ERM processes growing over the past three years
H.L Sunil, C.Eng. MIE (SL). PG.Dip.DBFA(SL). MBA (USQ-AUS) Deputy
General Manager; Project Portfolio Management, Sri Lanka Telecom PLC
In the context of global economic uncertainty, the challenges and
opportunities faced by companies around the world have continued to
evolve. The evolution of information and communication technology, the
convergence of technology, media and telecommunications, and the use of
the Internet are also causing business boundaries to disappear with
globalization. Hence business enterprises have been exposed to many
risks and uncertainties.
In the public domain there has been news of the instant collapse of
business giants worldwide. It was later found that the cause was a
failure to foresee the risks they would have to face in future.
Realizing this, many companies globally have taken initiatives to
establish enterprise-wide formal risk management processes, which has
led to the build-up of Enterprise Risk Management (ERM). ERM means
managing positive risks (rewarded risk) to grow the business, create
value and realize it, and managing negative risks (unrewarded risk) to
protect existing assets. In this regard, the C-suite has initiated
programs to create a risk intelligence culture across their companies
as a priority in a highly volatile business environment.
The creation of a risk intelligence business culture enables managers
to take rewarded risks by investing reasonable resources, and to
reasonably manage unrewarded risks within their risk appetite using
minimum resources. A recent survey by Harvard Business Review Analytic
Services found that ERM processes have been growing over the past three
years, and that companies still have a long way to go. However,
financial sector institutions have established, well-matured risk
management processes.
ERM Concept
ERM is an emerging concept which is being enriched through the
contributions made by non-profit, private and commercial organizations
in the form of developing models for ERM frameworks, conducting
research and surveys, publishing on ERM knowledge areas and developing
management tools and systems. To name a few: ISO 31000:2009, COSO,
AS/NZS 4360:2004, the Casualty Actuarial Society, etc. Of those, the
framework developed by COSO is taken as the reference framework by most
companies initiating ERM.
ERM requirement
In the public domain, many cases have been reported of sudden
occurrences that have caused losses to individuals, public/private and
government institutions, property and business. To mention a few such
recent events: in the local context there are service sector failures,
change management failures, procurement issues, natural disasters,
bankruptcy of financial institutions, and diseases and epidemics; in
the international context there are many more which have had global
impacts. On later analysis of these issues, it has been found that
accountability lies with the C-suite, where attention was not given to
effectively preparing the organization to see future risks and
uncertainties.
Local Context
In the local context, with the vision of Sri Lanka to become the
“Wonder of Asia”, there are several initiatives by government
institutions and private/public enterprises in the form of programmes
and projects investing huge capital management, risk management and
Stage-Gate investment governance process. So it is very important to
establish risk management processes and create a risk intelligence
culture in most public and private business enterprises and government
institutions to reap the best out of the investments. Creation of a
risk management culture is the foundation for ERM.
Challenge
Establishing investment governance best-practice processes requires a
change of business culture within an organization, which is not an easy
task. To address it, conducting training on best-practice concepts,
holding workshops, and establishing a framework, risk management
processes, systems and tools are some of the steps that need to be
initiated.
New Capability
Fig. 1 shows the drivers that will be effective in the ERM process and
how those corner elements are being driven. All these efforts will
succeed only if the process is led and owned by the top management of
the enterprise. Further, defining an ERM framework involves defining
risk appetite, defining and monitoring Key Risk Indicators (KRI), and
People, Process and Systems, which are the main tasks in establishing
risk intelligence. The C-suite should have a good understanding and
awareness of how the ERM concept works.
They should arrange appropriate training for subordinates. It is also
important for them to lead action to establish risk management
processes within each functional unit, under the leadership of the
C-suite and senior managers.
Initiate ERM
Establishing an ERM concept is a new change drive in an organization.
When initiating the ERM process, it is recommended to use existing
resources, processes, forums and committees, and to start with an
incremental, step-by-step approach, since it has an impact across the
organization. Defining an ERM framework for the company is important.
[Fig. 1 labels: Develop and deploy strategies; Risk Infrastructure and
Management; Risk Owners; Sustain and continuously improve; Risk
Governance; Board of Directors; CEO; Oversight; ERM infrastructure;
Risk Process; Tone at the top; People; Process; Technology; Identify
risks; Assess and evaluate risks; Integrate risks; Respond to risks;
Design, implement and test controls; Monitor, assure and escalate; SGB;
ERM implementation team; Functional managers; ERM workshop]
A mature ERM process will provide information on business-critical,
emerging, dynamic risks. With information on risks, the board of
directors and the C-suite will have better insight into the company's
performance. Hence management will be able to initiate appropriate
response plans and strategies for implementation to achieve
organizational objectives.
Risk Appetite
Risk appetite is unique to each organization. In simple terms, risk
appetite is the amount of risk one can take in achieving a set target
at the individual level. For an organization, however, it takes the
form of high-level statements on risk appetite, defined for each
category of risk and in quantifiable terms.
The definition of risk appetite statements is initiated by C-suite
managers and the CEO, who will obtain approval from the board of
directors.
The approved statements will be cascaded down to functional units and
risk owners, and communicated to them together with the risk tolerance,
which is the deviation from the defined risk appetite that an
individual may take to achieve a task.
Key Risk Indicators
Key Risk Indicators (KRI) provide early signals to an organization of
increases in risk exposure in various business units of the enterprise
that prevent the achievement of organizational objectives. These
indicators provide early warning of risks that an organization will
have to face. Risk owners should identify risk indicators, and
interpret KRIs and their signals on the intensity (probability and
impact) and closeness of the risks (risks may be emerging).
The managers will then have to change strategies to maintain outcomes,
in order to achieve the desired objectives.
Conclusion
Identifying and managing risks is the key to the survival of any
business entity.
Therefore, to reduce losses, create value and realize it to the
satisfaction of stakeholders, any organization should be prepared to
manage risks and uncertainties. In order to manage risks, initiatives
for the implementation of ERM should be the priority. Initiating ERM is
very challenging and it may require compliance with legal requirements.
In this regard it is appropriate for the government and the relevant
authorities to initiate action to impose the required legislation
mandating the implementation of ERM processes in public and private
institutions.
This will enable better services to the public and protect public
investments in corporates. It will also help to reduce unexpected
surprises and business calamities at every level.
References:
1. ISO 31000
2. Enterprise Risk Management Integrated Framework, COSO, www.coso.org
3. Risk Intelligent enterprise management, Deloitte, www.deloitte.com
4. Report on the Accenture 2011 Global Risk Management Study, Steve Culp
5. Risk Management in a Time of Global Uncertainty, Harvard Business
Review Analytic Services