In recent years, risk management has seen some key changes. First, specialized types of risk management have emerged, such as project, energy, finance, operational, and clinical risk management. Second, organizations are now focusing on a broader, more comprehensive approach to managing risk. This broader approach is often called enterprise or enterprise-wide risk management (ERM), which is now the most commonly used term. The main idea of ERM is to stop managing risks separately and instead take a unified, integrated approach. With ERM, organizations consider all the risks they face across all their operations. ERM focuses on managing risks that could impact an organization’s goals, important dependencies, or key processes. It also covers both opportunities and risks related to control and hazards. ERM also considers how risks are connected, which is something traditional risk management often overlooks. For example, multiple risks can affect the same activity or goal. ERM evaluates risks by looking at goals, key processes, or dependencies and considering all the risks that could impact them. Most organizations now use ERM because it provides a way to manage all risks in a coordinated way. However, specialized functions like health and safety or business continuity still play an important role.
Risk management has seen major advancements, with its role in corporate governance becoming widely integrated. What was once called “integrated” or “holistic” risk management is now commonly referred to as enterprise risk management (ERM), which applies across the entire organization. Similarly, operational risk management (ORM) has grown significantly in a short time. While the evolving nature of risk management is positive, changing how risk analysis is conducted or communicated can confuse senior leaders and reduce interest. Taking on too much risk can lead to organizational failure, but risk awareness shouldn’t stop bold strategic decisions. Instead, decisions should be made with a clear understanding of the risks involved.
Organizations should continue pursuing opportunities, even if they seem risky, as long as the risks are managed within the organization’s capacity. Boards need to be aware of the actual risks being taken. If a company is “risk aggressive,” meaning it’s willing to take on higher risks, the range of risks the board considers may be limited. This can restrict important discussions about significant risks. While being risk aggressive isn’t necessarily wrong, it requires frequent reassessment and careful management at all levels. The ideas of “risk appetite” and “the upside of risk” are useful but need more refinement to deliver clear benefits.
Key Features of Enterprise Risk Management (ERM):
- Covers all risk areas (financial, operational, compliance, strategic, reputational, etc.).
- Manages risks as an interconnected portfolio rather than separate, isolated risks.
- Considers risks within both internal and external contexts, systems, and stakeholder concerns.
- Recognizes that risks are linked, and combined, they can create different exposures than when viewed individually.
- Uses a structured process to manage all types of risks, whether measured by numbers or judgment.
- Integrates risk management into critical decisions across the organization.
- Helps the organization identify risks it is willing to take in pursuit of strategic goals.
- Creates a way to communicate risk, ensuring a shared understanding of risks and their importance.
- Supports internal audit by offering a structured way to provide assurance to the board.
- Views effective risk management as a competitive advantage that helps the organization achieve its goals.
Example: Enterprise Risk Management (ERM) in an Oil and Gas Company
1. Risk Identification:
The company identifies risks across several categories:
- Operational Risks: Equipment failure, oil spills, worker safety, and project delays.
- Financial Risks: Oil price volatility, exchange rate fluctuations, and funding shortfalls for major projects.
- Compliance and Regulatory Risks: Environmental regulations, fines for emissions, and political instability in regions of operation.
- Strategic Risks: Shifts in global energy demand (e.g., the rise of renewable energy), geopolitical risks affecting supply, and competition from other energy sources.
- Reputational Risks: Negative media coverage due to environmental incidents, community protests, and shareholder dissatisfaction.
- Technology Risks: Cybersecurity threats to operational systems, and data breaches.
2. Risk Assessment and Prioritization:
Once risks are identified, they are assessed based on their potential impact on key objectives and the likelihood of occurrence. For example:
- High Impact, High Likelihood: An environmental spill could cause significant financial, operational, and reputational damage.
- Low Impact, Low Likelihood: A minor price fluctuation of a local currency may not have a strong impact on overall revenue.
Risks are mapped in a risk matrix, prioritizing high-impact risks for more immediate attention.
3. Risk Response Planning:
The company develops strategies to manage these risks, using the following approaches:
- Risk Avoidance: Deciding not to operate in politically unstable regions to avoid geopolitical risk.
- Risk Mitigation: Implementing stricter safety protocols and investing in more advanced equipment to reduce the chance of oil spills or equipment failures.
- Risk Transfer: Purchasing insurance for natural disasters or significant equipment failure to reduce financial impact.
- Risk Acceptance: Accepting minor fluctuations in oil prices as part of normal market conditions and planning budgets accordingly.
4. Integration Across the Organization:
ERM is embedded across departments, ensuring each unit understands its role:
- Operations: Works to mitigate operational risks through better safety standards and by adopting new technology to prevent equipment failure.
- Finance: Manages financial risks through hedging strategies to stabilize the impact of fluctuating oil prices.
- Legal and Compliance: Regularly reviews and updates the company’s compliance with environmental and safety regulations in every region of operation.
- Risk Committees: Established at various levels to ensure regular communication and reporting of emerging risks, ensuring alignment with the company’s risk appetite.
5. Risk Monitoring and Reporting:
Risk data is continuously gathered from various departments and updated in a risk register, which forms part of the ERM system. This register:
- Tracks all identified risks, including their status and any mitigating actions.
- Provides visibility to senior management and the board through regular reports.
- Links risk performance metrics to key company objectives, such as operational uptime or financial targets.
In the event of significant risk, such as a major accident, immediate reviews are conducted to update the risk profile and revise mitigation strategies. The Board of Directors receives quarterly updates on risk exposures and mitigation strategies, ensuring strategic alignment.
6. Continuous Improvement:
ERM is dynamic, requiring regular updates to respond to:
- New regulations, such as stricter environmental laws.
- Changing market conditions, like the rise of renewable energy.
- New technologies that offer better safety measures or operational efficiency.
The company conducts annual reviews of its ERM framework to ensure that it remains aligned with best practices and any emerging risks.
Definitions of ERM
ERM involves the identification and evaluation of significant risks, assignment of ownership, implementation and monitoring of actions to manage these risks within the risk appetite of the organization. The output is the provision of information to management to improve business decisions, reduce uncertainty and provide reasonable assurance regarding the achievement of the objectives of the organization. The impact of ERM is to improve efficiency and the delivery of services, improve allocation of resources (capital) to business improvement, create shareholder value and enhance risk reporting to stakeholders.
As per COSO, the definition of Enterprise Risk Management (ERM) is: “Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risk to be within its risk appetite and to provide reasonable assurance regarding the achievement of entity objectives.”
As per the Institute of Internal Auditors, the definition of Enterprise Risk Management (ERM) is: “A rigorous and coordinated approach to assessing and responding to all risks that affect the achievement of an organization’s strategic and financial objectives.”
As per HM Treasury, the definition of Enterprise Risk Management (ERM) is: “All the processes involved in identifying, assessing and judging risks, assigning ownership, taking actions to mitigate or anticipate them and monitoring and reviewing progress.”
As per RIMS, the definition of Enterprise Risk Management (ERM) is: “Enterprise risk management is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.”
A complete definition of the ERM (Enterprise Risk Management) process involves three key parts: a description of the process itself, identifying the results or outcomes of that process, and understanding the benefits or impacts of those outcomes. Many definitions focus on the ERM process by explaining the steps involved, which is a good start. However, the results of the process—such as managing risks within acceptable limits and ensuring that objectives are met—are more important. Some definitions mention these results, but to be complete, the definition should also highlight the intended impact. In short, the main outcomes of ERM are better decision-making, improved core processes (sometimes through specific projects), and smooth, efficient operations with fewer disruptions. These outcomes can be summarized as mandatory obligations fulfilled, assurance obtained, decision making enhanced and effective and efficient core processes introduced (MADE2).
| FIRM category | Benefits |
|---|---|
| Financial | Reduced cost of funding and capital; better control of CapEx approvals; increased profitability for the organization; accurate financial risk reporting; enhanced corporate governance |
| Infrastructure | Efficiency and competitive advantage; achievement of the state of no disruption; improved supplier and staff morale; targeted risk and cost reduction; reduced operating costs |
| Reputational | Regulators satisfied; improved utilization of company brand; enhanced shareholder value; good reputation and publicity; improved perception of the organization |
| Marketplace | Commercial opportunities maximized; better marketplace presence; increased customer spend (and satisfaction); higher ratio of business successes; lower ratio of business disasters |
Taking a complete approach to enterprise risk management (ERM) offers many benefits. Each organization decides how to set up its ERM process and achieve these benefits. The main idea of ERM is to evaluate all major risks the organization faces. It’s also important to understand how these risks are connected, so the organization can calculate its total risk exposure. Once the total risk exposure is measured, it can be compared to the organization’s risk limits and the board’s risk tolerance.
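The risk register and risk matrix from steps 2 and 5 of the oil and gas example, together with the aggregate-exposure comparison described in the paragraph above, can be made concrete in code. The following is an added example, not part of the original text or any named framework: a small register scored on a 1-5 likelihood and impact scale, banded on a 5x5 matrix, grouped by the objective each risk threatens (so that several risks affecting one goal are seen together, as the opening paragraph of this page recommends), and compared against a board-approved appetite per objective. The risk entries, scores, matrix band thresholds and appetite limits are all constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of the risk register (fields chosen for this example)."""
    name: str
    category: str        # FIRM-style or ERM category (Operational, Financial, ...)
    objective: str       # the company objective this risk could affect
    likelihood: int      # 1 (rare) .. 5 (almost certain), an assumed ordinal scale
    impact: int          # 1 (negligible) .. 5 (severe)
    response: str        # avoid / mitigate / transfer / accept
    owner: str           # accountable owner, as ERM definitions require

    def score(self) -> int:
        # Classic likelihood x impact product used by 5x5 risk matrices.
        return self.likelihood * self.impact

    def band(self) -> str:
        # Matrix bands; the thresholds 15 and 8 are an assumption for this example.
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 8:
            return "medium"
        return "low"


def validate(risk: Risk) -> None:
    """Reject scores outside the 1-5 scale so a typo cannot silently skew priorities."""
    for label, value in (("likelihood", risk.likelihood), ("impact", risk.impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{risk.name}: {label} {value} is outside the 1-5 scale")


def prioritise(register: list[Risk]) -> list[Risk]:
    """Order the register for attention: highest score first, then by name for stability."""
    for risk in register:
        validate(risk)
    return sorted(register, key=lambda r: (-r.score(), r.name))


def exposure_by_objective(register: list[Risk]) -> dict[str, int]:
    """Sum the scores of every risk that threatens the same objective."""
    totals: dict[str, int] = {}
    for risk in register:
        totals[risk.objective] = totals.get(risk.objective, 0) + risk.score()
    return totals


def objectives_over_appetite(register: list[Risk], appetite: dict[str, int]) -> dict[str, int]:
    """Return objectives whose combined exposure exceeds the board-approved limit."""
    return {
        objective: total
        for objective, total in exposure_by_objective(register).items()
        if total > appetite.get(objective, 0)
    }


# Constructed sample register modelled on the oil and gas example; values are illustrative.
REGISTER = [
    Risk("Environmental spill", "Operational", "Safe operations", 4, 5, "mitigate", "Operations"),
    Risk("Equipment failure", "Operational", "Safe operations", 3, 4, "transfer", "Operations"),
    Risk("Oil price volatility", "Financial", "Financial targets", 5, 3, "mitigate", "Finance"),
    Risk("Local currency fluctuation", "Financial", "Financial targets", 2, 1, "accept", "Finance"),
    Risk("Cyber attack on OT systems", "Technology", "Safe operations", 3, 5, "mitigate", "IT"),
    Risk("Political instability", "Compliance", "Growth", 2, 4, "avoid", "Legal"),
]

# Assumed per-objective appetite limits (the board's tolerance on the same score scale).
APPETITE = {"Safe operations": 30, "Financial targets": 20, "Growth": 10}


def board_report(register: list[Risk] = REGISTER, appetite: dict[str, int] = APPETITE) -> str:
    """Text summary of the kind a quarterly board update would carry."""
    lines = [
        f"{r.band():6} {r.score():2}  {r.name} ({r.category}; {r.response}; owner: {r.owner})"
        for r in prioritise(register)
    ]
    for objective, total in objectives_over_appetite(register, appetite).items():
        lines.append(f"OVER APPETITE: {objective} exposure {total} > limit {appetite[objective]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(board_report())
```

Aggregating by objective is what makes the difference from the siloed view: individually, equipment failure is only a medium risk, but added to the spill and OT cyber risks on the same "Safe operations" objective the combined exposure exceeds the assumed limit, which is exactly the kind of finding the board should see.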
Energy and Finance
Enterprise Risk Management (ERM) in the energy and finance sectors addresses unique risks, but the core principles are similar. Here’s a simplified overview for both sectors:
ERM in the Energy Sector:
In the energy industry, risks are diverse and range from operational to environmental, regulatory, and market risks. Some key aspects of ERM include:
- Operational Risks: Managing equipment failures, supply chain disruptions, and safety hazards. This could involve strategies to ensure the safe operation of oil rigs, power plants, and pipelines, along with contingency plans for equipment failure or accidents.
- Environmental and Regulatory Risks: Energy companies face significant environmental risks, such as oil spills or gas leaks. Regulatory risks include changing environmental laws, carbon taxes, and renewable energy regulations. ERM helps ensure compliance and manage the impact of regulations.
- Market Risks: Energy prices can be highly volatile due to global market conditions, supply and demand, and geopolitical events. ERM helps manage price fluctuations and financial exposure through strategies like hedging or diversified investments.
- Strategic Risks: These include decisions around investments in new energy sources, such as renewable energy, which may require large capital expenditure and long-term planning.
ERM in the Finance Sector:
The finance sector primarily deals with risks related to market fluctuations, credit, operational failures, and regulatory compliance. Key components of ERM include:
- Credit Risk: Managing the risk of borrowers defaulting on loans. ERM strategies help assess the creditworthiness of clients and set appropriate credit limits.
- Market Risk: Finance firms are exposed to changes in interest rates, foreign exchange rates, and stock market movements. ERM provides tools to manage these fluctuations, such as portfolio diversification and hedging strategies.
- Operational Risk: This includes risks from internal processes, system failures, or cybersecurity threats. ERM helps identify these risks and implement controls to minimize disruptions, such as using advanced cybersecurity measures or having backup systems in place.
- Regulatory Risk: The finance industry is heavily regulated. ERM ensures that financial institutions comply with various laws and regulations, avoiding penalties or legal actions.
- Liquidity Risk: Managing liquidity is critical, ensuring that a firm has enough cash or easily convertible assets to meet its short-term obligations.
Both energy and finance sectors use ERM to maintain stability, make better decisions, and enhance resilience against internal and external risks. Risk management in the energy and finance sectors has developed into a specialized field. In the finance sector, the goal of an ERM (Enterprise Risk Management) program is to increase shareholder value by:
- Improving capital and efficiency: Providing a clear method for distributing resources wisely and taking advantage of natural risk balances and portfolio benefits.
- Supporting financial decisions: Focusing on areas that may have big negative impacts and finding opportunities where risk can be turned into an advantage.
- Building investor confidence: Stabilizing financial results and protecting them from disruptions, showing that risks are managed proactively.
ERM in the energy sector often relies on the treasury department and experts who specialize in managing risks related to oil prices. This type of financial risk management is well-established, with many energy companies having large teams dedicated to it. However, ERM in energy companies is still mainly focused on managing financial risks. In the finance sector, regulations are a key driver for risk management. For example, banks must comply with Basel III rules, and the insurance industry in Europe follows similar guidelines under the Solvency II Directive. These regulations require financial institutions to measure their exposure to operational risks.
Operational risk management (ORM) in financial institutions helps determine how much capital should be kept aside to handle the potential impact of identified risks. The better risks are identified and managed, the less capital is needed to cover those risks. ORM is a specific part of the broader enterprise risk management (ERM) process. The global banking crisis raised doubts about how well risk management worked in banks, especially in managing operational risks. After the crisis, media reports often claimed that: 1) risk is bad, and 2) risk management had failed. However, taking risks is necessary for organizations to succeed. It is hard to argue against the idea that risk management failed in banks, but the real issue was not with the principles of risk management. The problem was that these principles were not applied correctly. Many banks made two key mistakes:
- They didn’t properly analyze the balance between risk and reward, focusing too much on potential rewards without fully considering the risks.
- They underestimated the level of risk because they were so aggressive in taking risks that they ignored the possibility of unlikely, but serious, events.
Business continuity and resilience
Enterprise risk management (ERM) and business continuity management (BCM) are closely linked. The risk assessment done in ERM and the business impact analysis used in business continuity planning (BCP) work together. In ERM, the usual process is to look at goals and find the specific risks that might affect those goals. The business impact analysis helps identify the essential activities that must be maintained for the organization to keep running. Both ERM and business impact analysis focus on identifying the key activities and dependencies necessary for a business to thrive. However, the next steps differ between ERM and BCP. ERM deals with managing risks that could affect core processes, while BCM focuses on the actions to take to keep individual activities going. In this way, BCM specifically identifies steps to take after a risk occurs to reduce its effects, addressing the need to limit damage and control costs.
Resilience is the capacity of an organization to consistently achieve a desired state following a change in circumstances. As per ISO 22300:2021, resilience may be defined as the ability to absorb and adapt in a changing environment. Resilience in risk management refers to an organization’s ability to anticipate, prepare for, respond to, and recover from adverse events or disruptions. It emphasizes not just avoiding risks but also adapting to challenges and bouncing back stronger. Integrating organizational resilience into governance practices should ensure that the board considers the risks to critical infrastructure from natural disasters, major accidents, and deliberate harm. Recognizing the importance of resilience will guide decisions about investments, purchasing, risk management, and conversations with supply chain partners. This approach will help infrastructure owners and operators better understand how resilient their systems are, regularly evaluate how well their strategies are working, and make any needed changes to ensure they can deliver services effectively and adapt to shifting organizational goals. Here are some key aspects of resilience in risk management:
- Proactive Planning: Organizations should identify potential risks and develop plans to mitigate them before they occur. This includes conducting risk assessments and scenario planning to understand possible threats.
- Agility and Flexibility: Resilient organizations can quickly adapt their strategies and operations in response to unexpected challenges. This requires flexible processes, a culture of innovation, and the ability to make quick decisions.
- Crisis Management: Effective crisis management strategies help organizations respond to and manage crises when they occur. This includes having clear communication plans, designated teams, and predefined roles during a crisis.
- Continuous Improvement: After experiencing a disruption, organizations should analyze their responses and outcomes to learn from the event. This helps in refining risk management strategies and improving resilience for the future.
- Stakeholder Engagement: Involving employees, customers, suppliers, and other stakeholders in risk management efforts helps build a supportive network that enhances resilience. Open communication and collaboration are essential.
- Technology and Data Utilization: Leveraging technology and data analytics can improve risk detection and response capabilities. Real-time monitoring of risks enables organizations to make informed decisions quickly.
- Culture of Resilience: Fostering a culture that values resilience encourages employees to be proactive and prepared. Training, awareness programs, and leadership support are vital in building this culture.
- Resource Management: Adequate resources, including financial, human, and technological, are crucial for maintaining operations during disruptions. Organizations should ensure they have reserves and backup plans in place.
By integrating resilience into risk management, organizations can better navigate uncertainties and emerge stronger from challenges, ultimately safeguarding their long-term success.
A broad approach to risk management helps an organization create a solid plan to prevent, prepare for, reduce, respond to, and recover from disruptions. A resilient organization must focus on “preventing, protecting, and preparing” its resources and assets, while also being ready to “respond, recover, and review” during a crisis. The concept of resilience offers a chance for risk management and business continuity experts to collaborate for a more coordinated approach. To boost resilience, organizations need to:
- Be ready to respond quickly to disruptions, learn from them, and make improvements for the future.
- Stay aware of changes in both internal and external environments and keep resilience a priority.
- Focus on preventing, protecting, and preparing all types of resources, including assets, networks, and intellectual property.
The ‘plan–do–check–act’ (PDCA) structure of many standards is entirely consistent with the plan, implement, measure, learn (PIML) approach to implementing a risk management initiative.
Managing emerging risks
All organizations are concerned about changes in both the external and internal environment, as these changes bring new challenges, uncertainties, and opportunities. These changes are considered emerging risks. However, it can be hard to address these risks unless the organization clearly understands what they are. Emerging risks fall into three categories:
- New risks in a familiar context: New risks that arise in the external environment but relate to the organization’s existing strategy.
- Known risks in a new context: Risks that the organization was already aware of but have evolved or been triggered by new circumstances.
- New risks in a new context: Risks the organization hasn’t faced before, related to changes in its core processes.
Recent business changes have raised the level of risk for organizations, such as expanding into new markets, adopting new technologies, and building more complex supply chains. These risks are usually within the organization’s control. However, there are other emerging risks that organizations cannot control, such as:
- Climate change
- Government debt
- National security issues
- Shifting demographics.
When managing emerging risks, an organization should assess whether to treat them as hazards, controls, or opportunities. Depending on the organization’s activities, these risks may be threats or potential opportunities for growth. In some cases, they may just add uncertainty that needs to be handled. A key factor to consider is how quickly these risks can become important. Some risk management experts call this the “risk velocity,” referring to the speed at which risks develop and change.
