‘Enterprise Risk Management Programme’ – Striking the right balance

Priyank Kothari

Head - Information Security

May 30, 2018

The Committee of Sponsoring Organisations of the Treadway Commission (COSO) commissioned and published its first piece of work on Enterprise Risk Management (ERM) in 2004. Since then, ERM has gained broad acceptance among organisations globally in their efforts to manage risk.

However, even today ERM programmes across many organisations struggle to find a firm footing. In the absence of clear directives, business and enterprise risk teams find themselves amid the chaos of multiple frameworks, conflicting direction and priorities, rollout constraints and limited participation, tool enablement and investment needs, and multiple governance structures. ERM teams also find themselves competing with other prominent specialised internal risk teams, such as compliance, for budget, mindshare and space, which makes it even more of an uphill task.

Given these challenges, the ERM programme in many small to medium organisations often fails to take off, or takes much longer than anticipated to reach a minimum level of maturity. There are comparable cases in larger organisations where programmes start with a bang, with leadership sponsorship and budgetary support, but then find it difficult to sustain themselves or deliver the intended value.

This leads to an important question: what constitutes a successful ERM programme? Is the programme moving in the right direction? Is the right approach being followed?

Honestly, there is no single right answer, nor a universal approach to be undertaken. An ERM programme is influenced and shaped by a multitude of factors such as industry, geography, size and scale of operations, risk appetite, regulatory environment, culture and so on. However, there are a few core factors (covered below) which, if addressed in an optimum way while building an ERM approach, will help you derive more value and lead to a sustainable, integrated ERM programme.

  • Top-Down vs Bottom-Up Approach: Which side of the spectrum are you on?
    Many of us may argue that the approach which has worked best, especially in large organisations with a high success rate, is the top-down approach. It reflects management sponsorship and an enterprise-wide commitment to the risk programme. Risk conversations are driven by well-established management forums (such as the executive team), select committees (such as the compliance committee) or focus groups (a central risk team). However, it has been observed that the top-down approach fails to recognise the lower or mid-management governance layer, which comprises the project leaders and process leads who manage the processes day in and day out. They are not only the first line of defence but also the first layer to identify a potential risk. Leaving them out of the risk conversation or risk governance will not only weaken your enterprise risk posture but will leave you with a very flat view of potential risks. The right balance between the top-down and bottom-up approaches can plug this gap and enable you to derive much more benefit from your ERM programme.

  • Status vs Insights: Can we distinguish between the two?
    Take the example of a typical large organisation where management meetings and executive reviews are driven by a well-established, metric-driven dashboard of graphs and numbers. It has often been observed that we become so engrossed in translating risks into numbers (e.g. total risks stand at x, y% closed, etc.) that they end up as a status on the dashboard during crunched management updates and are viewed in isolation. Unless the numbers are broken down into risks with impacts, or insights are derived, translated and absorbed by the business, dashboards by themselves will not result in effective decision-making, defeating the very purpose of the programme. So look for insights rather than mere numbers, avoid status updates with no takeaway, and explore ways to engage with the business.

  • Risk Assessment Cycle vs Management Reporting Cycle: Are they interlinked?
    Not necessarily. In many organisations it has been observed that if the management reporting cycle is annual, risks are also assessed annually for timely inclusion in the management reports (such as the annual report). While this may help in meeting the reporting obligation and aligning with management expectations, it is naive. The very essence of proactively managing risk for the business is lost. Risk assessment should be an ongoing process, carried out to actively manage risks and enable the business to make risk-based decisions. Risk assessment cycles should be determined by the business environment, not driven solely by management reporting cycles. Reporting should be a by-product of the risk assessment cycle, not its purpose.

  • Directive vs Culture: What's your pick?
    Let's explore both choices before you decide on one. Directives are generally management instructions driven by regulatory obligations, business decisions or corporate strategy, and are expected to set the direction for a given area. A directive reflects management support and sponsorship, and serves as a great tool to set the ball rolling on a new initiative. But in the long term directives are difficult to sustain and amount to a 'tick-in-the-box' approach, which limits the maturity of enterprise risk programmes. On the other hand, nurturing a risk-aware organisational culture has the potential to shift individual behaviours and stakeholder engagements towards a more risk-conscious approach. If one can instil and drive cultural change, implementing best practices becomes easier and more feasible, laying a stronger foundation for a successful risk management programme.

It has never been a question of selecting one approach over another. It is about striking the right balance between competing elements, based on organisational culture, programme stage and maturity, risk management policy and mandates, and management and business expectations, to derive the best value from your ERM programme.

It is also important to note that the ERM programme and the approach undertaken need to evolve with time and in tandem with changes in the business, so we must be quick to learn, adapt and shape the programme in order to manage risks effectively for the business.
