Business has always been a risky venture at its very core, so in order to succeed an organization must pay close attention to the risks it faces and takes on daily. Typically, companies today deal with risks in the following three broad groups:
- Internal Risks - These are specific to an organization and can be controlled. An example of this is employee misconduct. This type of risk can be mitigated by setting in place, and strictly enforcing, a code of conduct for employees.
- Strategic Risks - These types of risks are taken with the assumption that they will deliver a competitive advantage. The higher the risk, the greater the reward. An example is a car manufacturer adding a new technology or amenity that a competitor doesn’t have on their vehicles.
- External Risks - These are largely out of the control of an organization. Political upheavals and extreme weather are good examples of this. The company can’t do much to prevent or even predict such events, it can only mitigate the impact of these kinds of threats after the fact.
To effectively address all of these types of risks, companies need an Enterprise Risk Management (ERM) strategy.
What Should Your ERM Strategy Be?
According to the ISO 31000: 2009 global risk management standard, your ERM strategy should be:
- Dynamic - Risk management should be an active and regular assessment of business risks. It should evolve with the changes in the business and be a normal part of decision making and operations.
- Iterative - Risk management is not a one-time solution. Instead, it should rely on processes that are revisited in the mitigation and management of risk.
- Responsive to change - Risk management should be agile and ready for surprises such as new competitors springing up or rapid social changes affecting the target market.
Enterprise Risk Management goes deeper than assessing risk impact and probability. It seeks to understand finer details like how fast the risk might occur, what events might trigger the risk, when the risk will pose threat to the business, if the is risk being actively managed and so much more.
It is proactive. Instead of waiting for risks to occur then respond to them, ERM examines the relationships between risks and makes assumptions that enable the company to get in front of them.
ERM is also holistic. Instead of having departments assess and manage their own risks, the assessment is made on an enterprise wide scale. This eliminates the potential for incidences where a risk mitigation strategy in one department might unknowingly create a new risk in another.
How to Implement an ERM Strategy
1. Gather your risks in one place
Organizations should start with establishing an enterprise risk structure with registers where different departments can identify, communicate and manage risk. This starts with an enterprise wide SWOT analysis and assessment of both tangible and intangible risks. This combined risk register allows all team members to be aware of the risks that might arise in all departments in the organization.
2. Assign responsibility
While support of top management is critical, Enterprise Risk Management emphasizes a holistic approach where all departments or business units are involved. Establishing a committee with representatives from each department can achieve this.
Their role should go beyond having a response plan. They should be tasked with meeting regularly to identify new risks across the organization. And because it is an organization-wide initiative, it helps to have an annual risk assessment questionnaire to be completed by all employees.
3. Identify, monitor and report
It is impossible for an organization to respond to every risk. Instead, it should prioritize and focus resources on mitigating and managing specific risks. The risk reporting framework should be available to all employees, thus enabling anyone to communicate about risks in the shortest amount of time.
Need Help Implementing an ERM?
Creating an Enterprise Risk Management (ERM) Strategy can be quite intimidating, but with the experts at ASB Resources by your side you can put together a robust ERM strategy that will turn Risk into Rewards for your company. Schedule some time with us soon!