When risk threatens a company, it does so holistically. Much like the anaconda, which swallows its prey whole, risk doesn’t waste time with a nibble here and a nibble there. It devours a business.
Just ask Saudi Aramco. When it was hacked in 2012 (the Shamoon wiper attack, which destroyed data on roughly 30,000 of its workstations), Aramco was forced to halt its computer-based operations. In an instant, a trillion-dollar company was doing business at the speed of paper. For almost any other company this would have meant bankruptcy. Aramco, arguably the most valuable company in the world, was able to recover, but full recovery took about five months.
Or ask Wells Fargo. In 2016 the bank was fined nearly $200 million after sales-driven employees opened accounts in customers' names without their permission.
A cyber-attack affects much more than the IT department. False sales affect much more than the sales department, and misleading balance sheets affect much more than the finance department. Just ask Enron.
Risk Management is an area where company executives often struggle with the question: “How good (or great) do we need to be at managing our risks? Do we need a professional level Enterprise Risk Management (ERM) program in place, or do we just need to buy corporate insurance and hope for the best?” For most companies, the answer is somewhere in between.
So what is ERM?
Enterprise Risk Management (ERM) is a strategic discipline in which the full range of an organization's risks is managed within a single, unified governance program. That sounds sophisticated, so let's dissect the words.
- Strategic discipline means the program is important enough to say, “If we do not do this, the company will fail.” For example, a strategic discipline of most department stores is great customer service. If a high-end store provides poor customer service, people will stop forking over hundreds of dollars for a shirt, and the store will lose customers.
- Full range of risks means every risk in the entire company. Company leadership shakes the organization down from top to bottom and identifies all of its risks. This is a difficult task, and it raises a harder question: which risks must be treated, and which can simply be accepted?
- Unified governance program uses a team of employees to govern the management of risks. This program includes processes for tracking how well each part of the company is managing, mitigating, and controlling each of the individual risks. For example, a department store manager may be required to report back to an “ERM Group” on the store’s ERM compliance. The ERM report would include compliance and actions taken to mitigate and control employee turnover, loss prevention, parking accidents, fraud, weather, building maintenance, safety, and customer service risks.
Basically, ERM is a big deal, and implementation requires discipline, time, and collaboration.
ERM is not for every company. Very few companies have adopted a full ERM program as defined above, because ERM requires a complete culture shift in an organization: every major decision is preceded by a structured assessment of its risks and potential outcomes against the enterprise risk inventory. ERM can hamper the entrepreneurial spirit in a company and significantly slow decision-making. Therefore, before stepping into the ERM world, consider how it will affect the culture of the organization.
Companies should remember one of the main purposes of ERM: to create value for the company and its stakeholders by identifying and responding to risks, either negative or positive (opportunities).
Companies seeking to establish an ERM program can choose from a variety of frameworks to structure the implementation. One of the most prevalent is the COSO ERM framework. In 2004, following the Enron scandal and the Sarbanes-Oxley Act of 2002, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published Enterprise Risk Management – Integrated Framework, an expansion of its earlier (1992) Internal Control – Integrated Framework. COSO ERM was designed to help businesses define strategy, identify and manage risks, and ensure attainment of their goals.
The COSO framework is widely regarded as the most comprehensive ERM framework. Another widely used framework is the RIMS Risk Maturity Model (RMM) for Enterprise Risk Management, developed by Steven Minsky, which assesses how mature an organization's risk management is across the key attributes of an effective, continuous ERM program. The bottom line: organizations should tread carefully into ERM implementation and weigh the costs of an ERM program against its benefits.
This article has been adapted from a chapter of the author's book, Jar(gone).
Trenegy helps companies design and implement internal controls frameworks to mitigate risk from both inside and outside of the organization. Whether you recently became a public company and need a controls framework built from scratch or are trying to maintain a stable control framework in a volatile market, our focus is on providing your organization deliverables and strategies that can be used long after we are gone. Find out more at email@example.com.