Rachael Johnson, head of risk management and corporate governance, Professional Insights, ACCA

If there’s one forecast worth paying attention to this year, it is that organisations with established enterprise risk management (ERM) frameworks will be better prepared for future disruptions than those without them.

In its research, Rethinking risk for the future, ACCA found that ERM has not only enabled organisations to respond to the Covid-19 crisis with more speed and agility, but also to maximise the opportunities that other current waves of change present, including rapid digitalisation.

ACCA members who oversee risk management in various roles, whether as head of ERM, chief risk officer (CRO) or in internal audit, explained how the pandemic has shown the business benefits of addressing risk from an enterprise-wide perspective and the negatives of doing so in silos.

Improve your ERM

  • Improve alignment between environmental, social and governance disclosures and sustainability statements
  • Introduce greater due diligence and visibility in supply chains
  • Mitigate third-party risk in the digital world
  • Create more effective whistleblowing policies
  • Overhaul cybersecurity and data protection policies
  • Enhance engagement between senior management and board/audit and risk committees

ERM frameworks incorporate regular reviews and assessments, so many companies with established structures were also conducting these more frequently to assess whether more provisions were required on certain issues. Respondents attested that a lot of quick decisions could not have happened without having an ERM framework integrated into their strategies.

‘Risk is involved in all aspects of our business,’ said a head of ERM from a global insurance company based in the Netherlands, ‘including product development in terms of adapting to what is happening in the external environment – for example, adapting to consumer expectations and extending grace periods and expanding coverages.’

Crisis response

An established ERM framework encompasses all risks, including business resilience, so even if a pandemic was not identified as a specific risk, the possibility that the company could be interrupted would be considered and the structure for responding defined.

This is crucial because if additional finance is needed, the framework serves as a neutral basis to help senior management decide which risks should take priority over scarcer resources.

Survey respondents noted that the beauty of effective ERM is that it allows uncertainties to be dealt with more strategically, including the identification of the many non-financial and intangible risks that organisations face today.

Capture potential risks

For example, the risk register does not foolproof an organisation, but it does capture potential risks, and ERM processes provide the opportunity to act on them immediately. The same goes for the risk appetite statement, which effectively sets the tone and should be determined and owned by the board.

Risk is everyone’s responsibility

As environmental, social and governance (ESG) issues intensify and increasingly interconnect, the need for proper integration is essential. Risk and sustainability are a set of values that must be ingrained in the organisation’s DNA. This starts by educating the board and senior management.

An enterprise-wide view of aggregate risk can allow the organisation to monitor and report on key performance indicators and key risk indicators more efficiently and accurately, and repurpose existing metrics towards ESG goals. As a result, ERM can reduce the downsides more effectively while also capturing opportunities and enhancing long-term performance.

This is a subjective exercise and can be one of the most confusing and controversial topics for stakeholders. Even so, employing a risk appetite statement proved useful for many organisations during the pandemic, enabling decision-makers to accept in a conscious way the risks that corresponded with their purpose and strategy, and with the available resources required to manage them.

The organisation is also more likely to meet its strategic goals when its appetite for risk is linked to operational, compliance and reporting objectives.

As one CRO member in Shanghai explained, ‘The risk appetite statement is not perfect, but it keeps us focused on the right risks because we constantly have to measure what we are doing against this benchmark, as we know uncertainties and their values can change quickly.

‘We’re always getting better at how we address credit and market risks, but operational risks are trickier to quantify, and this is another way to help us manage them.’

See the bigger picture

The pandemic has given companies, large, medium or small, a loud wake-up call for thinking more about risk culture and how it contributes to long-term success. A business is more able to adapt to change and react to disruption when risk is in conversations with stakeholders at all levels – when everyone is accountable to some degree and understands why certain processes exist.

ERM includes everyone in the organisation, from employees in the lowest grade of the hierarchy up to the board. It requires integrated thinking – understanding risk from all parts of the business and providing a unified platform for oversight and accountability.

ERM also guides companies to manage risks holistically and as they arise, so that when unanticipated issues, such as Covid-19, strike, each person knows what their role is and works collaboratively to manage the impacts.

We found that an organisation’s culture always determines the effectiveness of its risk management. ‘To me, it is the elephant in the room,’ says an independent risk consultant in London and ACCA member, ‘because a healthy risk culture means risks are reported and raised, not stuck somewhere in-between.’