Enterprise Risk Management (ERM) is now widely accepted as a credible and valued business activity.
Many businesses, however, have difficulty identifying, assessing, and documenting the range of risks that they face. Business owners and managers struggle to implement a framework to identify the risks that they must assess in the day-to-day operation of their businesses and maintain focus on strategic business risks. The development and execution of new business strategies also often fail because of an inability to fully understand the risks involved.
The key to the successful implementation of an ERM program across any organization is getting the balance right between ‘micro’ operational risks – many of which are still important – and key strategic business risks.
It is important to implement an approach to ERM that does not omit key business risks and ensures critical business risks are elevated to the appropriate level in an organization – usually board and executive level – in a transparent and structured manner.
A bottom-up analysis of risks by line management and risk managers will often only focus on operational risks. These risks – whilst important to identify, mitigate and manage – may not give rise to significant financial loss or business impairment. The risks which do, however, are often left to be managed at the board or executive level for larger organizations or with the business owner in private enterprises.
For smaller businesses, managing risks can be quickly started with four key steps.
Conduct an Initial Risk Identification Workshop. Get the management team together to participate in a workshop to discuss the business’ key business risks. For risks that are identified in this phase, develop and implement plans to address the key risks. For regulatory and compliance risks, move quickly to address any issues.
Establish Clear Ownership of Risks. Make sure it is clear who the owner of each risk (or category of risks) is. Wherever possible, have the ownership as close as possible to the business activity or function. Ensure that the risk owners have a full understanding of the risks and are skilled and resourced to manage these risks.
Establish a Formal Risk Register. This is a register of key business risks in each risk category (use the 52 Risks® framework as a starting point). This will assist with the identification of key business risks and, as each is assessed, ensure action is taken as appropriate.
Establish a Risk Management Rhythm. Develop an organization-wide risk culture and rhythm. Strive to have risk identification, assessment, mitigation, and reporting embedded as a core capability. Encourage the discussion of risk in all management forums, project decision-making, and business reviews.