When risk threatens a company, it does so holistically. Much like the anaconda, which swallows its prey whole, risk doesn't waste time with a nibble here and a nibble there. It devours a business.
Just ask Saudi Aramco. When they were hacked in 2012, Aramco was forced to halt all computer-related activities. In an instant, the trillion-dollar company started doing business at the speed of paper. For any other company, this would have been certain bankruptcy. Arguably the most valuable company in the world, Aramco was able to recover, but it took five months.
Or ask Wells Fargo. The company was fined nearly $200 million in 2016 when deceptive sales practices resulted in employees creating accounts without customer permission.
Perhaps you remember Enron. A cyberattack affects much more than the IT department. False sales affect much more than the sales department, and misleading balance sheets affect much more than the finance department.
Risk management is an area where company executives often struggle with the questions: How good (or great) do we need to be at managing our risks? Do we need a professional-level Enterprise Risk Management (ERM) program in place, or do we just need to buy corporate insurance and hope for the best?
For most companies, the answer is somewhere in between.
ERM is a strategic discipline in which the full range of risks is managed in a unified governance program. Sounds sophisticated, so let's dissect the words.
Basically, ERM is a big deal and implementation requires discipline, time, and collaboration. It's not for every company.
Very few companies have adopted a full ERM program as defined above. ERM requires a complete culture shift in an organization. Every major decision in the organization involves a structured thought process for assessing risks and potential outcomes against the enterprise risks. ERM can hamper the entrepreneurial spirit in a company and significantly slow decision making. Therefore, before stepping into the ERM world, consider how it will affect the culture of the organization.
Companies should remember one of the main purposes of ERM: to create value for the company and its stakeholders by identifying and responding to risks, either negative or positive (opportunities).
Companies seeking to establish an ERM program have the opportunity to choose from a variety of frameworks to help structure the implementation. One of the most prevalent is the COSO ERM framework. Following the Enron scandal and the Sarbanes-Oxley Act, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published "Enterprise Risk Management — Integrated Framework." COSO ERM was an expansion of COSO's previously published "Internal Control — Integrated Framework." The COSO ERM framework was designed to be used by businesses to help define the strategy, identify and manage risks, and ensure attainment of their goals.
The COSO framework is highly regarded as the most all-encompassing ERM framework. The most recent framework to be published was the RIMS Risk Maturity Model (RMM) for Enterprise Risk Management, which was developed by Steven Minsky. It focuses on the key areas of efficient and continuous enterprise risk management.
The bottom line is, organizations should tread lightly into the ERM implementation process and consider the costs and benefits associated with an ERM program.
This article has been adapted from a chapter of the author's book, Jar(gone).
Trenegy helps companies design and implement internal controls frameworks to mitigate risk from inside and outside the organization. Whether you recently became a public company and need a controls framework built from scratch or are trying to maintain a stable control framework in a volatile market, we focus on providing you with deliverables and strategies that can be used long after we are gone. Find out more at info@trenegy.com.