Luck be a Lady Tonight? Not for Enterprise Risk Management
Luck is the last thing that any responsible company in the Hospitality and Retail Industries wants to rely on when it comes to its success. Instead, using the concepts of Enterprise Risk Management (ERM), the successful company identifies, analyzes, responds to, and monitors all risks (particularly non-insurable ones) and opportunities. ERM is used worldwide by millions of companies to plan for their failures and their successes.
What is Enterprise Risk Management (ERM)?
“Enterprise risk management (ERM) is a methodology that looks at risk management strategically from the perspective of the entire firm or organization. It is a top-down strategy that aims to identify, assess, and prepare for potential losses, dangers, hazards, and other potentials for harm that may interfere with an organization’s operations and objectives and/or lead to losses.
ERM takes a holistic approach and calls for management-level decision-making that may not necessarily make sense for an individual business unit or segment. Thus, instead of each business unit being responsible for its own risk management, firm-wide surveillance is given precedence. For instance, if a risk manager at an investment bank notices that two trading desks positioned in different areas of the firm have similar exposures to the same risk, they may force the less important of the two to eliminate that same position. This decision is made with the entire firm in mind (not with the specific trading desk).” [1]
Management’s responsibilities include developing the risk architecture or infrastructure, documenting procedures and risk management protocols, training, and monitoring and reporting on risks and risk management activities. [2]
Source: How to Communicate Risks Using Heat Maps, CGMA
What Benefits Does ERM Provide? [3]
- Greater awareness about the risks facing the organization and the ability to respond effectively;
- Enhanced confidence about the achievement of strategic objectives;
- Improved compliance with legal, regulatory and reporting requirements; and
- Increased efficiency and effectiveness of operations.
Questions to Consider when Implementing ERM [4]
- What are the main components or drivers of our business strategy?
- What internal factors or events could impede or derail each of these components?
- What external events could impede or derail each of the components?
- Do we have the right systems and processes in place to address these internal and external risks?
Traditional Risk Management Versus Enterprise Risk Management
Carol Williams, founder of ERM Insights, states on her site, www.erminsightsbycarol.com, that in a traditional risk management framework an organization only looks at things that are insurable. For example, on a rainy day the janitor of a retail business puts out a sign warning people about a slippery surface, and the company also carries liability and workers’ compensation insurance in case someone does slip and get hurt. Purchasing insurance for company vehicles or equipment is another example.
She notes that “ERM, on the other hand, goes beyond insurable hazards to include areas of risk that cannot be transferred through insurance. If a data breach occurs for example, the company could have insurance to help offset the cost of responding and addressing the problem. However, this breach could also damage the organization’s reputation, which of course is not insurable. Proactive measures to protect information from hackers, malware, and misuse will need to be done to reduce the likelihood of this occurring.”
Other examples of non-insurable risks include:
- Strategic goals;
- Social media;
- Vendor disruptions;
- Mergers & Acquisitions; and
- Lack of innovation.
Ms. Williams offers the following comparison of traditional risk management versus Enterprise Risk Management:
ERM ADDRESSES THE LIMITATIONS OF TRADITIONAL RISK MANAGEMENT [5]
The traditional approach to risk management is often referred to as silo or stove-pipe risk management whereby each silo leader is responsible for managing risks within their silo as shown below.
As noted in this article, this traditional approach to risk management has limitations, which may mean there are significant risks on the horizon that may go undetected by management and that might affect the organization. Some of these limitations include:
- There may be risks that “fall between the silos” that none of the silo leaders can see. Risks don’t follow management’s organizational chart and, as a result, they can emerge anywhere in the business.
- Some risks affect multiple silos in different ways. So, while a silo leader might recognize a potential risk, he or she may not realize the significance of that risk to other aspects of the business.
- In a traditional approach to risk management, individual silo owners may not understand how an individual response to a particular risk might impact other aspects of the business. A silo owner might rationally decide to respond in a particular manner to a risk affecting his or her silo, but that response may trigger a significant risk in another part of the business.
- Traditional risk management often views risk through an internal lens. That is, management focuses on risks related to operations inside the walls of the organization, with minimal attention to risks that might emerge from outside the business.
- Although most business leaders understand the fundamental connection between risk and return, they sometimes struggle to connect their risk management efforts to strategic planning.
Currently Unknown, But Knowable Risks Overlooked by Traditional Risk Management
ERM Should Inform the Strategy of the Business
This Presentation
ERM concepts can be applied to every business, including law firms. The presentation will cover the following topics from the three panelists and their respective companies, and ask the audience to answer questions in complex hypotheticals:
- How each company came to start using an ERM program;
- The organization and management of ERM committees and compliance committees;
- How each company conducted a “credible risk review”;
- Consideration of identified risks, including:
  - Data/technology and cyber-security;
  - Talent retention;
  - Brand;
  - Competitive environment changes;
  - Financial performance;
  - Business interruption;
  - Legal and regulatory compliance;
- Consideration of the impact of each risk on the company: high/medium/low;
- Consideration of the key risk drivers for each risk, for example:
  - Legal and regulatory risk:
    - Changes in regulations and law;
    - Need to monitor state by state;
    - New business growth areas;
  - Business interruption:
    - Not just COVID, but also natural disasters and active shooters;
  - HR risks:
    - Talent acquisition/retention;
  - Supply chain shortages;
- Consideration of the likelihood of each risk occurring;
- Assignment of “who owns the risk” within the company:
  - Which management persons are responsible for mitigating that risk;
- Development of a risk mitigation plan;
- Development of hypotheticals and company responses to risks:
  - COVID;
  - Customer claims;
  - Employment risks;
  - Cyber-security;
  - Nuclear verdicts;
- Creating a culture that embraces the process of understanding, identifying and mitigating risks;
- Reporting of ERM analysis to the board or in public filings.
[1] Investopedia, June 2, 2021; https://www.investopedia.com/terms/e/enterprise-risk-management.asp
[2] https://www.cgma.org/resources/tools/essential-tools/enterpise-risk-management.html
[3] https://www.cgma.org/resources/tools/essential-tools/enterpise-risk-management.html
[4] https://www.cgma.org/resources/tools/essential-tools/enterpise-risk-management.html
[5] The following content and illustrations can be found at https://erm.ncsu.edu/library/article/what-is-enterprise-risk-management