Enterprise Risk Management: a Key Management Decision Tool for a Globalised and Volatile World

By Marc Ronez, Managing Director, Asia Risk Management Institute
23 June 2010

Fifteen years ago, risk management was almost unheard of. Today, it is fast ascending the corporate agenda seemingly in direct correlation with the increasing number of corporate scandals such as Enron, Citiraya and CAO. In recent years, we have indeed witnessed an increasing number of corporate debacles that have resulted in considerable financial loss, damaged reputations, and decreased shareholder value. These often lead to the dismissal of top management blamed for the adverse results. It is clear from those examples that the mismanagement of risk can carry an enormous price for any organization. Just consider the impact of the following events on your own organization:

  • You are accused of selling poor-quality or defective products, or unnecessary services
  • Loss of a key customer or supplier who distrusts you
  • A sudden hostile takeover attempt cripples your financial position thus destroying your long-term shareholder value
  • Natural, industrial, environmental disasters may strike you anytime, catching you with inadequate crisis management in place
  • Rogue managers lacking oversight and taking advantage of inadequate controls to commit frauds or assume enormous risks

Organizations must therefore be careful when it comes to the amount of risk they have to assume while taking on business opportunities. If they take on too much risk, the possible losses could cripple or even destroy them. On the other hand, if they are too conservative, they may miss interesting opportunities, thus failing to achieve the organization’s financial objectives. There is “no free lunch”: the success of any organization depends on its ability to find the optimal balance between risk and return, which is therefore an imperative for successful business management.

What actually is Enterprise Risk Management (ERM)?

ERM applies active risk management to all the risks that an organization is facing as it strives to create value. It is a disciplined and integrated approach to risk that supports the alignment of strategy, process, people, and technology, and allows corporations to identify, prioritize, and effectively manage their critical risks. By understanding all risks in an integrated framework, organizations can execute proper strategies to successfully achieve their objectives and to meet and improve their performance goals such as increasing profitability and smoothing earnings volatility. The ERM approach is based on and designed to support the following principles:

  • Understand your business as a whole. Clarifying the sources of your competitive advantages and facing reality regarding the threats to and the capability of your organization to deliver in a competitive business environment.
  • Establish effective risk control systems and processes. A control framework for checks and balances, which includes setting limits and boundaries, is necessary to prevent mistakes and frauds and to ensure that no individual will be able to gain excessive power to take risk for your organization.
  • Never lose sight of cash as it does not lie! Cash is King, if you want to check the real financial vulnerability of an organization, look at the cash, the rest is accounting!
  • Don’t change the rules of the game while playing it! Stick to the rules set for assessing, reporting and monitoring risk to prevent management from fine tuning them to twist the results to their advantage.
  • Focus on value creation. Risk management is not only about reducing downside potential of risk, but also about increasing upside opportunity.
  • Balance processes and people. Risk management is not only about establishing the right control systems and processes; it is also about having the right people in place, motivated by the right risk culture and incentives to deliver effective risk taking.

Why Do We Need Risk Management Now More Than Before?

From terrorism to the threat of infectious diseases, uncertainty abounds in today’s global economy, and several macro-trends have increased the exposure of organizations to a range of strategic and operational risks that in the past were blissfully ignored:

  1. Awakening of the stakeholders. Organizations are now facing increasing demands from all their stakeholders - investors, employees, customers, suppliers, governments, etc. in many areas like corporate governance, business ethics, accounting transparency, labour practices, workplace health and safety, societal responsibility and environmental protection.
  2. Globalization and deregulation of key industries. On the positive side, this leads to freer trade and the possibility of investment opportunities worldwide but on the other side, it is also dramatically increasing the pressure of competition resulting in more and larger mergers with changes in organizational structures, downsizing, reengineering, etc.
  3. Pace of new technologies and the internet. The continuous pace of innovation and of complex technologies and tools forces organizations to constantly move ahead, creating a myriad of new risks.
  4. Increasing importance of intangible assets. The market capitalizations of organizations now largely exceed, by a multiple factor, their balance sheet values. The difference is linked to the ‘invisible’ assets such as human capital, customer base, distinctive brand, strong reputation, innovative processes, etc. that are not protected under the traditional risk management model that focuses on ‘visible’ physical and financial assets.
  5. Increasing pressure from the regulatory environment. Regulatory and industry developments include, for example, the Basel II accord, the COSO ERM framework, the Sarbanes-Oxley Act and, in Singapore, the MAS risk management guidelines. Regulators and auditors are expecting to see demonstration of active risk management programs.

The Challenges of Implementing Risk Management

Despite the increasing recognition of the need for effective risk management and some strong external pressures, many organisations have found that it is not easy to develop and implement an Enterprise Risk Management program successfully. Most firms typically wrestle with the scope and purpose of an initiative as expansive and comprehensive as an ERM implementation. They struggle to clearly define what ERM actually is and how they can implement it in a way that can truly achieve its objectives and generate real benefits. Our experience, as illustrated by the survey results in figure 1, has shown us that organizations approaching Risk Management generally fall into one of the following two categories:

  • Those for whom a Risk Management initiative is only a reactive way of trying to address, in a visible and credible manner, stakeholders’ concerns and new regulatory requirements in a world confronted with an unprecedented level of uncertainty. They will tend to focus on system changes and the implementation of risk-based control systems to support compliance and raise the level of protection against risks.
  • Those for whom a Risk Management Program is a strategic initiative that provides distinct benefits over and above simple regulatory compliance. For these firms, Risk Management is not a defensive undertaking but an offensive strategy that yields tremendous potential competitive advantage through an integrated, enterprise-wide perspective on their risk profile which is aligned with their business model.

Indeed, an ERM implementation is a complex undertaking, and there is no one approach or solution that fits all. However, as recent corporate scandals have illustrated, risk management is ultimately about people! While the investment in risk management systems and processes is vital, organizations will soon discover they may be wasting money unless they also create a risk-aware culture to embed risk management at all levels within their organization. Senior managers involved in establishing ERM programs often mention training and development as one of the key factors for a successful implementation. In addition to promoting the development of a culture of risk awareness, ownership, accountability and transparency, it equips employees with the knowledge, skills and tools they need to manage effectively the risks for which they are responsible. This is a must!

Have you started the journey? Are you on board with enterprise risk management? You had better be as it is the future of how businesses will be run!

Marc Ronez is the Managing Director of the Asia Risk Management Institute (ARiMI). He is an expert in risk decision-making and crisis management. ARiMI provides open-enrolment risk management courses and conducts training to support organisations’ risk management effort. It delivers the Enterprise Risk Manager Certified Professional Risk Manager (CPRM) designation program with NUS Extension.