With the changing business environment brought on by events such as the global financial crisis, gone are the days of focusing only on operational and tactical risk management. Enterprise Risk Management (ERM), a framework for a business to assess its overall exposure to risk (both threats and opportunities), and hence its ability to make timely and well informed decisions, is now the norm.
Ratings agencies, such as Standard & Poors, are reinforcing this shift towards ERM by rating the effectiveness of a company’s ERM strategy as part of their overall credit assessment. This means that, aside from being best practice, not having an efficient ERM strategy in place will have a detrimental effect on a company’s credit rating.
Not only do large companies need to respond to this new focus, but also the public sector needs to demonstrate efficiency going forward, by ensuring ERM is embedded not only vertically but also horizontally across their organisations. This article provides help, in the form of five basic steps to implementing a simple and effective ERM solution.
This is first of a series of articles on ERM. Future articles will expand on each of the steps in this articles.
Step 1 – Establish an Enterprise Risk Structure
ERM requires the whole organisation to identify, communicate and proactively manage risk, regardless of position or perspective. Everyone needs to follow a common approach, which includes a consistent policy and process, a single repository for their risks and a common reporting format. However, it is also important to retain existing working practices based on localised risk management perspectives as these reflect the focus of operational risk management.
Figure 1. Vertical and horizontal ERM
The corporate risk register will look different from the operational risk register, with a more strategic emphasis on risks to business strategy, reputation and so on, rather than more tactical product, contract and project focused risks. The health and safety manager will identify different kinds of risks from the finance manager, while asset risk management and business continuity are disciplines in their own right. ERM brings together risk registers from different disciplines, allowing visibility, communication and central reporting, while maintaining distributed responsibility.
In addition to the usual vertical risk registers, such as corporate, business units, departments, programmes and projects, the enterprise also needs horizontal, or functional risk registers. These registers allow function and business managers, who are responsible for identifying risks to their own objectives, to identify risks arising from other areas of the organisation.
Figure 2: Enterprise Risk Structure in the Predict! Hierarchy tree
The enterprise risk structure should match the organisation’s structure: the hierarchy represents vertical (executive) as well as horizontal (functional and business) aspects of the organisation.
This challenges the conventional assumption that risks can be rolled up automatically, by placing horizontal structures side by side with vertical executive structures. Risks should be aggregated using a combination of vertical structure and horizontal intelligence. This is a key factor in establishing ERM.
Step 2 – Assign responsibility
Once an appropriate enterprise risk structure is established, assigning responsibility and ownership should be straightforward. Selected nodes in the structure will have specified objectives; each will have an associated manager (executive, functional or business), who will be responsible for achieving those objectives and managing the associated risks. Each node containing a set of risks, along with its owner and leader, is a Risk Management Cluster.*
Vertical managers take executive responsibility not only for their cluster risk register, but also overall leadership responsibility for the Risk Management Clusters below. Responsibility takes two forms: ownership at the higher level and leadership at the lower level. For example, a programme manager will manage his programme risks, but also have responsibility for overseeing risk within each of the programme’s projects.
Budgetary authority (setting and using Management Reserve), approval of risk response actions, communication of risk appetite, management reporting and risk performance measures are defined as part of the Owner and Leader roles as illustrated in Figure 3. This structure is also used to escalate and delegate risks.
Horizontal managers take responsibility for their own functional or business Risk Management Clusters, but also for gathering risks from other areas of the Enterprise Risk Structure related to their discipline. For example, the HR functional manager will be responsible for identifying common skills shortfall risks to bring them under central management. Similarly, the business continuity manager will identify all local risks relating to use of a test facility and manage them under one site management plan. To assist in this, we use an enterprise risk map – see Step 3. *Risk Management Clusters® are unique to the Predict! risk management software
Step 3 – Create an enterprise risk map
Risk budgeting and common sense dictate that risks should reside at their local point of impact, because this is where attention is naturally focused. However, the risk cause, mitigation or exploitation strategy may come from elsewhere in the organisation and often common causes and actions can be identified. In this case, we take a systemic approach, where risks are managed more efficiently when brought together at a higher level. To achieve this, we need to be able to map risks to different parts of the risk management structure.
To create an enterprise risk map, you need:
- a set of global categories to communicate information to the right place
- the facility to define the relationships between risks (parent, child, sibling etc)
- scoring systems with consistent common impact types
Global categories
Functional and business managers should use these global categories to map risks to common themes, such as strategic or business objectives, functional areas and so on. These categories then provide ways to search and filter on these themes and to bring common risks together under a parent risk.
Risk relationships
Figure 4: Global categories
For example, if skills shortage risks are associated with HR, the HR manager can easily call up a register of all the HR risks, regardless of project, contract, asset, etc. across the organisation and manage them collectively.
Similarly, the impact of a supplier failing on any one contract may be manageable. But across many contracts could be a major business risk. In which case, the supply chain function needs to bring the risks against this supplier together and to manage the problem centrally.
Each Risk Management Cluster will include both global and local categories in a Predict! Group, so that each area of the organisation needs only to review relevant information.
Scoring systems are also applied by Risk Management Cluster, with locally meaningful High, Medium and Low thresholds which map automatically when rolled up. For example, a high impact of £150k at project or contract level will appear as low at corporate level. Whereas a £5m risk at a project or contract level may appear as High at the corporate level.
Typically, financial and reputation impacts will be common to all clusters, whereas local impacts, such as project schedule, will not be visible higher up.
Figure 5: Scoring by cluster maps from local to enterprise level
Step 4 – Decision making through enterprise risk reporting
The most important aspect of risk management is carrying out appropriate actions to manage the risks. However, you cannot manage every identified risk, so you need to prioritise and make decisions on where to focus management attention and resources. The decision making process is underpinned by establishing risk appetite against objectives and setting a baseline, both of which should be recorded against each Risk Management Cluster®.
Enterprise-wide reporting allows senior managers to review risk exposure and trends across the organisation. This is best achieved through metrics reports, such as the risk histogram. For example, you might want to review the risk to key business objectives by cluster. Or how exposed different contracts and projects are to various suppliers.
Furthermore, there is a need to use a common set of reports across the organisation, to avoid time wasted interpreting unfamiliar formats. Such common reports ensure the risk is communicated and well understood by all elements of the organisation, and hence provide timely information on the current risk position and trends, initially top-down, then drilling down to the root cause.
Step 5 – Changing culture from local to enterprise
At all levels of an organisation, changing the emphasis from ‘risk management’ to ‘managing risks’ is a challenge; however, across the enterprise it is particularly difficult. It requires people to look ahead and take action to avert (or exploit) risk to the benefit of the organisation. It also requires the organisation to encourage and reward this change in emphasis!
Unfortunately, problem management (fire-fighting) deals with today’s problems at the expense of future ones. This is generally a far more expensive process as the available remedies are limited. However, if potential problems are identified (as risks) before they arise, you have far more options available to affect a ‘Left Shift: from a costly and overly long process to one better matching the original objectives set!
Figure 8. Proactive management of risks – left shift
Most organisations have pockets of good risk management, many have a mechanism to report ‘top N’ risks vertically, but very few have started to implement horizontal, functional or business risk management. Both a bottom up and top down approach is required. An ERM initiative should allow good local practices to continue, provided they are in line with enterprise policy and process (establishing each pocket of good risk management as a Risk Management Cluster will provide continuity).
From a top-down perspective, functional and business focused risk management needs to be kick started. A risk steering group comprising functional heads and business managers is a good place to start. The benefits of such a group getting together to understand inter-discipline risk helps break down stove-piped processes. This can trigger increasingly relaxed cross-discipline discussions and focus on aligning business and personal objectives that leads to rapid progress on understanding and managing risk.
Finally, to ensure that an organisational culture shift is affected, the senior management must be engaged. This engagement is not only aimed at encouraging them to see the benefits of managing risk, but to also help the organisation as a whole see that proactive management of risk (the Left Shift principle) is valued by all.
A Risk Management Masterclass for the executive board and senior managers can provide them with the tools necessary to progress an organisation towards effective ERM.
The benefits
ERM delivers confidence, stability, improved performance and profitability. It provides:
- Access to risk information across the organisation in real time
- Faster decision making and less ‘fire fighting’
- Fewer surprises (managed threats and successful opportunities)
- Improved confidence and trust across the stakeholder community
- Reduced cost, better use of resources and improved morale
- Stronger organisations resilient to change, ready to exploit new opportunities
Over time this will:
- Increase customer satisfaction, enhance reputation and generate new business
- Safeguard life, company assets and the environment
- Achieve best value and maximise profits
- Maintain credit ratings and lower finance costs
Conclusion
All of the risk management skills and techniques required to implement Enterprise Risk Management can easily be learned and applied. From senior managers to risk practitioners, Masterclasses, training, coaching and process definition can be used to support rollout of ERM.
Create a practical Enterprise Risk Structure, set clear responsibilities and hold people accountable. Define a simple risk map and provide localised working practices to match perspectives on risk. Be seen to make decisions based on good risk management information.
