Many businesses however have difficulty identifying, assessing and documenting the extensive range of risks that they face. Management struggle to implement a framework to identify the risks that they must assess in the day-to-day operation of their businesses and also maintain focus on strategic business risks.
In addition, the development of new business strategies and successful execution of these often fail due to an inability to fully understand the risks involved.
The key to successful implementation of an ERM program across an organization is getting the balance right between ‘micro’ operational risks – many of which are still important – and key strategic business risks.
A bottom-up analysis of risks by line management and risk managers will often only focus on operational risks. These risks – whilst important to identify, mitigate and manage – do not always give rise to significant financial loss or business impairment.
The risks which do, however, are often left to be managed at board or executive level for larger organizations or with the business owner in private enterprises.
It is important to implement an approach to ERM that does not omit key business risks and ensures critical business risks are elevated to the appropriate level in an organization – usually board and executive level – in a transparent and structured manner.