‘Enterprise Risk Management Programme’ – Striking the right balance
The Committee of Sponsoring Organisations of the Treadway Commission (COSO) commissioned and published its first piece of work on Enterprise Risk Management (ERM) in 2004. Since then, ERM has gained broad acceptance among organisations globally in their efforts to manage risks.
However, even today ERM programmes across many organisations struggle to find a firm footing. In the absence of clear directives, business and enterprise risk teams find themselves amid the chaos of multiple frameworks, conflicting direction & priorities, rollout constraints & limited participation, tool enablement & investment needs, and multiple governance structures. ERM teams are also seen competing with other prominent specialised internal risk teams, such as compliance, for budgets, mindshare and space, which makes it even more of an uphill task.
Given these challenges, ERM programmes in many small to medium organisations often fail to take off, or take much longer than anticipated to reach the minimum levels of maturity. There are comparable cases in larger organisations where programmes start with a bang, with leadership sponsorship and budgetary support, but have proved difficult to sustain or have failed to deliver the intended value.
This leads to an important question: what constitutes a successful ERM programme? Is the programme moving in the right direction? Is the right approach being followed?
Honestly, there is no single right answer, nor is there a universal approach to follow. An ERM programme is influenced and shaped by a multitude of factors such as the industry, geography, size & scale of operations, risk appetite, regulatory environment, culture and so on. However, there are a few core factors (covered below) which, if addressed in the optimum way while building an ERM approach, will help you drive more value and lead to a sustainable, integrated ERM programme.
- Top-Down Vs Bottom-Up Approach: Which side of the spectrum are you on?
Many of us may argue that the best approach, and the one that has worked with a high success rate especially in large organisations, is the top-down approach. It reflects management sponsorship and an enterprise-wide commitment to the risk programme. Risk conversations are driven by well-established management forums (like the executive team), select committees (like the compliance committee) or focus groups (the central risk team). However, it has been observed that the top-down approach fails to recognise the lower or mid-management governance layer, which comprises the project leaders or process leads who manage the processes day in and day out. They are not only the first line of defense but also the first layer to identify a potential risk. Leaving them out of the risk conversation or risk governance will therefore not only weaken your enterprise risk posture but also leave you with a very flat view of potential risks. The right balance between the top-down and the bottom-up approach can help to plug this gap and enable you to derive much more benefit from your ERM programme.
- Status Vs Insights: Can we draw a distinction between the two?
Let's take the example of a typical large organisation where management meetings and executive reviews are driven by a well-established, metric-driven dashboard with graphs and numbers. It has often been observed that we become so engrossed in translating risks into numbers (e.g. total risks stand at x, y% closed, etc.) that the result ends up as a status on the dashboard during crunched management updates and is often viewed in isolation. Unless the numbers are broken down into risks with impacts, or insights are clearly derived, translated and absorbed by the business, dashboards in themselves will not result in effective decision making, thereby defeating the very purpose of the programme. So look for insights rather than mere numbers, avoid status updates with no takeaway, and explore ways to engage with the business.
- Risk Assessment Cycle Vs Management Reporting Cycle: Are they interlinked?
Not necessarily. In many organisations, it has been observed that if the management reporting cycle is annual, risks are also assessed annually for timely inclusion in the management reports (such as the annual report). While this may help in meeting the reporting obligation and aligning with management expectations, it can be a naïve approach: the very essence of proactively managing risk for the business is lost. Risk assessment should be an ongoing process, carried out for the purpose of actively managing risks and enabling the business to make risk-based decisions. The risk assessment cycle should be determined by the business environment and not just be driven by management reporting cycles. Reporting should be a byproduct of the risk assessment cycle and not its very purpose.
- Directive Vs Culture: What's your pick?
Let's explore both choices before you decide on one. Directives are generally management instructions driven by regulatory obligations, business decisions or corporate strategy, and are expected to set the direction for a given area. They reflect management support & sponsorship, and serve as a great tool to set the ball rolling when pushing a new initiative. But in the long term, directives are difficult to sustain and amount only to a ‘tick-in-the-box’ approach, thereby impacting the maturity of the enterprise risk programme. On the other hand, nurturing a risk-aware organisational culture has the potential to influence individual behaviors and stakeholder engagements towards a more risk-conscious approach. If one can imbibe and drive culture change, implementation of best practices becomes easier & more feasible. It thereby helps to lay a stronger foundation for a successful risk management programme.
It has never been a question of selecting one approach over another. It is about striking the right balance between competing elements based on organisational culture, programme stage & maturity, risk management policy & mandates, and management & business expectations, to derive the best value out of your ERM programme.
It is also important to note that the ERM programme and the approach undertaken need to evolve with time and in tandem with business changes, and thus we must be quick to learn, adapt and shape the programme to be able to effectively manage risks for the business.