening that will have an impact on business objectives. Managing risk from a holistic “big picture” perspective has led to the development of enterprise risk management (ERM) strategies.
ERM is a coordinated set of activities an organization implements to manage risk. ERM enhances corporate governance, promotes resiliency in the face of the changing business environment, and reduces operational surprises and losses.
Developing and implementing an effective ERM framework includes the following:
- Understanding and setting the context of risk, led by an organization’s senior leaders. A key element here is determining the organization’s risk appetite. Risk appetite is generally defined as the amount and type of risk that an organization is willing to take in order to meet its strategic objectives.
- Identifying all possible risks that could impact business objectives.
- Determining the higher rated risks by estimating both the probability and severity of an associated risk event occurring.
- Responding to the higher rated risks through either accepting, avoiding, sharing, or mitigating through controls.
- Monitoring and continually reviewing the environment, associated risks, and control activities.
- Reporting on an organization’s risks and associated risks profile to all relevant stakeholders in a timely manner.
A successful ERM strategy will have well-established roles and responsibilities for risk management, policies, and a well-coordinated governance structure, including formalized risk management committees. Also extremely important are risk management tools such as Risk and Control Self Assessments, Key Risk Indicators and Management reporting on Risk Profiles.
What is a key success factor for implementing a robust ERM framework? Having an open discussion forum for senior leaders and subject matter experts on risk and controls relevant to specific organizational units. These forum discussions lead to greater transparency and organizational understanding of risk and its consequences. Led by a seasoned facilitator, this process results in a higher likelihood of achieving organizational objectives.
ERM programs vary because they always need to be adjusted to fit an organization and its industry. With that in mind, a good place to start is to note the risk management activities already in place. An organization may not currently define these measures as risk management and it may not be holistic throughout the organization. However, it’s important to observe and leverage the risk management efforts that have already been made. Making a business realize how much it already does in terms of risk management is the first value add that ERM can provide.
It’s then recommended to set some time with senior leaders and/or the board to review and discuss the organization’s risks and how to best prevent and respond to them. Here are a few points and questions to consider when doing so:
- Identify the company’s overall objectives and key strategies.
- Ask questions like “what could go wrong with the objectives and strategies?”, “what are the business’ main concerns?”, “how will the concerns impact different stakeholders?”, etc. Try to identify as many risks as possible that the organization could be exposed to.
- Then ask, “which risks are significant, in terms of potentially bad outcomes and the likelihood that it could happen?”. “If a risk is significant, how are we dealing with it now, and can we do anything more?”. Here we try to identify some additional controls that may not already be in place.
We’ve just gone through a high level risk and control assessment exercise, one of the first steps in ERM. There is a lot more involved with the ERM process and risk and control assessments, but this first step is a great starting point as it identifies and analyzes key risks, key controls, and areas where additional controls are needed from the top level of the senior management and/or the board.
The organizations referenced at the start of this article may or may not have had ERM programs, or perhaps these processes were faulty. It’s important to understand that there are limitations to ERM – like all other established methodologies, it can be subject to human error and unforeseen factors.
However, it’s important for an organization to have an ERM program in place, as it establishes a foundation that the company can further develop as its environment and situations change and evolve over time. An ERM program is always a wise investment for any organization to pursue, as it will minimize and prevent risks, allowing an organization to focus on achieving its business objectives.
CPABC's executive and certificate programs provide opportunities for you to learn how to develop actionable plans for yourself and your organization. You will also benefit from peer sharing, and building your professional network. Learn more.
William (Bill) Wesioly is a CPA, CMA, in Ontario, an independent risk management consultant, and a professional leadership coach. Prior to becoming an independent consultant, he worked in the financial services industry in risk management roles for Bank of Montreal and Royal Bank of Canada. He currently teaches the CPA ERM certification program in Toronto for CPA Ontario.